12 files changed, 114 insertions, 167 deletions

diff --git a/src/conf_mode/service_dhcp-server.py b/src/conf_mode/service_dhcp-server.py
index 5a729af74..e46d916fd 100755
--- a/src/conf_mode/service_dhcp-server.py
+++ b/src/conf_mode/service_dhcp-server.py
@@ -41,7 +41,6 @@ from vyos import airbag
 
 airbag.enable()
 
-ctrl_config_file = '/run/kea/kea-ctrl-agent.conf'
 ctrl_socket = '/run/kea/dhcp4-ctrl-socket'
 config_file = '/run/kea/kea-dhcp4.conf'
 lease_file = '/config/dhcp/dhcp4-leases.csv'
@@ -480,13 +479,6 @@ def generate(dhcp):
             dhcp['high_availability']['ca_cert_file'] = ca_cert_file
 
     render(
-        ctrl_config_file,
-        'dhcp-server/kea-ctrl-agent.conf.j2',
-        dhcp,
-        user=user_group,
-        group=user_group,
-    )
-    render(
         config_file,
         'dhcp-server/kea-dhcp4.conf.j2',
         dhcp,
@@ -498,7 +490,7 @@ def generate(dhcp):
 
 
 def apply(dhcp):
-    services = ['kea-ctrl-agent', 'kea-dhcp4-server', 'kea-dhcp-ddns-server']
+    services = ['kea-dhcp4-server', 'kea-dhcp-ddns-server']
 
     if not dhcp or 'disable' in dhcp:
         for service in services:
@@ -515,9 +507,6 @@ def apply(dhcp):
         if service == 'kea-dhcp-ddns-server' and 'dynamic_dns_update' not in dhcp:
             action = 'stop'
 
-        if service == 'kea-ctrl-agent' and 'high_availability' not in dhcp:
-            action = 'stop'
-
         call(f'systemctl {action} {service}.service')
 
     return None
diff --git a/src/conf_mode/service_ids_ddos-protection.py b/src/conf_mode/service_ids_ddos-protection.py
deleted file mode 100755
index 276a71fcb..000000000
--- a/src/conf_mode/service_ids_ddos-protection.py
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018-2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-
-from sys import exit
-
-from vyos.config import Config
-from vyos.template import render
-from vyos.utils.process import call
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-config_file = r'/run/fastnetmon/fastnetmon.conf'
-networks_list = r'/run/fastnetmon/networks_list'
-excluded_networks_list = r'/run/fastnetmon/excluded_networks_list'
-attack_dir = '/var/log/fastnetmon_attacks'
-
-def get_config(config=None):
-    if config:
-        conf = config
-    else:
-        conf = Config()
-    base = ['service', 'ids', 'ddos-protection']
-    if not conf.exists(base):
-        return None
-
-    fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'),
-                                      get_first_key=True,
-                                      with_recursive_defaults=True)
-
-    return fastnetmon
-
-def verify(fastnetmon):
-    if not fastnetmon:
-        return None
-
-    if 'mode' not in fastnetmon:
-        raise ConfigError('Specify operating mode!')
-
-    if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon:
-        raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring")
-
-    if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}):
-        raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'")
-
-    if 'alert_script' in fastnetmon:
-        if os.path.isfile(fastnetmon['alert_script']):
-            # Check script permissions
-            if not os.access(fastnetmon['alert_script'], os.X_OK):
-                raise ConfigError('Script "{alert_script}" is not executable!'.format(fastnetmon['alert_script']))
-        else:
-           raise ConfigError('File "{alert_script}" does not exists!'.format(fastnetmon))
-
-def generate(fastnetmon):
-    if not fastnetmon:
-        for file in [config_file, networks_list]:
-            if os.path.isfile(file):
-                os.unlink(file)
-
-        return None
-
-    # Create dir for log attack details
-    if not os.path.exists(attack_dir):
-        os.mkdir(attack_dir)
-
-    render(config_file, 'ids/fastnetmon.j2', fastnetmon)
-    render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon)
-    render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon)
-    return None
-
-def apply(fastnetmon):
-    systemd_service = 'fastnetmon.service'
-    if not fastnetmon:
-        # Stop fastnetmon service if removed
-        call(f'systemctl stop {systemd_service}')
-    else:
-        call(f'systemctl reload-or-restart {systemd_service}')
-
-    return None
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        exit(1)
diff --git a/src/conf_mode/system_option.py b/src/conf_mode/system_option.py
index 064a1aa91..b45a9d8a6 100755
--- a/src/conf_mode/system_option.py
+++ b/src/conf_mode/system_option.py
@@ -122,6 +122,10 @@ def generate(options):
     render(ssh_config, 'system/ssh_config.j2', options)
     render(usb_autosuspend, 'system/40_usb_autosuspend.j2', options)
 
+    # XXX: This code path and if statements must be kept in sync with the Kernel
+    # option handling in image_installer.py:get_cli_kernel_options(). This
+    # occurance is used for having the appropriate options passed to GRUB
+    # when re-configuring options on the CLI.
     cmdline_options = []
     if 'kernel' in options:
         if 'disable_mitigations' in options['kernel']:
@@ -131,8 +135,7 @@ def generate(options):
         if 'amd_pstate_driver' in options['kernel']:
             mode = options['kernel']['amd_pstate_driver']
             cmdline_options.append(
-                f'initcall_blacklist=acpi_cpufreq_init amd_pstate={mode}'
-            )
+                f'initcall_blacklist=acpi_cpufreq_init amd_pstate={mode}')
     grub_util.update_kernel_cmdline_options(' '.join(cmdline_options))
 
     return None
diff --git a/src/etc/netplug/vyos-netplug-dhcp-client b/src/etc/netplug/vyos-netplug-dhcp-client
index 7fe6cda75..a230fe900 100755
--- a/src/etc/netplug/vyos-netplug-dhcp-client
+++ b/src/etc/netplug/vyos-netplug-dhcp-client
@@ -20,10 +20,10 @@ import sys
 from time import sleep
 
 from vyos.config import Config
-from vyos.configdict import get_interface_dict
-from vyos.ifconfig import Interface
 from vyos.ifconfig import Section
 from vyos.utils.boot import boot_configuration_complete
+from vyos.utils.process import cmd
+from vyos.utils.process import is_systemd_service_active
 from vyos.utils.commit import commit_in_progress
 from vyos import airbag
 
@@ -38,21 +38,34 @@ if not boot_configuration_complete():
     sys.exit(1)
 
 interface = sys.argv[1]
-# helper scripts should only work on physical interfaces not on individual
-# sub-interfaces. Moving e.g. a VLAN interface in/out a VRF will also trigger
-# this script which should be prohibited - bail out early
-if '.' in interface:
-    sys.exit(0)
 
 while commit_in_progress():
-    sleep(1)
+    sleep(0.250)
 
 in_out = sys.argv[2]
 config = Config()
 
 interface_path = ['interfaces'] + Section.get_config_path(interface).split()
-_, interface_config = get_interface_dict(
-    config, interface_path[:-1], ifname=interface, with_pki=True
-)
-if 'deleted' not in interface_config:
-    Interface(interface).update(interface_config)
+
+systemdV4_service = f'dhclient@{interface}.service'
+systemdV6_service = f'dhcp6c@{interface}.service'
+if in_out == 'out':
+    # Interface moved state to down
+    if is_systemd_service_active(systemdV4_service):
+        cmd(f'systemctl stop {systemdV4_service}')
+    if is_systemd_service_active(systemdV6_service):
+        cmd(f'systemctl stop {systemdV6_service}')
+elif in_out == 'in':
+    if config.exists_effective(interface_path + ['address']):
+        tmp = config.return_effective_values(interface_path + ['address'])
+        # Always (re-)start the DHCP(v6) client service. If the DHCP(v6) client
+        # is already running - which could happen if the interface is re-
+        # configured in operational down state, it will have a backoff
+        # time increasing while not receiving a DHCP(v6) reply.
+        #
+        # To make the interface instantly available, and as for a DHCP(v6) lease
+        # we will re-start the service and thus cancel the backoff time.
+        if 'dhcp' in tmp:
+            cmd(f'systemctl restart {systemdV4_service}')
+        if 'dhcpv6' in tmp:
+            cmd(f'systemctl restart {systemdV6_service}')
diff --git a/src/etc/systemd/system/fastnetmon.service.d/override.conf b/src/etc/systemd/system/fastnetmon.service.d/override.conf
deleted file mode 100644
index 841666070..000000000
--- a/src/etc/systemd/system/fastnetmon.service.d/override.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-RequiresMountsFor=/run
-ConditionPathExists=/run/fastnetmon/fastnetmon.conf
-After=
-After=vyos-router.service
-
-[Service]
-Type=simple
-WorkingDirectory=/run/fastnetmon
-PIDFile=/run/fastnetmon.pid
-ExecStart=
-ExecStart=/usr/sbin/fastnetmon --configuration_file /run/fastnetmon/fastnetmon.conf
diff --git a/src/etc/systemd/system/kea-ctrl-agent.service.d/override.conf b/src/etc/systemd/system/kea-ctrl-agent.service.d/override.conf
deleted file mode 100644
index c74fafb42..000000000
--- a/src/etc/systemd/system/kea-ctrl-agent.service.d/override.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-ConditionFileNotEmpty=
-
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/kea-ctrl-agent -c /run/kea/kea-ctrl-agent.conf
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 565b778e6..081adf214 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -557,6 +557,9 @@ start ()
     if [[ ! -z "$tmp" ]]; then
         vtysh -c "rpki start"
     fi
+
+    # Start netplug daemon
+    systemctl start netplug.service
 }
 
 stop()
@@ -574,8 +577,8 @@ stop()
     umount ${vyatta_configdir}
     log_action_end_msg $?
 
+    systemctl stop netplug.service
     systemctl stop vyconfd.service
-
     systemctl stop frr.service
 
     unmount_encrypted_config
diff --git a/src/migration-scripts/dhcp-server/7-to-8 b/src/migration-scripts/dhcp-server/7-to-8
index 7fcb62e86..d0f9455bb 100644
--- a/src/migration-scripts/dhcp-server/7-to-8
+++ b/src/migration-scripts/dhcp-server/7-to-8
@@ -41,9 +41,6 @@ def migrate(config: ConfigTree) -> None:
         for network in config.list_nodes(base + ['shared-network-name']):
             base_network = base + ['shared-network-name', network]
 
-            if config.exists(base_network + ['ping-check']):
-                config.delete(base_network + ['ping-check'])
-
             if config.exists(base_network + ['shared-network-parameters']):
                 config.delete(base_network +['shared-network-parameters'])
 
@@ -57,9 +54,6 @@ def migrate(config: ConfigTree) -> None:
                 if config.exists(base_subnet + ['enable-failover']):
                     config.delete(base_subnet + ['enable-failover'])
 
-                if config.exists(base_subnet + ['ping-check']):
-                    config.delete(base_subnet + ['ping-check'])
-
                 if config.exists(base_subnet + ['subnet-parameters']):
                     config.delete(base_subnet + ['subnet-parameters'])
 
diff --git a/src/migration-scripts/ids/1-to-2 b/src/migration-scripts/ids/1-to-2
new file mode 100644
index 000000000..4c0333c88
--- /dev/null
+++ b/src/migration-scripts/ids/1-to-2
@@ -0,0 +1,30 @@
+# Copyright 2025 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T: Migrate threshold and add new threshold types
+
+from vyos.configtree import ConfigTree
+
+# The old 'service ids' path was only used for FastNetMon
+# Suricata is in 'service suricata',
+# so this isn't an overreach
+base = ['service', 'ids']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+    else:
+        config.delete(base)
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 179913f15..2660309a5 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -24,7 +24,9 @@ from glob import glob
 from sys import exit
 from os import environ
 from os import readlink
-from os import getpid, getppid
+from os import getpid
+from os import getppid
+from json import loads
 from typing import Union
 from urllib.parse import urlparse
 from passlib.hosts import linux_context
@@ -35,15 +37,23 @@ from psutil import disk_partitions
 from vyos.base import Warning
 from vyos.configtree import ConfigTree
 from vyos.remote import download
-from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER
+from vyos.system import disk
+from vyos.system import grub
+from vyos.system import image
+from vyos.system import compat
+from vyos.system import raid
+from vyos.system import SYSTEM_CFG_VER
+from vyos.system import grub_util
 from vyos.template import render
 from vyos.utils.auth import (
     DEFAULT_PASSWORD,
     EPasswdStrength,
     evaluate_strength
 )
+from vyos.utils.dict import dict_search
 from vyos.utils.io import ask_input, ask_yes_no, select_entry
 from vyos.utils.file import chmod_2775
+from vyos.utils.file import read_file
 from vyos.utils.process import cmd, run, rc_cmd
 from vyos.version import get_version_data
 
@@ -477,6 +487,25 @@ def setup_grub(root_dir: str) -> None:
     render(grub_cfg_menu, grub.TMPL_GRUB_MENU, {})
     render(grub_cfg_options, grub.TMPL_GRUB_OPTS, {})
 
+def get_cli_kernel_options(config_file: str) -> list:
+    config = ConfigTree(read_file(config_file))
+    config_dict = loads(config.to_json())
+    kernel_options = dict_search('system.option.kernel', config_dict)
+    cmdline_options = []
+
+    # XXX: This code path and if statements must be kept in sync with the Kernel
+    # option handling in system_options.py:generate(). This occurance is used
+    # for having the appropriate options passed to GRUB after an image upgrade!
+    if 'disable-mitigations' in kernel_options:
+        cmdline_options.append('mitigations=off')
+    if 'disable-power-saving' in kernel_options:
+        cmdline_options.append('intel_idle.max_cstate=0 processor.max_cstate=1')
+    if 'amd-pstate-driver' in kernel_options:
+        mode = kernel_options['amd-pstate-driver']
+        cmdline_options.append(
+            f'initcall_blacklist=acpi_cpufreq_init amd_pstate={mode}')
+
+    return cmdline_options
 
 def configure_authentication(config_file: str, password: str) -> None:
     """Write encrypted password to config file
@@ -491,10 +520,7 @@ def configure_authentication(config_file: str, password: str) -> None:
     plaintext exposed
     """
     encrypted_password = linux_context.hash(password)
-
-    with open(config_file) as f:
-        config_string = f.read()
-
+    config_string = read_file(config_file)
     config = ConfigTree(config_string)
     config.set([
         'system', 'login', 'user', 'vyos', 'authentication',
@@ -1045,6 +1071,12 @@ def add_image(image_path: str, vrf: str = None, username: str = '',
         if set_as_default:
             grub.set_default(image_name, root_dir)
 
+        cmdline_options = get_cli_kernel_options(
+            f'{target_config_dir}/config.boot')
+        grub_util.update_kernel_cmdline_options(' '.join(cmdline_options),
+                                                root_dir=root_dir,
+                                                version=image_name)
+
     except OSError as e:
         # if no space error, remove image dir and cleanup
         if e.errno == ENOSPC:
diff --git a/src/systemd/netplug.service b/src/systemd/netplug.service
new file mode 100644
index 000000000..928c553e8
--- /dev/null
+++ b/src/systemd/netplug.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Network cable hotplug management daemon
+Documentation=man:netplugd(8)
+After=vyos-router.service
+
+[Service]
+Type=forking
+PIDFile=/run/netplugd.pid
+ExecStart=/sbin/netplugd -c /etc/netplug/netplugd.conf -p /run/netplugd.pid
diff --git a/src/systemd/vyos.target b/src/systemd/vyos.target
index 47c91c1cc..c5d04891d 100644
--- a/src/systemd/vyos.target
+++ b/src/systemd/vyos.target
@@ -1,3 +1,3 @@
 [Unit]
 Description=VyOS target
-After=multi-user.target
+After=multi-user.target vyos-grub-update.service