7 files changed, 147 insertions, 11 deletions

diff --git a/src/op_mode/monitor_bandwidth_test.sh b/src/op_mode/execute_bandwidth_test.sh
index a6ad0b42c..a6ad0b42c 100755
--- a/src/op_mode/monitor_bandwidth_test.sh
+++ b/src/op_mode/execute_bandwidth_test.sh
diff --git a/src/op_mode/interfaces_wireguard.py b/src/op_mode/interfaces_wireguard.py
new file mode 100644
index 000000000..627af0579
--- /dev/null
+++ b/src/op_mode/interfaces_wireguard.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import vyos.opmode
+
+from vyos.ifconfig import WireGuardIf
+from vyos.configquery import ConfigTreeQuery
+
+
+def _verify(func):
+    """Decorator checks if WireGuard interface config exists"""
+    from functools import wraps
+
+    @wraps(func)
+    def _wrapper(*args, **kwargs):
+        config = ConfigTreeQuery()
+        interface = kwargs.get('intf_name')
+        if not config.exists(['interfaces', 'wireguard', interface]):
+            unconf_message = f'WireGuard interface {interface} is not configured'
+            raise vyos.opmode.UnconfiguredSubsystem(unconf_message)
+        return func(*args, **kwargs)
+
+    return _wrapper
+
+
+@_verify
+def show_summary(raw: bool, intf_name: str):
+    intf = WireGuardIf(intf_name, create=False, debug=False)
+    return intf.operational.show_interface()
+
+
+if __name__ == '__main__':
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, vyos.opmode.Error) as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/op_mode/restart.py b/src/op_mode/restart.py
index 813d3a2b7..a83c8b9d8 100755
--- a/src/op_mode/restart.py
+++ b/src/op_mode/restart.py
@@ -25,11 +25,11 @@ from vyos.utils.commit import commit_in_progress
 config = ConfigTreeQuery()
 
 service_map = {
-    'dhcp' : {
+    'dhcp': {
         'systemd_service': 'kea-dhcp4-server',
         'path': ['service', 'dhcp-server'],
     },
-    'dhcpv6' : {
+    'dhcpv6': {
         'systemd_service': 'kea-dhcp6-server',
         'path': ['service', 'dhcpv6-server'],
     },
@@ -61,24 +61,40 @@ service_map = {
         'systemd_service': 'radvd',
         'path': ['service', 'router-advert'],
     },
-    'snmp' : {
+    'snmp': {
         'systemd_service': 'snmpd',
     },
-    'ssh' : {
+    'ssh': {
         'systemd_service': 'ssh',
     },
-    'suricata' : {
+    'suricata': {
         'systemd_service': 'suricata',
     },
-    'vrrp' : {
+    'vrrp': {
         'systemd_service': 'keepalived',
         'path': ['high-availability', 'vrrp'],
     },
-    'webproxy' : {
+    'webproxy': {
         'systemd_service': 'squid',
     },
 }
-services = typing.Literal['dhcp', 'dhcpv6', 'dns_dynamic', 'dns_forwarding', 'igmp_proxy', 'ipsec', 'mdns_repeater', 'reverse_proxy', 'router_advert', 'snmp', 'ssh', 'suricata' 'vrrp', 'webproxy']
+services = typing.Literal[
+    'dhcp',
+    'dhcpv6',
+    'dns_dynamic',
+    'dns_forwarding',
+    'igmp_proxy',
+    'ipsec',
+    'mdns_repeater',
+    'reverse_proxy',
+    'router_advert',
+    'snmp',
+    'ssh',
+    'suricata',
+    'vrrp',
+    'webproxy',
+]
+
 
 def _verify(func):
     """Decorator checks if DHCP(v6) config exists"""
@@ -102,13 +118,18 @@ def _verify(func):
 
         # Check if config does not exist
         if not config.exists(path):
-            raise vyos.opmode.UnconfiguredSubsystem(f'Service {human_name} is not configured!')
+            raise vyos.opmode.UnconfiguredSubsystem(
+                f'Service {human_name} is not configured!'
+            )
         if config.exists(path + ['disable']):
-            raise vyos.opmode.UnconfiguredSubsystem(f'Service {human_name} is disabled!')
+            raise vyos.opmode.UnconfiguredSubsystem(
+                f'Service {human_name} is disabled!'
+            )
         return func(*args, **kwargs)
 
     return _wrapper
 
+
 @_verify
 def restart_service(raw: bool, name: services, vrf: typing.Optional[str]):
     systemd_service = service_map[name]['systemd_service']
@@ -117,6 +138,7 @@ def restart_service(raw: bool, name: services, vrf: typing.Optional[str]):
     else:
         call(f'systemctl restart "{systemd_service}.service"')
 
+
 if __name__ == '__main__':
     try:
         res = vyos.opmode.run(sys.modules[__name__])
diff --git a/src/op_mode/restart_frr.py b/src/op_mode/restart_frr.py
index 8841b0eca..83146f5ec 100755
--- a/src/op_mode/restart_frr.py
+++ b/src/op_mode/restart_frr.py
@@ -139,7 +139,7 @@ def _reload_config(daemon):
 # define program arguments
 cmd_args_parser = argparse.ArgumentParser(description='restart frr daemons')
 cmd_args_parser.add_argument('--action', choices=['restart'], required=True, help='action to frr daemons')
-cmd_args_parser.add_argument('--daemon', choices=['zebra', 'staticd', 'bgpd', 'eigrpd', 'ospfd', 'ospf6d', 'ripd', 'ripngd', 'isisd', 'pimd', 'pim6d', 'ldpd', 'babeld', 'bfdd'], required=False,  nargs='*', help='select single or multiple daemons')
+cmd_args_parser.add_argument('--daemon', choices=['zebra', 'staticd', 'bgpd', 'eigrpd', 'ospfd', 'ospf6d', 'ripd', 'ripngd', 'isisd', 'pimd', 'pim6d', 'ldpd', 'babeld', 'bfdd', 'fabricd'], required=False,  nargs='*', help='select single or multiple daemons')
 # parse arguments
 cmd_args = cmd_args_parser.parse_args()
 
diff --git a/src/op_mode/secure_boot.py b/src/op_mode/secure_boot.py
new file mode 100755
index 000000000..5f6390a15
--- /dev/null
+++ b/src/op_mode/secure_boot.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import vyos.opmode
+
+from vyos.utils.boot import is_uefi_system
+from vyos.utils.system import get_secure_boot_state
+
+def _get_raw_data(name=None):
+    sb_data = {
+        'state' : get_secure_boot_state(),
+        'uefi' : is_uefi_system()
+    }
+    return sb_data
+
+def _get_formatted_output(raw_data):
+    if not raw_data['uefi']:
+        print('System run in legacy BIOS mode!')
+    state = 'enabled' if raw_data['state'] else 'disabled'
+    return f'SecureBoot {state}'
+
+def show(raw: bool):
+    sb_data = _get_raw_data()
+    if raw:
+        return sb_data
+    else:
+        return _get_formatted_output(sb_data)
+
+if __name__ == "__main__":
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, vyos.opmode.Error) as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/op_mode/version.py b/src/op_mode/version.py
index 09d69ad1d..71a40dd50 100755
--- a/src/op_mode/version.py
+++ b/src/op_mode/version.py
@@ -25,6 +25,9 @@ import vyos.opmode
 import vyos.version
 import vyos.limericks
 
+from vyos.utils.boot import is_uefi_system
+from vyos.utils.system import get_secure_boot_state
+
 from jinja2 import Template
 
 version_output_tmpl = """
@@ -43,6 +46,7 @@ Build comment:    {{build_comment}}
 Architecture:     {{system_arch}}
 Boot via:         {{boot_via}}
 System type:      {{system_type}}
+Secure Boot:      {{secure_boot}}
 
 Hardware vendor:  {{hardware_vendor}}
 Hardware model:   {{hardware_model}}
@@ -57,6 +61,11 @@ Copyright:        VyOS maintainers and contributors
 
 def _get_raw_data(funny=False):
     version_data = vyos.version.get_full_version_data()
+    version_data["secure_boot"] = "n/a (BIOS)"
+    if is_uefi_system():
+        version_data["secure_boot"] = "disabled"
+        if get_secure_boot_state():
+            version_data["secure_boot"] = "enabled"
 
     if funny:
         version_data["limerick"] = vyos.limericks.get_random()
diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py
index 5e2aaae6b..9385bcd0c 100755
--- a/src/op_mode/vpn_ike_sa.py
+++ b/src/op_mode/vpn_ike_sa.py
@@ -38,6 +38,8 @@ def ike_sa(peer, nat):
     peers = []
     for conn in sas:
         for name, sa in conn.items():
+            if peer and s(sa['remote-host']) != peer:
+                continue
             if name.startswith('peer_') and name in peers:
                 continue
             if nat and 'nat-local' not in sa: