Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/firewall.py12
-rwxr-xr-xsrc/conf_mode/service_router-advert.py18
-rwxr-xr-xsrc/conf_mode/system_conntrack.py7
-rwxr-xr-xsrc/helpers/vyos_config_sync.py26
-rwxr-xr-xsrc/migration-scripts/policy/1-to-218
-rwxr-xr-xsrc/op_mode/conntrack.py3
6 files changed, 61 insertions, 23 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3c27655b0..810437dda 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -268,6 +268,18 @@ def verify_rule(firewall, rule_conf, ipv6):
if 'port' in side_conf and dict_search_args(side_conf, 'group', 'port_group'):
raise ConfigError(f'{side} port-group and port cannot both be defined')
+ if 'add_address_to_group' in rule_conf:
+ for type in ['destination_address', 'source_address']:
+ if type in rule_conf['add_address_to_group']:
+ if 'address_group' not in rule_conf['add_address_to_group'][type]:
+ raise ConfigError(f'Dynamic address group must be defined.')
+ else:
+ target = rule_conf['add_address_to_group'][type]['address_group']
+ fwall_group = 'ipv6_address_group' if ipv6 else 'address_group'
+ group_obj = dict_search_args(firewall, 'group', 'dynamic_group', fwall_group, target)
+ if group_obj is None:
+ raise ConfigError(f'Invalid dynamic address group on firewall rule')
+
if 'log_options' in rule_conf:
if 'log' not in rule_conf:
raise ConfigError('log-options defined, but log is not enable')
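Review bot: The loop variable `type` in the added block shadows the builtin, and both new ConfigError messages are f-strings with no placeholders, so the operator is never told which rule side or which group name failed validation. Rename the loop variable and put the offending target into the message, e.g. `for side_key in ['destination_address', 'source_address']:` and `raise ConfigError(f'Invalid dynamic address group "{target}" on firewall rule ({side_key})')`. The `else:` after the first raise is redundant and the lookup can be flattened one level. verify_rule starts before this hunk.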
diff --git a/src/conf_mode/service_router-advert.py b/src/conf_mode/service_router-advert.py
index dbb47de4e..88d767bb8 100755
--- a/src/conf_mode/service_router-advert.py
+++ b/src/conf_mode/service_router-advert.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -17,6 +17,8 @@
import os
from sys import exit
+from ipaddress import IPv6Network
+
from vyos.base import Warning
from vyos.config import Config
from vyos.template import render
@@ -47,7 +49,9 @@ def verify(rtradv):
return None
for interface, interface_config in rtradv['interface'].items():
- if 'prefix' in interface:
+ interval_max = int(interface_config['interval']['max'])
+
+ if 'prefix' in interface_config:
for prefix, prefix_config in interface_config['prefix'].items():
valid_lifetime = prefix_config['valid_lifetime']
if valid_lifetime == 'infinity':
@@ -60,6 +64,15 @@ def verify(rtradv):
if not (int(valid_lifetime) >= int(preferred_lifetime)):
raise ConfigError('Prefix valid-lifetime must be greater then or equal to preferred-lifetime')
+ if 'nat64prefix' in interface_config:
+ nat64_supported_lengths = [32, 40, 48, 56, 64, 96]
+ for prefix, prefix_config in interface_config['nat64prefix'].items():
+ if IPv6Network(prefix).prefixlen not in nat64_supported_lengths:
+ raise ConfigError(f'Invalid NAT64 prefix length for "{prefix}", can only be one of: /' + ', /'.join(nat64_supported_lengths))
+
+ if int(prefix_config['valid_lifetime']) < interval_max:
+ raise ConfigError(f'NAT64 valid-lifetime must not be smaller then "interval max" which is "{interval_max}"!')
+
if 'name_server' in interface_config:
if len(interface_config['name_server']) > 3:
raise ConfigError('No more then 3 IPv6 name-servers supported!')
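Review bot: The error path of the new prefix-length check never reaches the user: `', /'.join(nat64_supported_lengths)` calls str.join on a list of ints, which raises TypeError, so an unsupported length produces a traceback instead of the intended ConfigError. Change it to `', /'.join(map(str, nat64_supported_lengths))`. Two further things to confirm against the interface definition, which is not in this diff: `IPv6Network(prefix)` is strict by default and raises ValueError on a prefix with host bits set, and `int(prefix_config['valid_lifetime'])` will raise if this node accepts `infinity` the way the `prefix` node handled a few lines above does. verify() continues outside the hunk.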
@@ -72,7 +85,6 @@ def verify(rtradv):
# ensure stale RDNSS info gets removed in a timely fashion, this
# should not be greater than 2*MaxRtrAdvInterval.
lifetime = int(interface_config['name_server_lifetime'])
- interval_max = int(interface_config['interval']['max'])
if lifetime > 0:
if lifetime < int(interval_max):
raise ConfigError(f'RDNSS lifetime must be at least "{interval_max}" seconds!')
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index 2a55daed4..a1472aaaa 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -58,6 +58,11 @@ module_map = {
'nftables': ['tcp dport {1723} ct helper set "pptp_tcp" return'],
'ipv4': True
},
+ 'rtsp': {
+ 'ko': ['nf_nat_rtsp', 'nf_conntrack_rtsp'],
+ 'nftables': ['tcp dport {554} ct helper set "rtsp_tcp" return'],
+ 'ipv4': True
+ },
'sip': {
'ko': ['nf_nat_sip', 'nf_conntrack_sip'],
'nftables': ['tcp dport {5060,5061} ct helper set "sip_tcp" return',
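Review bot: The new `rtsp` entry should say where its kernel modules come from: `nf_conntrack_rtsp`/`nf_nat_rtsp` are, to my knowledge, not part of the mainline kernel, so a reader of this table cannot tell whether they are expected from an out-of-tree package shipped with the image; a comment such as `# out-of-tree helper: nf_conntrack_rtsp/nf_nat_rtsp must be provided by the kernel build` above the entry would make that explicit. Since ALG helpers parse untrusted payload in kernel space, it is also worth noting in that comment that the helper is only attached to TCP/554 through the explicit `ct helper set` rule, like the other entries, and not by automatic helper assignment. module_map starts before this hunk.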
@@ -195,7 +200,7 @@ def generate(conntrack):
def apply(conntrack):
# Depending on the enable/disable state of the ALG (Application Layer Gateway)
# modules we need to either insmod or rmmod the helpers.
-
+
add_modules = []
rm_modules = []
diff --git a/src/helpers/vyos_config_sync.py b/src/helpers/vyos_config_sync.py
index 7cfa8fe88..572fea61f 100755
--- a/src/helpers/vyos_config_sync.py
+++ b/src/helpers/vyos_config_sync.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2023 VyOS maintainers and contributors
+# Copyright (C) 2023-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -60,6 +60,7 @@ def post_request(url: str,
return response
+
def retrieve_config(section: str = None) -> Optional[Dict[str, Any]]:
"""Retrieves the configuration from the local server.
@@ -71,8 +72,6 @@ def retrieve_config(section: str = None) -> Optional[Dict[str, Any]]:
"""
if section is None:
section = []
- else:
- section = section.split()
conf = Config()
config = conf.get_config_dict(section, get_first_key=True)
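Review bot: With the `section.split()` branch removed, `section` is handed straight to `get_config_dict`, so callers must now pass a list of path components, but the signature at the top of this function (`section: str = None`, visible as context in the preceding hunk) still advertises a string. Update it to `def retrieve_config(section: Optional[list] = None) -> Optional[Dict[str, Any]]:` and adjust the docstring's parameter description to match, so a caller still passing `'interfaces ethernet'` is flagged rather than silently treated as a path. The same annotation drift applies to `path` in `set_remote_config`, whose `path.split()` branch is dropped in the next hunk.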
@@ -101,8 +100,6 @@ def set_remote_config(
if path is None:
path = []
- else:
- path = path.split()
headers = {'Content-Type': 'application/json'}
# Disable the InsecureRequestWarning
@@ -127,17 +124,16 @@ def set_remote_config(
def is_section_revised(section: str) -> bool:
from vyos.config_mgmt import is_node_revised
- return is_node_revised([section])
+ return is_node_revised(section)
def config_sync(secondary_address: str,
secondary_key: str,
- sections: List[str],
+ sections: List[list],
mode: str):
"""Retrieve a config section from primary router in JSON format and send it to
secondary router
"""
- # Config sync only if sections changed
if not any(map(is_section_revised, sections)):
return
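Review bot: `is_section_revised` now forwards `section` unchanged to `is_node_revised`, which the caller feeds with lists such as `['interfaces', 'pseudo-ethernet']`, yet its annotation still says `section: str`; `sections: List[list]` in config_sync is likewise looser than what is actually built. Change them to `def is_section_revised(section: List[str]) -> bool:` and `sections: List[List[str]],`. The deleted comment `# Config sync only if sections changed` was the only explanation of the early return and should be kept.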
@@ -188,5 +184,17 @@ if __name__ == '__main__':
"Missing required configuration data for config synchronization.")
exit(0)
+ # Generate list_sections of sections/subsections
+ # [
+ # ['interfaces', 'pseudo-ethernet'], ['interfaces', 'virtual-ethernet'], ['nat'], ['nat66']
+ # ]
+ list_sections = []
+ for section, subsections in sections.items():
+ if subsections:
+ for subsection in subsections:
+ list_sections.append([section, subsection])
+ else:
+ list_sections.append([section])
+
config_sync(secondary_address, secondary_key,
- sections, mode)
+ list_sections, mode)
diff --git a/src/migration-scripts/policy/1-to-2 b/src/migration-scripts/policy/1-to-2
index c70490ce9..c7a983bba 100755
--- a/src/migration-scripts/policy/1-to-2
+++ b/src/migration-scripts/policy/1-to-2
@@ -32,23 +32,23 @@ file_name = argv[1]
with open(file_name, 'r') as f:
config_file = f.read()
-base = ['policy', 'ipv6-route']
+base = ['policy']
config = ConfigTree(config_file)
if not config.exists(base):
# Nothing to do
exit(0)
-config.rename(base, 'route6')
-config.set_tag(['policy', 'route6'])
+if config.exists(base + ['ipv6-route']):
+ config.rename(base + ['ipv6-route'],'route6')
+ config.set_tag(['policy', 'route6'])
for route in ['route', 'route6']:
- route_path = ['policy', route]
- if config.exists(route_path):
- for name in config.list_nodes(route_path):
- if config.exists(route_path + [name, 'rule']):
- for rule in config.list_nodes(route_path + [name, 'rule']):
- rule_tcp_flags = route_path + [name, 'rule', rule, 'tcp', 'flags']
+ if config.exists(base + [route]):
+ for name in config.list_nodes(base + [route]):
+ if config.exists(base + [route, name, 'rule']):
+ for rule in config.list_nodes(base + [route, name, 'rule']):
+ rule_tcp_flags = base + [route, name, 'rule', rule, 'tcp', 'flags']
if config.exists(rule_tcp_flags):
tmp = config.return_value(rule_tcp_flags)
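Review bot: Style only: `config.rename(base + ['ipv6-route'],'route6')` is missing the space after the comma, which the rest of the script puts in. The `for route in ['route', 'route6']:` loop body continues past the end of this hunk, so the remainder of the tcp-flags rewrite is not reviewed here.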
diff --git a/src/op_mode/conntrack.py b/src/op_mode/conntrack.py
index cf8adf795..6ea213bec 100755
--- a/src/op_mode/conntrack.py
+++ b/src/op_mode/conntrack.py
@@ -112,7 +112,8 @@ def get_formatted_output(dict_data):
proto = meta['layer4']['protoname']
if direction == 'independent':
conn_id = meta['id']
- timeout = meta['timeout']
+ # T6138 flowtable offload conntrack entries without 'timeout'
+ timeout = meta.get('timeout', 'n/a')
orig_src = f'{orig_src}:{orig_sport}' if orig_sport else orig_src
orig_dst = f'{orig_dst}:{orig_dport}' if orig_dport else orig_dst
reply_src = f'{reply_src}:{reply_sport}' if reply_sport else reply_src