12 files changed, 125 insertions, 6 deletions
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 94882fc14..83e6dee11 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -315,7 +315,7 @@ def generate_run_arguments(name, container_config):
     sysctl_opt = ''
     if 'sysctl' in container_config and 'parameter' in container_config['sysctl']:
         for k, v in container_config['sysctl']['parameter'].items():
-            sysctl_opt += f" --sysctl {k}={v['value']}"
+            sysctl_opt += f" --sysctl \"{k}={v['value']}\""
 
     # Add capability options. Should be in uppercase
     capabilities = ''
diff --git a/src/conf_mode/interfaces_wwan.py b/src/conf_mode/interfaces_wwan.py
index ddbebfb4a..fb71731d8 100755
--- a/src/conf_mode/interfaces_wwan.py
+++ b/src/conf_mode/interfaces_wwan.py
@@ -29,6 +29,7 @@ from vyos.configverify import verify_vrf
 from vyos.configverify import verify_mtu_ipv6
 from vyos.ifconfig import WWANIf
 from vyos.utils.dict import dict_search
+from vyos.utils.network import is_wwan_connected
 from vyos.utils.process import cmd
 from vyos.utils.process import call
 from vyos.utils.process import DEVNULL
@@ -137,7 +138,7 @@ def apply(wwan):
                 break
             sleep(0.250)
 
-    if 'shutdown_required' in wwan:
+    if 'shutdown_required' in wwan or (not is_wwan_connected(wwan['ifname'])):
         # we only need the modem number. wwan0 -> 0, wwan1 -> 1
         modem = wwan['ifname'].lstrip('wwan')
         base_cmd = f'mmcli --modem {modem}'
@@ -159,7 +160,7 @@ def apply(wwan):
 
         return None
 
-    if 'shutdown_required' in wwan:
+    if 'shutdown_required' in wwan or (not is_wwan_connected(wwan['ifname'])):
         ip_type = 'ipv4'
         slaac = dict_search('ipv6.address.autoconf', wwan) != None
         if 'address' in wwan:
diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py
index c06c0aafc..467c9611b 100755
--- a/src/conf_mode/protocols_ospf.py
+++ b/src/conf_mode/protocols_ospf.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2024 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -17,6 +17,7 @@
 from sys import exit
 from sys import argv
 
+from vyos.base import Warning
 from vyos.config import Config
 from vyos.configverify import verify_common_route_maps
 from vyos.configverify import verify_route_map
@@ -62,6 +63,16 @@ def verify(config_dict):
     if 'area' in ospf:
           networks = []
           for area, area_config in ospf['area'].items():
+              # Implemented as warning to not break existing configurations
+              if area == '0' and dict_search('area_type.nssa', area_config) != None:
+                  Warning('You cannot configure NSSA to backbone!')
+              # Implemented as warning to not break existing configurations
+              if area == '0' and dict_search('area_type.stub', area_config) != None:
+                  Warning('You cannot configure STUB to backbone!')
+              # Implemented as warning to not break existing configurations
+              if len(area_config['area_type']) > 1:
+                  Warning(f'Only one area-type is supported for area "{area}"!')
+
               if 'import_list' in area_config:
                   acl_import = area_config['import_list']
                   if acl_import: verify_access_list(acl_import, ospf)
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index f25ed8d10..8909d9cba 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -32,7 +32,6 @@ from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
-conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
 sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
 nftables_ct_file = r'/run/nftables-ct.conf'
 vyos_conntrack_logger_config = r'/run/vyos-conntrack-logger.conf'
@@ -204,7 +203,6 @@ def generate(conntrack):
                 elif path[0] == 'ipv6':
                     conntrack['ipv6_firewall_action'] = 'accept'
 
-    render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
     render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)
     render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack)
 
diff --git a/src/etc/default/vyatta b/src/etc/default/vyatta
index e5fa3bb30..0a5129e8b 100644
--- a/src/etc/default/vyatta
+++ b/src/etc/default/vyatta
@@ -173,6 +173,7 @@ unset _vyatta_extglob
     declare -x -r vyos_bin_dir=/usr/bin
     declare -x -r vyos_sbin_dir=/usr/sbin
     declare -x -r vyos_share_dir=/usr/share
+    declare -x -r vyconf_bin_dir=/usr/libexec/vyos/vyconf/bin
 
     if test -z "$vyos_conf_scripts_dir" ; then
         declare -x -r vyos_conf_scripts_dir=$vyos_libexec_dir/conf_mode
diff --git a/src/helpers/set_vyconf_backend.py b/src/helpers/set_vyconf_backend.py
index 6747e51c3..816452f3b 100755
--- a/src/helpers/set_vyconf_backend.py
+++ b/src/helpers/set_vyconf_backend.py
@@ -19,10 +19,14 @@
 # N.B. only for use within testing framework; explicit invocation will leave
 # system in inconsistent state.
 
+import os
+import sys
 from argparse import ArgumentParser
 
 from vyos.utils.backend import set_vyconf_backend
 
+if os.getuid() != 0:
+    sys.exit('Requires root privileges')
 
 parser = ArgumentParser()
 parser.add_argument('--disable', action='store_true',
diff --git a/src/helpers/vyconf_cli.py b/src/helpers/vyconf_cli.py
new file mode 100755
index 000000000..a159a2678
--- /dev/null
+++ b/src/helpers/vyconf_cli.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2025 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import os
+import sys
+
+from vyos.vyconf_session import VyconfSession
+
+
+pid = os.getppid()
+
+vs = VyconfSession(pid=pid)
+
+script_path = sys.argv[0]
+script_name = os.path.basename(script_path)
+# drop prefix 'vy_' if present
+if script_name.startswith('vy_'):
+    func_name = script_name[3:]
+else:
+    func_name = script_name
+
+if hasattr(vs, func_name):
+    func = getattr(vs, func_name)
+else:
+    sys.exit(f'Call unimplemented: {func_name}')
+
+out = func()
+if isinstance(out, bool):
+    # for use in shell scripts
+    sys.exit(int(not out))
+
+print(out)
diff --git a/src/migration-scripts/conntrack/5-to-6 b/src/migration-scripts/conntrack/5-to-6
new file mode 100644
index 000000000..1db2e78b4
--- /dev/null
+++ b/src/migration-scripts/conntrack/5-to-6
@@ -0,0 +1,30 @@
+# Copyright 2025 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T7202: fix lower limit of supported conntrack hash-size to match Kernel
+#        lower limit.
+
+from vyos.configtree import ConfigTree
+
+base = ['system', 'conntrack']
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    if config.exists(base + ['hash-size']):
+        tmp = config.return_value(base + ['hash-size'])
+        if int(tmp) < 1024:
+            config.set(base + ['hash-size'], value=1024)
diff --git a/src/op_mode/install_mok.sh b/src/op_mode/install_mok.sh
new file mode 100755
index 000000000..29f78cd1f
--- /dev/null
+++ b/src/op_mode/install_mok.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if test -f /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; then
+    mokutil --ignore-keyring --import /var/lib/shim-signed/mok/vyos-dev-2025-shim.der;
+else
+    echo "Secure Boot Machine Owner Key not found";
+fi
diff --git a/src/op_mode/show_bonding_detail.sh b/src/op_mode/show_bonding_detail.sh
new file mode 100755
index 000000000..62265daa2
--- /dev/null
+++ b/src/op_mode/show_bonding_detail.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ -f "/proc/net/bonding/$1" ]; then
+  cat "/proc/net/bonding/$1";
+else
+  echo "Interface $1 does not exist!";
+fi
diff --git a/src/op_mode/show_ppp_stats.sh b/src/op_mode/show_ppp_stats.sh
new file mode 100755
index 000000000..d9c17f966
--- /dev/null
+++ b/src/op_mode/show_ppp_stats.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ -d "/sys/class/net/$1" ]; then
+  /usr/sbin/pppstats "$1";
+fi
diff --git a/src/op_mode/update_suricata.sh b/src/op_mode/update_suricata.sh
new file mode 100755
index 000000000..6e4e605f4
--- /dev/null
+++ b/src/op_mode/update_suricata.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if test -f /run/suricata/suricata.yaml; then
+  suricata-update --suricata-conf /run/suricata/suricata.yaml;
+  systemctl restart suricata;
+else
+  echo "Service Suricata not configured";
+fi