6 files changed, 103 insertions, 19 deletions

diff --git a/src/op_mode/connect_disconnect.py b/src/op_mode/connect_disconnect.py
index bd02dc6ea..373f9e953 100755
--- a/src/op_mode/connect_disconnect.py
+++ b/src/op_mode/connect_disconnect.py
@@ -48,7 +48,7 @@ def connect(interface):
         if os.path.isdir(f'/sys/class/net/{interface}'):
             print(f'Interface {interface}: already connected!')
         elif check_ppp_running(interface):
-            print(f'Interface {interface}: connection is beeing established!')
+            print(f'Interface {interface}: connection is being established!')
         else:
             print(f'Interface {interface}: connecting...')
             call(f'systemctl restart ppp@{interface}.service')
@@ -58,7 +58,7 @@ def connect(interface):
         else:
             call(f'VYOS_TAGNODE_VALUE={interface} /usr/libexec/vyos/conf_mode/interfaces_wwan.py')
     else:
-        print(f'Unknown interface {interface}, can not connect. Aborting!')
+        print(f'Unknown interface {interface}, cannot connect. Aborting!')
 
     # Reaply QoS configuration
     config = ConfigTreeQuery()
@@ -90,7 +90,7 @@ def disconnect(interface):
             modem = interface.lstrip('wwan')
             call(f'mmcli --modem {modem} --simple-disconnect', stdout=DEVNULL)
     else:
-        print(f'Unknown interface {interface}, can not disconnect. Aborting!')
+        print(f'Unknown interface {interface}, cannot disconnect. Aborting!')
 
 def main():
     parser = argparse.ArgumentParser()
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 25554b781..442c186cc 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -16,6 +16,7 @@
 
 import argparse
 import ipaddress
+import json
 import re
 import tabulate
 import textwrap
@@ -89,10 +90,38 @@ def get_nftables_details(family, hook, priority):
         out[rule_id] = rule
     return out
 
-def output_firewall_vertical(rules, headers):
+def get_nftables_group_members(family, table, name):
+    prefix = 'ip6' if family == 'ipv6' else 'ip'
+    out = []
+
+    try:
+        results_str = cmd(f'sudo nft -j list set {prefix} {table} {name}')
+        results = json.loads(results_str)
+    except:
+        return out
+
+    if 'nftables' not in results:
+        return out
+
+    for obj in results['nftables']:
+        if 'set' not in obj:
+            continue
+
+        set_obj = obj['set']
+
+        if 'elem' in set_obj:
+            for elem in set_obj['elem']:
+                if isinstance(elem, str):
+                    out.append(elem)
+                elif isinstance(elem, dict) and 'elem' in elem:
+                    out.append(elem['elem'])
+
+    return out
+
+def output_firewall_vertical(rules, headers, adjust=True):
     for rule in rules:
-        adjusted_rule = rule + [""] * (len(headers) - len(rule)) # account for different header length, like default-action
-        transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 65)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char
+        adjusted_rule = rule + [""] * (len(headers) - len(rule)) if adjust else rule # account for different header length, like default-action
+        transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 65)] for i, header in enumerate(headers) if i < len(adjusted_rule)] # create key-pair list from headers and rules lists; wrap at 100 char
 
         print(tabulate.tabulate(transformed_rule, tablefmt="presto"))
         print()
@@ -453,6 +482,7 @@ def show_firewall_group(name=None):
         return out
 
     rows = []
+    header_tail = []
 
     for group_type, group_type_conf in firewall['group'].items():
         ##
@@ -479,21 +509,53 @@ def show_firewall_group(name=None):
                 rows.append(row)
 
         else:
+            if not args.detail:
+                header_tail = ['Timeout', 'Expires']
+
             for dynamic_type in ['address_group', 'ipv6_address_group']:
+                family = 'ipv4' if dynamic_type == 'address_group' else 'ipv6'
+                prefix = 'DA_' if dynamic_type == 'address_group' else 'DA6_'
                 if dynamic_type in firewall['group']['dynamic_group']:
                     for dynamic_name, dynamic_conf in firewall['group']['dynamic_group'][dynamic_type].items():
                         references = find_references(dynamic_type, dynamic_name)
                         row = [dynamic_name, textwrap.fill(dynamic_conf.get('description') or '', 50), dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D']
-                        row.append('N/D')
-                        rows.append(row)
+
+                        members = get_nftables_group_members(family, 'vyos_filter', f'{prefix}{dynamic_name}')
+
+                        if not members:
+                            if args.detail:
+                                row.append('N/D')
+                            else:
+                                row += ["N/D"] * 3
+                            rows.append(row)
+                            continue
+
+                        for idx, member in enumerate(members):
+                            val = member.get('val', 'N/D')
+                            timeout = str(member.get('timeout', 'N/D'))
+                            expires = str(member.get('expires', 'N/D'))
+
+                            if args.detail:
+                                row.append(f'{val} (timeout: {timeout}, expires: {expires})')
+                                continue
+
+                            if idx > 0:
+                                row = [""] * 4
+
+                            row += [val, timeout, expires]
+                            rows.append(row)
+
+                        if args.detail:
+                            header_tail += [""] * (len(members) - 1)
+                            rows.append(row)
 
     if rows:
         print('Firewall Groups\n')
         if args.detail:
-            header = ['Name', 'Description','Type', 'References', 'Members']
-            output_firewall_vertical(rows, header)
+            header = ['Name', 'Description', 'Type', 'References', 'Members'] + header_tail
+            output_firewall_vertical(rows, header, adjust=False)
         else:
-            header = ['Name', 'Type', 'References', 'Members']
+            header = ['Name', 'Type', 'References', 'Members'] + header_tail
             for i in rows:
                 rows[rows.index(i)].pop(1)
             print(tabulate.tabulate(rows, header))
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 9f6949fb3..ba0e3b6db 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -26,6 +26,7 @@ from os import environ
 from typing import Union
 from urllib.parse import urlparse
 from passlib.hosts import linux_context
+from errno import ENOSPC
 
 from psutil import disk_partitions
 
@@ -60,7 +61,8 @@ MSG_INPUT_CONFIG_CHOICE: str = 'The following config files are available for boo
 MSG_INPUT_CONFIG_CHOOSE: str = 'Which file would you like as boot config?'
 MSG_INPUT_IMAGE_NAME: str = 'What would you like to name this image?'
 MSG_INPUT_IMAGE_DEFAULT: str = 'Would you like to set the new image as the default one for boot?'
-MSG_INPUT_PASSWORD: str = 'Please enter a password for the "vyos" user'
+MSG_INPUT_PASSWORD: str = 'Please enter a password for the "vyos" user:'
+MSG_INPUT_PASSWORD_CONFIRM: str = 'Please confirm password for the "vyos" user:'
 MSG_INPUT_ROOT_SIZE_ALL: str = 'Would you like to use all the free space on the drive?'
 MSG_INPUT_ROOT_SIZE_SET: str = 'Please specify the size (in GB) of the root partition (min is 1.5 GB)?'
 MSG_INPUT_CONSOLE_TYPE: str = 'What console should be used by default? (K: KVM, S: Serial, U: USB-Serial)?'
@@ -74,6 +76,7 @@ MSG_WARN_ROOT_SIZE_TOOBIG: str = 'The size is too big. Try again.'
 MSG_WARN_ROOT_SIZE_TOOSMALL: str = 'The size is too small. Try again'
 MSG_WARN_IMAGE_NAME_WRONG: str = 'The suggested name is unsupported!\n'\
 'It must be between 1 and 64 characters long and contains only the next characters: .+-_ a-z A-Z 0-9'
+MSG_WARN_PASSWORD_CONFIRM: str = 'The entered values did not match. Try again'
 CONST_MIN_DISK_SIZE: int = 2147483648  # 2 GB
 CONST_MIN_ROOT_SIZE: int = 1610612736  # 1.5 GB
 # a reserved space: 2MB for header, 1 MB for BIOS partition, 256 MB for EFI
@@ -695,8 +698,14 @@ def install_image() -> None:
         print(MSG_WARN_IMAGE_NAME_WRONG)
 
     # ask for password
-    user_password: str = ask_input(MSG_INPUT_PASSWORD, default='vyos',
-                                   no_echo=True)
+    while True:
+        user_password: str = ask_input(MSG_INPUT_PASSWORD, no_echo=True,
+                                       non_empty=True)
+        confirm: str = ask_input(MSG_INPUT_PASSWORD_CONFIRM, no_echo=True,
+                                 non_empty=True)
+        if user_password == confirm:
+            break
+        print(MSG_WARN_PASSWORD_CONFIRM)
 
     # ask for default console
     console_type: str = ask_input(MSG_INPUT_CONSOLE_TYPE,
@@ -931,6 +940,16 @@ def add_image(image_path: str, vrf: str = None, username: str = '',
         if set_as_default:
             grub.set_default(image_name, root_dir)
 
+    except OSError as e:
+        # if no space error, remove image dir and cleanup
+        if e.errno == ENOSPC:
+            cleanup(mounts=[str(iso_path)],
+                    remove_items=[f'{root_dir}/boot/{image_name}'])
+        else:
+            # unmount an ISO and cleanup
+            cleanup([str(iso_path)])
+        exit(f'Error: {e}')
+
     except Exception as err:
         # unmount an ISO and cleanup
         cleanup([str(iso_path)])
diff --git a/src/op_mode/openvpn.py b/src/op_mode/openvpn.py
index d54a67199..092873909 100755
--- a/src/op_mode/openvpn.py
+++ b/src/op_mode/openvpn.py
@@ -48,9 +48,12 @@ def _get_tunnel_address(peer_host, peer_port, status_file):
         # 10.10.2.0/25,client1,...
         lst = [l for l in lst[1:] if '/' not in l.split(',')[0]]
 
-        tunnel_ip = lst[0].split(',')[0]
+        if lst:
+            tunnel_ip = lst[0].split(',')[0]
 
-        return tunnel_ip
+            return tunnel_ip
+
+        return 'n/a'
 
 def _get_interface_status(mode: str, interface: str) -> dict:
     status_file = f'/run/openvpn/{interface}.status'
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index ad2c1ada0..b1ca6ee29 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -306,7 +306,7 @@ def parse_san_string(san_string):
             output.append(ipaddress.IPv4Address(value))
         elif tag == 'ipv6':
             output.append(ipaddress.IPv6Address(value))
-        elif tag == 'dns':
+        elif tag == 'dns' or tag == 'rfc822':
             output.append(value)
     return output
 
@@ -324,7 +324,7 @@ def generate_certificate_request(private_key=None, key_type=None, return_request
     subject_alt_names = None
 
     if ask_san and ask_yes_no('Do you want to configure Subject Alternative Names?'):
-        print("Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net")
+        print("Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net,rfc822:user@vyos.net")
         san_string = ask_input('Enter Subject Alternative Names:')
         subject_alt_names = parse_san_string(san_string)
 
diff --git a/src/op_mode/uptime.py b/src/op_mode/uptime.py
index d6adf6f4d..059a4c3f6 100755
--- a/src/op_mode/uptime.py
+++ b/src/op_mode/uptime.py
@@ -49,7 +49,7 @@ def _get_raw_data():
 
     res = {}
     res["uptime_seconds"] = _get_uptime_seconds()
-    res["uptime"] = seconds_to_human(_get_uptime_seconds())
+    res["uptime"] = seconds_to_human(_get_uptime_seconds(), separator=' ')
     res["load_average"] = _get_load_averages()
 
     return res