From 07080afd4015a900fb7474e1c81008f58b478565 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sat, 11 Apr 2020 15:12:52 +0200
Subject: vpn: l2tp: T2264: migrate IPv6 prefix node to common CLI style

Combining multiple options into a single CLI node is considered bad practice.
IPv6 prefixes consited of the prefix itself and a mask send to the client in
one node only.

The following CLI parts have been migrated from

  client-ipv6-pool {
    delegate-prefix fc00:0:1::/48,64
    prefix 2001:db8::/64,64
  }

to

  client-ipv6-pool {
    delegate fc00:0:1::/48 {
      delegation-prefix 48
    }
    prefix 2001:db8::/48 {
      mask 64
    }
  }

Thus regular validation steps from the VyOS CLI can be used when a prefix is
configured.
---
 data/templates/l2tp/l2tp.config.tmpl  |  8 ++---
 interface-definitions/vpn-l2tp.xml.in | 56 +++++++++++++++++++++++++++--------
 src/conf_mode/vpn_l2tp.py             | 30 ++++++++++++++++---
 src/migration-scripts/l2tp/2-to-3     | 28 ++++++++++++++++++
 4 files changed, 102 insertions(+), 20 deletions(-)

diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl
index 0dcff1371..ba78cadcd 100644
--- a/data/templates/l2tp/l2tp.config.tmpl
+++ b/data/templates/l2tp/l2tp.config.tmpl
@@ -118,11 +118,11 @@ ipv6=allow
 
 {% if client_ipv6_pool %}
 [ipv6-pool]
-{% for prefix in client_ipv6_pool %}
-{{ prefix }}
+{% for p in client_ipv6_pool %}
+{{ p.prefix }},{{ p.mask }}
 {% endfor %}
-{% for prefix in client_ipv6_delegate_prefix %}
-delegate={{ prefix }}
+{% for p in client_ipv6_delegate_prefix %}
+delegate={{ p.prefix }},{{ p.mask }}
 {% endfor %}
 
 {% endif %}
diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in
index 84dd8187c..d4286a810 100644
--- a/interface-definitions/vpn-l2tp.xml.in
+++ b/interface-definitions/vpn-l2tp.xml.in
@@ -237,26 +237,58 @@
                   <help>Pool of client IPv6 addresses</help>
                 </properties>
                 <children>
-                  <leafNode name="prefix">
+                  <tagNode name="prefix">
                     <properties>
-                      <help>IPV6 prefix delegation</help>
+                      <help>Pool of addresses used to assign to clients</help>
                       <valueHelp>
-                        <format>ipv6prefix/mask,prefix_len</format>
-                        <description>e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients</description>
+                        <format>ipv6net</format>
+                        <description>IPv6 address and prefix length</description>
                       </valueHelp>
-                      <multi />
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
                     </properties>
-                  </leafNode>
-                  <leafNode name="delegate-prefix">
+                    <children>
+                        <leafNode name="mask">
+                          <properties>
+                            <help>Prefix length used for individual client</help>
+                            <valueHelp>
+                              <format>&lt;48-128&gt;</format>
+                              <description>Client prefix length (default: 64)</description>
+                            </valueHelp>
+                            <constraint>
+                              <validator name="numeric" argument="--range 48-128"/>
+                            </constraint>
+                          </properties>
+                        </leafNode>
+                    </children>
+                  </tagNode>
+                  <tagNode name="delegate">
                     <properties>
-                      <help>DHCPv6 prefix delegation - rfc3633</help>
+                      <help>Subnet used to delegate prefix through DHCPv6-PD (RFC3633)</help>
                       <valueHelp>
-                        <format>ipv6prefix/mask,prefix_len</format>
-                        <description>Delegate to clients through DHCPv6 prefix delegation - rfc3633</description>
+                        <format>ipv6net</format>
+                        <description>IPv6 address and prefix length</description>
                       </valueHelp>
-                      <multi />
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
                     </properties>
-                  </leafNode>
+                    <children>
+                        <leafNode name="delegation-prefix">
+                          <properties>
+                            <help>Prefix length delegated to client</help>
+                            <valueHelp>
+                              <format>&lt;32-64&gt;</format>
+                              <description>Delegated prefix length</description>
+                            </valueHelp>
+                            <constraint>
+                              <validator name="numeric" argument="--range 32-64"/>
+                            </constraint>
+                          </properties>
+                        </leafNode>
+                    </children>
+                  </tagNode>
                 </children>
               </node>
               <leafNode name="description">
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 08654e2ff..7cfb4e74e 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -232,12 +232,30 @@ def get_config():
         l2tp['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet'])
 
     if conf.exists(['client-ipv6-pool', 'prefix']):
-        l2tp['client_ipv6_pool'] = conf.return_values(['client-ipv6-pool', 'prefix'])
         l2tp['ip6_column'].append('ip6')
+        for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']):
+            tmp = {
+                'prefix': prefix,
+                'mask': '64'
+            }
+
+            if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']):
+                tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask'])
 
-    if conf.exists(['client-ipv6-pool', 'delegate-prefix']):
-        l2tp['client_ipv6_delegate_prefix'] = conf.return_values(['client-ipv6-pool', 'delegate-prefix'])
-        l2tp['ip6_column'].append('ip6-dp')
+            l2tp['client_ipv6_pool'].append(tmp)
+
+    if conf.exists(['client-ipv6-pool', 'delegate']):
+        l2tp['ip6_column'].append('ip6-db')
+        for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']):
+            tmp = {
+                'prefix': prefix,
+                'mask': ''
+            }
+
+            if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'mask']):
+                tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix'])
+
+            l2tp['client_ipv6_delegate_prefix'].append(tmp)
 
     if conf.exists(['mtu']):
         l2tp['mtu'] = conf.return_value(['mtu'])
@@ -306,6 +324,10 @@ def verify(l2tp):
     if l2tp['client_ipv6_delegate_prefix'] and not l2tp['client_ipv6_pool']:
         raise ConfigError('IPv6 prefix delegation requires client-ipv6-pool prefix')
 
+    for prefix in l2tp['client_ipv6_delegate_prefix']:
+        if not prefix['mask']:
+            raise ConfigError('Delegation-prefix required for individual delegated networks')
+
     if len(l2tp['wins']) > 2:
         raise ConfigError('Not more then two IPv4 WINS name-servers can be configured')
 
diff --git a/src/migration-scripts/l2tp/2-to-3 b/src/migration-scripts/l2tp/2-to-3
index e24d1ffa9..bd0839e03 100755
--- a/src/migration-scripts/l2tp/2-to-3
+++ b/src/migration-scripts/l2tp/2-to-3
@@ -75,6 +75,34 @@ else:
             if config.exists(radius_base + ['server', server, 'req-limit']):
                 config.delete(radius_base + ['server', server, 'req-limit'])
 
+    # Migrate IPv6 prefixes
+    ipv6_base = base + ['client-ipv6-pool']
+    if config.exists(ipv6_base + ['prefix']):
+        prefix_old = config.return_values(ipv6_base + ['prefix'])
+        # delete old prefix CLI nodes
+        config.delete(ipv6_base + ['prefix'])
+        # create ned prefix tag node
+        config.set(ipv6_base + ['prefix'])
+        config.set_tag(ipv6_base + ['prefix'])
+
+        for p in prefix_old:
+            prefix = p.split(',')[0]
+            mask = p.split(',')[1]
+            config.set(ipv6_base + ['prefix', prefix, 'mask'], value=mask)
+
+    if config.exists(ipv6_base + ['delegate-prefix']):
+        prefix_old = config.return_values(ipv6_base + ['delegate-prefix'])
+        # delete old delegate prefix CLI nodes
+        config.delete(ipv6_base + ['delegate-prefix'])
+        # create ned delegation tag node
+        config.set(ipv6_base + ['delegate '])
+        config.set_tag(ipv6_base + ['delegate '])
+
+        for p in prefix_old:
+            prefix = p.split(',')[0]
+            mask = p.split(',')[1]
+            config.set(ipv6_base + ['delegate', prefix, 'mask'], value=mask)
+
     try:
         with open(file_name, 'w') as f:
             f.write(config.to_string())
-- 
cgit v1.2.3