Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interfaces-tunnel.py11
-rwxr-xr-xsrc/conf_mode/interfaces-wireguard.py9
-rwxr-xr-xsrc/conf_mode/ssh.py91
3 files changed, 26 insertions, 85 deletions
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index c9964d41c..c13f77d91 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -254,6 +254,10 @@ default_config_data = {
'ip': False,
'ipv6': False,
'nhrp': [],
+ 'arp_filter': 1,
+ 'arp_accept': 0,
+ 'arp_announce': 0,
+ 'arp_ignore': 0,
'ipv6_accept_ra': 1,
'ipv6_autoconf': 0,
'ipv6_forwarding': 1,
@@ -307,6 +311,10 @@ mapping = {
'link_detect': ('disable-link-detect', False, 2),
'vrf': ('vrf', False, None),
'addresses-add': ('address', True, None),
+ 'arp_filter': ('ip disable-arp-filter', False, 0),
+ 'arp_accept': ('ip enable-arp-accept', False, 1),
+ 'arp_announce': ('ip enable-arp-announce', False, 1),
+ 'arp_ignore': ('ip enable-arp-ignore', False, 1),
'ipv6_autoconf': ('ipv6 address autoconf', False, 1),
'ipv6_forwarding': ('ipv6 disable-forwarding', False, 0),
'ipv6_dad_transmits:': ('ipv6 dup-addr-detect-transmits', False, None)
@@ -474,6 +482,8 @@ def verify(conf):
kls = get_class(options)
valid = kls.updates + ['alias', 'addresses-add', 'addresses-del', 'vrf', 'state']
+ valid += ['arp_filter', 'arp_accept', 'arp_announce', 'arp_ignore']
+ valid += ['ipv6_accept_ra', 'ipv6_autoconf', 'ipv6_forwarding', 'ipv6_dad_transmits']
if changes['section'] == 'create':
valid.extend(['type',])
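Review bot: The key added to `valid` on L42, `'ipv6_dad_transmits'`, does not match the mapping entry visible in the previous hunk, which is spelled `'ipv6_dad_transmits:'` with a trailing colon. If the mapping keys are what populates `options`, then `options['ipv6_dad_transmits']` read by the apply loop never receives the CLI value and `ipv6 dup-addr-detect-transmits` silently has no effect; this pre-existing typo is not fixed by the commit. Suggested correction in the mapping: `'ipv6_dad_transmits': ('ipv6 dup-addr-detect-transmits', False, None)`. verify() continues past the hunk.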
@@ -645,6 +655,7 @@ def apply(conf):
# set other interface properties
for option in ('alias', 'mtu', 'link_detect', 'multicast', 'allmulticast',
+ 'arp_accept', 'arp_filter', 'arp_announce', 'arp_ignore',
'ipv6_accept_ra', 'ipv6_autoconf', 'ipv6_forwarding', 'ipv6_dad_transmits'):
if not options[option]:
# should never happen but better safe
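Review bot: Three of the four ARP options added on L48 default to 0 (`arp_accept`, `arp_announce`, `arp_ignore` in the first hunk) and the guard on L50 tests truthiness, so a legitimate value of 0 is indistinguishable from a missing option. If the guarded statement, which lies past the hunk, skips the option, then deleting `ip enable-arp-accept` or `ip enable-arp-ignore` leaves the previously written sysctl value of 1 on the interface instead of restoring 0 — the operator believes gratuitous ARP is no longer accepted while the kernel still accepts it; `ipv6_autoconf` (default 0) has the same exposure. Test for absence rather than falsiness, e.g. `if options[option] in (None, ''):`, so an explicit 0 is written back. The loop body continues outside the hunk.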
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index ab3e073ae..c24c9a7ce 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -275,7 +275,7 @@ def apply(wg):
# peer pubkey
# setting up the wg interface
- w.config['private-key'] = c['pk']
+ w.config['private_key'] = c['pk']
for peer in wg['peer']:
# peer pubkey
@@ -300,13 +300,8 @@ def apply(wg):
if peer['persistent_keepalive']:
w.config['keepalive'] = peer['persistent_keepalive']
- # maybe move it into ifconfig.py
- # preshared-key - needs to be read from a file
if peer['psk']:
- psk_file = '/config/auth/wireguard/psk'
- with open(psk_file, 'w') as f:
- f.write(peer['psk'])
- w.config['psk'] = psk_file
+ w.config['psk'] = peer['psk']
w.update()
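Review bot: The removed lines wrote every peer's PSK to the single file `/config/auth/wireguard/psk` under the process umask and never deleted it; this commit stops writing it but does nothing about the copy left behind by earlier versions, so a stale pre-shared key remains readable under /config (which is typically included in configuration archives) after upgrade. Consider a one-off cleanup, `if os.path.isfile('/config/auth/wireguard/psk'): os.unlink('/config/auth/wireguard/psk')`, or a migration step; whether `os` is already imported is not visible in this diff. Passing the raw key through `w.config['psk']` on L73 also moves handling of the secret into the helper: if it hands the key to `wg` via a temporary file that file must be created 0600 and unlinked afterwards, and the key must not be placed on a command line where `ps` exposes it — that code is outside the hunk. The enclosing `for peer in wg['peer']:` loop starts in the previous hunk.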
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 43fa2ff39..1ca2c8b4c 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -20,89 +20,28 @@ from netifaces import interfaces
from sys import exit
from vyos.config import Config
+from vyos.configdict import dict_merge
from vyos import ConfigError
from vyos.util import call
from vyos.template import render
-
+from vyos.xml import defaults
from vyos import airbag
airbag.enable()
config_file = r'/etc/ssh/sshd_config'
systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf'
-default_config_data = {
- 'port' : ['22'],
- 'log_level': 'INFO',
- 'password_authentication': 'yes',
- 'host_validation': 'yes',
- 'vrf': ''
-}
-
def get_config():
- ssh = default_config_data
conf = Config()
base = ['service', 'ssh']
if not conf.exists(base):
return None
- else:
- conf.set_level(base)
-
- tmp = ['access-control', 'allow', 'user']
- if conf.exists(tmp):
- ssh['allow_users'] = conf.return_values(tmp)
-
- tmp = ['access-control', 'allow', 'group']
- if conf.exists(tmp):
- ssh['allow_groups'] = conf.return_values(tmp)
-
- tmp = ['access-control', 'deny' 'user']
- if conf.exists(tmp):
- ssh['deny_users'] = conf.return_values(tmp)
-
- tmp = ['access-control', 'deny', 'group']
- if conf.exists(tmp):
- ssh['deny_groups'] = conf.return_values(tmp)
-
- tmp = ['ciphers']
- if conf.exists(tmp):
- ssh['ciphers'] = conf.return_values(tmp)
-
- tmp = ['key-exchange']
- if conf.exists(tmp):
- ssh['key_exchange'] = conf.return_values(tmp)
-
- if conf.exists(['disable-host-validation']):
- ssh['host_validation'] = 'no'
-
- if conf.exists(['disable-password-authentication']):
- ssh['password_authentication'] = 'no'
-
- tmp = ['listen-address']
- if conf.exists(tmp):
- # We can listen on both IPv4 and IPv6 addresses
- # Maybe there could be a check in the future if the configured IP address
- # is configured on this system at all?
- ssh['listen_on'] = conf.return_values(tmp)
-
- tmp = ['loglevel']
- if conf.exists(tmp):
- ssh['log_level'] = conf.return_value(tmp)
-
- tmp = ['mac']
- if conf.exists(tmp):
- ssh['mac'] = conf.return_values(tmp)
- tmp = ['port']
- if conf.exists(tmp):
- ssh['port'] = conf.return_values(tmp)
-
- tmp = ['client-keepalive-interval']
- if conf.exists(tmp):
- ssh['client_keepalive'] = conf.return_value(tmp)
-
- tmp = ['vrf']
- if conf.exists(tmp):
- ssh['vrf'] = conf.return_value(tmp)
+ ssh = conf.get_config_dict(base, key_mangling=('-', '_'))
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ default_values = defaults(base)
+ ssh = dict_merge(default_values, ssh)
return ssh
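Review bot: The dictionary handed to the template now carries CLI-derived key names with `-` mangled to `_` (e.g. `disable_password_authentication`, `disable_host_validation`, `loglevel`, `listen_address`, `access_control`) plus XML defaults, whereas the removed code exposed `password_authentication`/`host_validation` as 'yes'/'no' strings, `log_level`, `listen_on`, `allow_users` and `deny_users`; the diffstat shows neither `ssh/sshd_config.tmpl` nor the interface XML changed in this commit. If the template still references the old names, Jinja renders them as empty and silently drops hardening directives such as `PasswordAuthentication no`, `AllowUsers`/`DenyUsers` and `ListenAddress` from sshd_config, leaving sshd listening on all addresses with password authentication enabled. Please confirm the template and `defaults(['service', 'ssh'])` were updated alongside this change (the old code also hard-coded `port` to `['22']`, which `defaults()` must now supply). A comment on L164 would help the next reader: `# keys are the CLI node names with '-' mangled to '_'; sshd_config.tmpl must use these names`.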
@@ -110,18 +49,18 @@ def verify(ssh):
if not ssh:
return None
- if 'loglevel' in ssh.keys():
- allowed_loglevel = 'QUIET, FATAL, ERROR, INFO, VERBOSE'
- if not ssh['loglevel'] in allowed_loglevel:
- raise ConfigError('loglevel must be one of "{0}"\n'.format(allowed_loglevel))
-
- if ssh['vrf'] and ssh['vrf'] not in interfaces():
+ if 'vrf' in ssh.keys() and ssh['vrf'] not in interfaces():
raise ConfigError('VRF "{vrf}" does not exist'.format(**ssh))
return None
def generate(ssh):
if not ssh:
+ if os.path.isfile(config_file):
+ os.unlink(config_file)
+ if os.path.isfile(systemd_override):
+ os.unlink(systemd_override)
+
return None
render(config_file, 'ssh/sshd_config.tmpl', ssh, trim_blocks=True)
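Review bot: The rewritten VRF check on L179 accepts any name returned by `netifaces.interfaces()`, so `set service ssh vrf eth0` passes verify even though eth0 is not a VRF device; what then happens depends on the template, which is not in this diff, but binding sshd to a non-VRF interface through the systemd override is likely to fail at start or attach the daemon to an unintended routing context. If the project has a VRF lookup helper it belongs here; otherwise document the limitation, `# NOTE: only checks that an interface of that name exists, not that it is a VRF`. Separately, the removed loglevel validation is not replaced in this file, so the allowed set is now enforced solely by the XML, which is worth confirming since sshd rejects an unknown `LogLevel` value and refuses to start. generate() continues past the hunk; the render call on L190 is its last visible line.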
@@ -133,10 +72,6 @@ def apply(ssh):
if not ssh:
# SSH access is removed in the commit
call('systemctl stop ssh.service')
- if os.path.isfile(config_file):
- os.unlink(config_file)
- if os.path.isfile(systemd_override):
- os.unlink(systemd_override)
# Reload systemd manager configuration
call('systemctl daemon-reload')