From ed67750b94e8bc779ec0e2cf6d568a3f7292de13 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sat, 29 Jan 2022 13:18:28 +0100 Subject: firewall: T4218: Adds a prefix to all user defined chains --- data/templates/firewall/nftables.tmpl | 4 ++-- data/templates/zone_policy/nftables.tmpl | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) (limited to 'data') diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl index 33c821e84..468a5a32f 100644 --- a/data/templates/firewall/nftables.tmpl +++ b/data/templates/firewall/nftables.tmpl @@ -32,7 +32,7 @@ table ip filter { {% endif %} {% if name is defined %} {% for name_text, conf in name.items() %} - chain {{ name_text }} { + chain NAME_{{ name_text }} { {% if conf.rule is defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} {{ rule_conf | nft_rule(name_text, rule_id) }} @@ -82,7 +82,7 @@ table ip6 filter { {% endif %} {% if ipv6_name is defined %} {% for name_text, conf in ipv6_name.items() %} - chain {{ name_text }} { + chain NAME6_{{ name_text }} { {% if conf.rule is defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl index e59208a0d..093da6bd8 100644 --- a/data/templates/zone_policy/nftables.tmpl +++ b/data/templates/zone_policy/nftables.tmpl @@ -13,7 +13,7 @@ table ip filter { chain VZONE_{{ zone_name }}_IN { iifname lo counter return {% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -21,7 +21,7 @@ table ip filter { chain VZONE_{{ zone_name }}_OUT { oifname lo counter return {% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %} - oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }} + oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -34,7 +34,7 @@ table ip filter { {% endif %} {% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} {% if zone[from_zone].local_zone is not defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endif %} {% endfor %} @@ -50,7 +50,7 @@ table ip6 filter { chain VZONE6_{{ zone_name }}_IN { iifname lo counter return {% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -58,7 +58,7 @@ table ip6 filter { chain VZONE6_{{ zone_name }}_OUT { oifname lo counter return {% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %} - oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }} + oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -71,7 +71,7 @@ table ip6 filter { {% endif %} {% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} {% if zone[from_zone].local_zone is not defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endif %} {% endfor %} -- cgit v1.2.3 From d331da9949060870f0543ac841e533d73e02c079 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Wed, 2 Feb 2022 17:58:42 +0000 Subject: monitoring: T3872: Fix template input plugin for running services Add required capability for input scripts which collect statistics of running services --- data/templates/monitoring/override.conf.tmpl | 2 +- data/templates/monitoring/telegraf.tmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'data') diff --git a/data/templates/monitoring/override.conf.tmpl b/data/templates/monitoring/override.conf.tmpl index 63f6d7391..f8f150791 100644 --- a/data/templates/monitoring/override.conf.tmpl +++ b/data/templates/monitoring/override.conf.tmpl @@ -3,5 +3,5 @@ After=vyos-router.service ConditionPathExists=/run/telegraf/vyos-telegraf.conf [Service] Environment=INFLUX_TOKEN={{ authentication.token }} -CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN +CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl index f05396d91..465b58c80 100644 --- a/data/templates/monitoring/telegraf.tmpl +++ b/data/templates/monitoring/telegraf.tmpl @@ -53,7 +53,7 @@ [[inputs.exec]] commands = [ "{{ custom_scripts_dir }}/show_interfaces_input_filter.py", - "cat /tmp/vyos_services_input_filter" + "{{ custom_scripts_dir }}/vyos_services_input_filter.py" ] timeout = "10s" data_format = "influx" -- cgit v1.2.3 From 22f0794a9f195e69e277d48f031fe934febe9408 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 27 Jan 2022 16:58:36 +0100 Subject: firewall: T4209: Fix support for rule `recent` matches --- data/templates/firewall/nftables.tmpl | 22 ++++++++++++++++++++++ .../include/firewall/common-rule.xml.i | 19 +++++++++++++++---- python/vyos/firewall.py | 4 +--- src/conf_mode/firewall.py | 6 +++++- src/migration-scripts/firewall/6-to-7 | 20 ++++++++++++++++++++ 5 files changed, 63 insertions(+), 8 deletions(-) (limited to 'data') diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl index 468a5a32f..0cc977cf9 100644 --- a/data/templates/firewall/nftables.tmpl +++ b/data/templates/firewall/nftables.tmpl @@ -31,16 +31,27 @@ table ip filter { } {% endif %} {% if name is defined %} +{% set ns = namespace(sets=[]) %} {% for name_text, conf in name.items() %} chain NAME_{{ name_text }} { {% if conf.rule is defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} {{ rule_conf | nft_rule(name_text, rule_id) }} +{% if rule_conf.recent is defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} {% endfor %} {% endif %} {{ conf | nft_default_rule(name_text) }} } {% endfor %} +{% for set_name in ns.sets %} + set RECENT_{{ set_name }} { + type ipv4_addr + size 65535 + flags dynamic + } +{% endfor %} {% endif %} {% if state_policy is defined %} chain VYOS_STATE_POLICY { @@ -81,16 +92,27 @@ table ip6 filter { } {% endif %} {% if ipv6_name is defined %} +{% set ns = namespace(sets=[]) %} {% for name_text, conf in ipv6_name.items() %} chain NAME6_{{ name_text }} { {% if conf.rule is defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} +{% if rule_conf.recent is defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} {% endfor %} {% endif %} {{ conf | nft_default_rule(name_text) }} } {% endfor %} +{% for set_name in ns.sets %} + set RECENT6_{{ set_name }} { + type ipv6_addr + size 65535 + flags dynamic + } +{% endfor %} {% endif %} {% if state_policy is defined %} chain VYOS_STATE_POLICY6 { diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i index 521fe54f2..353804990 100644 --- a/interface-definitions/include/firewall/common-rule.xml.i +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -146,13 +146,24 @@ - Source addresses seen in the last N seconds + Source addresses seen in the last second/minute/hour + + second minute hour + - u32:0-4294967295 - Source addresses seen in the last N seconds + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour - + ^(second|minute|hour)$ diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index c1217b420..55ce318e7 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -181,9 +181,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'recent' in rule_conf: count = rule_conf['recent']['count'] time = rule_conf['recent']['time'] - # output.append(f'meter {fw_name}_{rule_id} {{ ip saddr and 255.255.255.255 limit rate over {count}/{time} burst {count} packets }}') - # Waiting on input from nftables developers due to - # bug with above line and atomic chain flushing. + output.append(f'add @RECENT{def_suffix}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}') if 'time' in rule_conf: output.append(parse_time(rule_conf['time'])) diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 9dec2143e..41df1b84a 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -278,6 +278,7 @@ def cleanup_rule(table, jump_chain): def cleanup_commands(firewall): commands = [] + commands_end = [] for table in ['ip filter', 'ip6 filter']: state_chain = 'VYOS_STATE_POLICY' if table == 'ip filter' else 'VYOS_STATE_POLICY6' json_str = cmd(f'nft -j list table {table}') @@ -308,7 +309,10 @@ def cleanup_commands(firewall): chain = rule['chain'] handle = rule['handle'] commands.append(f'delete rule {table} {chain} handle {handle}') - return commands + elif 'set' in item: + set_name = item['set']['name'] + commands_end.append(f'delete set {table} {set_name}') + return commands + commands_end def generate(firewall): if not os.path.exists(nftables_conf): diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7 index efc901530..5f4cff90d 100755 --- a/src/migration-scripts/firewall/6-to-7 +++ b/src/migration-scripts/firewall/6-to-7 @@ -104,6 +104,7 @@ if config.exists(base + ['name']): continue for rule in config.list_nodes(base + ['name', name, 'rule']): + rule_recent = base + ['name', name, 'rule', rule, 'recent'] rule_time = base + ['name', name, 'rule', rule, 'time'] rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags'] rule_icmp = base + ['name', name, 'rule', rule, 'icmp'] @@ -114,6 +115,15 @@ if config.exists(base + ['name']): if config.exists(rule_time + ['utc']): config.delete(rule_time + ['utc']) + if config.exists(rule_recent + ['time']): + tmp = int(config.return_value(rule_recent + ['time'])) + unit = 'minute' + if tmp > 600: + unit = 'hour' + elif tmp < 10: + unit = 'second' + config.set(rule_recent + ['time'], value=unit) + if config.exists(rule_tcp_flags): tmp = config.return_value(rule_tcp_flags) config.delete(rule_tcp_flags) @@ -148,6 +158,7 @@ if config.exists(base + ['ipv6-name']): continue for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): + rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent'] rule_time = base + ['ipv6-name', name, 'rule', rule, 'time'] rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags'] rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6'] @@ -158,6 +169,15 @@ if config.exists(base + ['ipv6-name']): if config.exists(rule_time + ['utc']): config.delete(rule_time + ['utc']) + if config.exists(rule_recent + ['time']): + tmp = int(config.return_value(rule_recent + ['time'])) + unit = 'minute' + if tmp > 600: + unit = 'hour' + elif tmp < 10: + unit = 'second' + config.set(rule_recent + ['time'], value=unit) + if config.exists(rule_tcp_flags): tmp = config.return_value(rule_tcp_flags) config.delete(rule_tcp_flags) -- cgit v1.2.3 From 20090e7df2cc74763e5917c3b97b2262fbd909fc Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 7 Feb 2022 11:40:22 +0000 Subject: dhcp: T3600: Fix DHCP static table dhcp-interface route Static table dhcp-interface route required table in template Without table this route will be placed to table 'main' by default --- data/templates/frr/static_routes_macro.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'data') diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2 index 3b432b49b..86c7470ca 100644 --- a/data/templates/frr/static_routes_macro.j2 +++ b/data/templates/frr/static_routes_macro.j2 @@ -5,7 +5,7 @@ {% if prefix_config.dhcp_interface is defined and prefix_config.dhcp_interface is not none %} {% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %} {% if next_hop is defined and next_hop is not none %} -{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ prefix_config.dhcp_interface }} +{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ prefix_config.dhcp_interface }} {{ 'table ' + table if table is defined and table is not none }} {% endif %} {% endif %} {% if prefix_config.interface is defined and prefix_config.interface is not none %} -- cgit v1.2.3 From 4ddfe9b7e72e4f1e1fc8e70c5239bf09644e6d9b Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Tue, 8 Feb 2022 08:38:12 +0000 Subject: monitoring: T3872: Add input filter for firewall InfluxDB2 Input filter for firewall allows to get bytes/counters from nftables in format, required for InfluxDB2 --- data/templates/monitoring/telegraf.tmpl | 3 +- .../custom_scripts/show_firewall_input_filter.py | 73 ++++++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-) create mode 100755 src/etc/telegraf/custom_scripts/show_firewall_input_filter.py (limited to 'data') diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl index 465b58c80..d3145a500 100644 --- a/data/templates/monitoring/telegraf.tmpl +++ b/data/templates/monitoring/telegraf.tmpl @@ -17,7 +17,7 @@ [[outputs.influxdb_v2]] urls = ["{{ url }}:{{ port }}"] insecure_skip_verify = true - token = "{{ authentication.token }}" + token = "$INFLUX_TOKEN" organization = "{{ authentication.organization }}" bucket = "{{ bucket }}" [[inputs.cpu]] @@ -52,6 +52,7 @@ syslog_standard = "RFC3164" [[inputs.exec]] commands = [ + "{{ custom_scripts_dir }}/show_firewall_input_filter.py", "{{ custom_scripts_dir }}/show_interfaces_input_filter.py", "{{ custom_scripts_dir }}/vyos_services_input_filter.py" ] diff --git a/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py b/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py new file mode 100755 index 000000000..bf4bfd05d --- /dev/null +++ b/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py @@ -0,0 +1,73 @@ +#!/usr/bin/env python3 + +import json +import re +import time + +from vyos.util import cmd + + +def get_nft_filter_chains(): + """ + Get list of nft chains for table filter + """ + nft = cmd('/usr/sbin/nft --json list table ip filter') + nft = json.loads(nft) + chain_list = [] + + for output in nft['nftables']: + if 'chain' in output: + chain = output['chain']['name'] + chain_list.append(chain) + + return chain_list + + +def get_nftables_details(name): + """ + Get dict, counters packets and bytes for chain + """ + command = f'/usr/sbin/nft list chain ip filter {name}' + try: + results = cmd(command) + except: + return {} + + # Trick to remove 'NAME_' from chain name in the comment + # It was added to any chain T4218 + # counter packets 0 bytes 0 return comment "FOO default-action accept" + comment_name = name.replace("NAME_", "") + out = {} + for line in results.split('\n'): + comment_search = re.search(rf'{comment_name}[\- ](\d+|default-action)', line) + if not comment_search: + continue + + rule = {} + rule_id = comment_search[1] + counter_search = re.search(r'counter packets (\d+) bytes (\d+)', line) + if counter_search: + rule['packets'] = counter_search[1] + rule['bytes'] = counter_search[2] + + rule['conditions'] = re.sub(r'(\b(counter packets \d+ bytes \d+|drop|reject|return|log)\b|comment "[\w\-]+")', '', line).strip() + out[rule_id] = rule + return out + + +def get_nft_telegraf(name): + """ + Get data for telegraf in influxDB format + """ + for rule, rule_config in get_nftables_details(name).items(): + print(f'nftables,table=filter,chain={name},' + f'ruleid={rule} ' + f'pkts={rule_config["packets"]}i,' + f'bytes={rule_config["bytes"]}i ' + f'{str(int(time.time()))}000000000') + + +chains = get_nft_filter_chains() + +for chain in chains: + get_nft_telegraf(chain) -- cgit v1.2.3 From 230ac0a202acd7ae9ad9bccb9e777ee5a0e0b7b7 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Wed, 9 Feb 2022 16:07:55 +0000 Subject: openvpn: T3686: Fix for check local-address in script and tmpl Local-address should be checked/executed only if it exists in the openvpn configuration, dictionary, jinja2 template --- data/templates/openvpn/server.conf.tmpl | 10 ++++++---- src/conf_mode/interfaces-openvpn.py | 13 +++++++------ 2 files changed, 13 insertions(+), 10 deletions(-) (limited to 'data') diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index 7a0470d0e..fb7ad9e16 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -141,11 +141,13 @@ ping {{ keep_alive.interval }} ping-restart {{ keep_alive.failure_count }} {% if device_type == 'tap' %} -{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} -{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %} +{% if local_address is defined and local_address is not none %} +{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} +{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %} ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} +{% endif %} {% else %} {% for laddr in local_address if laddr | is_ipv4 %} {% for raddr in remote_address if raddr | is_ipv4 %} diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 3b8fae710..242fae9fb 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2021 VyOS maintainers and contributors +# Copyright (C) 2019-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -225,11 +225,12 @@ def verify(openvpn): if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn: raise ConfigError('Must specify "local-address" or add interface to bridge') - if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1: - raise ConfigError('Only one IPv4 local-address can be specified') + if 'local_address' in openvpn: + if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1: + raise ConfigError('Only one IPv4 local-address can be specified') - if len([addr for addr in openvpn['local_address'] if is_ipv6(addr)]) > 1: - raise ConfigError('Only one IPv6 local-address can be specified') + if len([addr for addr in openvpn['local_address'] if is_ipv6(addr)]) > 1: + raise ConfigError('Only one IPv6 local-address can be specified') if openvpn['device_type'] == 'tun': if 'remote_address' not in openvpn: @@ -268,7 +269,7 @@ def verify(openvpn): if dict_search('remote_host', openvpn) in dict_search('remote_address', openvpn): raise ConfigError('"remote-address" and "remote-host" can not be the same') - if openvpn['device_type'] == 'tap': + if openvpn['device_type'] == 'tap' and 'local_address' in openvpn: # we can only have one local_address, this is ensured above v4addr = None for laddr in openvpn['local_address']: -- cgit v1.2.3 From 5fc9ef9e31eb566a601f8a150c69b183a4331564 Mon Sep 17 00:00:00 2001 From: fett0 Date: Fri, 18 Feb 2022 21:08:21 +0000 Subject: DHCP : T4258: Set correct port for dhcp-failover --- data/templates/dhcp-server/dhcpd.conf.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'data') diff --git a/data/templates/dhcp-server/dhcpd.conf.tmpl b/data/templates/dhcp-server/dhcpd.conf.tmpl index da2f28ced..dbd864b5e 100644 --- a/data/templates/dhcp-server/dhcpd.conf.tmpl +++ b/data/templates/dhcp-server/dhcpd.conf.tmpl @@ -42,9 +42,9 @@ failover peer "{{ failover.name }}" { secondary; {% endif %} address {{ failover.source_address }}; - port 520; + port 647; peer address {{ failover.remote }}; - peer port 520; + peer port 647; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; -- cgit v1.2.3 From f6c2b5e4762e7713c5868bebf8e482ce732e3302 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 17 Feb 2022 21:18:37 +0000 Subject: vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options Ability to set Cisco FlexVPN vendor ID payload: charon.cisco_flexvpn charon.install_virtual_ip_on swanctl.connections..vips = x.x.x.x, z.z.z.z set vpn ipsec options flexvpn set vpn ipsec options virtual-ip set vpn ipsec options interface tunX set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x --- data/templates/ipsec/charon.tmpl | 11 +++++ data/templates/ipsec/swanctl/peer.tmpl | 3 ++ interface-definitions/vpn_ipsec.xml.in | 27 +++++++++++++ smoketest/scripts/cli/test_vpn_ipsec.py | 71 +++++++++++++++++++++++++++++++++ 4 files changed, 112 insertions(+) (limited to 'data') diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.tmpl index 4d710921e..b9b020dcd 100644 --- a/data/templates/ipsec/charon.tmpl +++ b/data/templates/ipsec/charon.tmpl @@ -20,6 +20,17 @@ charon { # Send Cisco Unity vendor ID payload (IKEv1 only). # cisco_unity = no + # Cisco FlexVPN +{% if options is defined %} + cisco_flexvpn = {{ 'yes' if options.flexvpn is defined else 'no' }} +{% if options.virtual_ip is defined %} + install_virtual_ip = yes +{% endif %} +{% if options.interface is defined and options.interface is not none %} + install_virtual_ip_on = {{ options.interface }} +{% endif %} +{% endif %} + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. # close_ike_on_child_failure = no diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index c6b71f2a1..f4e28d818 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -5,6 +5,9 @@ peer_{{ name }} { proposals = {{ ike | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} +{% if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %} + vips = {{ peer_conf.virtual_address | join(', ') }} +{% endif %} local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} {% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index afa3d52a0..f7297a6e2 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -622,6 +622,19 @@ + + + Allow FlexVPN vendor ID payload (IKEv2 only) + + + + #include + + + Allow install virtual-ip addresses + + + @@ -1087,6 +1100,20 @@ + + + Initiator request virtual-address from peer + + ipv4 + Request IPv4 address from peer + + + ipv6 + Request IPv6 address from peer + + + + Virtual tunnel interface [REQUIRED] diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 1433c7329..2c3e55a57 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -28,6 +28,7 @@ vti_path = ['interfaces', 'vti'] nhrp_path = ['protocols', 'nhrp'] base_path = ['vpn', 'ipsec'] +charon_file = '/etc/strongswan.d/charon.conf' dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting' swanctl_file = '/etc/swanctl/swanctl.conf' @@ -416,5 +417,75 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): # There is only one VTI test so no need to delete this globally in tearDown() self.cli_delete(vti_path) + + def test_06_flex_vpn_vips(self): + local_address = '192.0.2.5' + local_id = 'vyos-r1' + remote_id = 'vyos-r2' + peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + + self.cli_set(tunnel_path + ['tun1', 'encapsulation', 'gre']) + self.cli_set(tunnel_path + ['tun1', 'source-address', local_address]) + + self.cli_set(base_path + ['interface', interface]) + self.cli_set(base_path + ['options', 'flexvpn']) + self.cli_set(base_path + ['options', 'interface', 'tun1']) + self.cli_set(base_path + ['ike-group', ike_group, 'ikev2-reauth', 'no']) + self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) + + self.cli_set(peer_base_path + ['authentication', 'id', local_id]) + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) + self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) + self.cli_set(peer_base_path + ['authentication', 'remote-id', remote_id]) + self.cli_set(peer_base_path + ['connection-type', 'initiate']) + self.cli_set(peer_base_path + ['ike-group', ike_group]) + self.cli_set(peer_base_path + ['default-esp-group', esp_group]) + self.cli_set(peer_base_path + ['local-address', local_address]) + self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'gre']) + + self.cli_set(peer_base_path + ['virtual-address', '203.0.113.55']) + self.cli_set(peer_base_path + ['virtual-address', '203.0.113.56']) + + self.cli_commit() + + # Verify strongSwan configuration + swanctl_conf = read_file(swanctl_file) + swanctl_conf_lines = [ + f'version = 2', + f'vips = 203.0.113.55, 203.0.113.56', + f'life_time = 3600s', # default value + f'local_addrs = {local_address} # dhcp:no', + f'remote_addrs = {peer_ip}', + f'peer_{peer_ip.replace(".","-")}_tunnel_1', + f'mode = tunnel', + ] + + for line in swanctl_conf_lines: + self.assertIn(line, swanctl_conf) + + swanctl_secrets_lines = [ + f'id-local = {local_address} # dhcp:no', + f'id-remote = {peer_ip}', + f'id-localid = {local_id}', + f'id-remoteid = {remote_id}', + f'secret = "{secret}"', + ] + + for line in swanctl_secrets_lines: + self.assertIn(line, swanctl_conf) + + # Verify charon configuration + charon_conf = read_file(charon_file) + charon_conf_lines = [ + f'# Cisco FlexVPN', + f'cisco_flexvpn = yes', + f'install_virtual_ip = yes', + f'install_virtual_ip_on = tun1', + ] + + for line in charon_conf_lines: + self.assertIn(line, charon_conf) + + if __name__ == '__main__': unittest.main(verbosity=2) -- cgit v1.2.3 From b693f929b63c0c847d9a3c6ee9160845ef501be1 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 20 Feb 2022 10:40:38 +0100 Subject: static: T4203: obey interface dhcp default route distance Commit 05aa22dc ("protocols: static: T3680: do not delete DHCP received routes") added a bug whenever a static route is modified - the DHCP interface will always end up with metric 210 - if there was a default route over a DHCP interface. --- data/templates/frr/staticd.frr.tmpl | 4 +- .../include/interface/dhcp-options.xml.i | 3 +- python/vyos/configdict.py | 54 ++++++++++++++++++---- 3 files changed, 48 insertions(+), 13 deletions(-) (limited to 'data') diff --git a/data/templates/frr/staticd.frr.tmpl b/data/templates/frr/staticd.frr.tmpl index bfe959c1d..5d833228a 100644 --- a/data/templates/frr/staticd.frr.tmpl +++ b/data/templates/frr/staticd.frr.tmpl @@ -17,10 +17,10 @@ vrf {{ vrf }} {% endif %} {# IPv4 default routes from DHCP interfaces #} {% if dhcp is defined and dhcp is not none %} -{% for interface in dhcp %} +{% for interface, interface_config in dhcp.items() %} {% set next_hop = interface | get_dhcp_router %} {% if next_hop is defined and next_hop is not none %} -{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 210 +{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.distance }} {% endif %} {% endfor %} {% endif %} diff --git a/interface-definitions/include/interface/dhcp-options.xml.i b/interface-definitions/include/interface/dhcp-options.xml.i index b65b0802a..f62b06640 100644 --- a/interface-definitions/include/interface/dhcp-options.xml.i +++ b/interface-definitions/include/interface/dhcp-options.xml.i @@ -30,12 +30,13 @@ Distance for the default route from DHCP server u32:1-255 - Distance for the default route from DHCP server (default 210) + Distance for the default route from DHCP server (default: 210) + 210 diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index efeb6dc1f..f2ec93520 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -319,34 +319,42 @@ def is_source_interface(conf, interface, intftype=None): def get_dhcp_interfaces(conf, vrf=None): """ Common helper functions to retrieve all interfaces from current CLI sessions that have DHCP configured. """ - dhcp_interfaces = [] + dhcp_interfaces = {} dict = conf.get_config_dict(['interfaces'], get_first_key=True) if not dict: return dhcp_interfaces def check_dhcp(config, ifname): - out = [] + tmp = {} if 'address' in config and 'dhcp' in config['address']: + options = {} + if 'dhcp_options' in config and 'default_route_distance' in config['dhcp_options']: + options.update({'distance' : config['dhcp_options']['default_route_distance']}) if 'vrf' in config: - if vrf is config['vrf']: out.append(ifname) - else: out.append(ifname) - return out + if vrf is config['vrf']: tmp.update({ifname : options}) + else: tmp.update({ifname : options}) + return tmp for section, interface in dict.items(): - for ifname, ifconfig in interface.items(): + for ifname in interface: + # we already have a dict representation of the config from get_config_dict(), + # but with the extended information from get_interface_dict() we also + # get the DHCP client default-route-distance default option if not specified. + ifconfig = get_interface_dict(conf, ['interfaces', section], ifname) + tmp = check_dhcp(ifconfig, ifname) - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) # check per VLAN interfaces for vif, vif_config in ifconfig.get('vif', {}).items(): tmp = check_dhcp(vif_config, f'{ifname}.{vif}') - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) # check QinQ VLAN interfaces for vif_s, vif_s_config in ifconfig.get('vif-s', {}).items(): tmp = check_dhcp(vif_s_config, f'{ifname}.{vif_s}') - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) for vif_c, vif_c_config in vif_s_config.get('vif-c', {}).items(): tmp = check_dhcp(vif_c_config, f'{ifname}.{vif_s}.{vif_c}') - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) return dhcp_interfaces @@ -405,6 +413,12 @@ def get_interface_dict(config, base, ifname=''): if 'deleted' not in dict: dict = dict_merge(default_values, dict) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict or 'dhcp' not in dict['address']: + if 'dhcp_options' in dict: + del dict['dhcp_options'] + # XXX: T2665: blend in proper DHCPv6-PD default values dict = T2665_set_dhcpv6pd_defaults(dict) @@ -475,6 +489,12 @@ def get_interface_dict(config, base, ifname=''): # XXX: T2665: blend in proper DHCPv6-PD default values dict['vif'][vif] = T2665_set_dhcpv6pd_defaults(dict['vif'][vif]) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict['vif'][vif] or 'dhcp' not in dict['vif'][vif]['address']: + if 'dhcp_options' in dict['vif'][vif]: + del dict['vif'][vif]['dhcp_options'] + # Check if we are a member of a bridge device bridge = is_member(config, f'{ifname}.{vif}', 'bridge') if bridge: dict['vif'][vif].update({'is_bridge_member' : bridge}) @@ -509,6 +529,13 @@ def get_interface_dict(config, base, ifname=''): # XXX: T2665: blend in proper DHCPv6-PD default values dict['vif_s'][vif_s] = T2665_set_dhcpv6pd_defaults(dict['vif_s'][vif_s]) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict['vif_s'][vif_s] or 'dhcp' not in \ + dict['vif_s'][vif_s]['address']: + if 'dhcp_options' in dict['vif_s'][vif_s]: + del dict['vif_s'][vif_s]['dhcp_options'] + # Check if we are a member of a bridge device bridge = is_member(config, f'{ifname}.{vif_s}', 'bridge') if bridge: dict['vif_s'][vif_s].update({'is_bridge_member' : bridge}) @@ -543,6 +570,13 @@ def get_interface_dict(config, base, ifname=''): dict['vif_s'][vif_s]['vif_c'][vif_c] = T2665_set_dhcpv6pd_defaults( dict['vif_s'][vif_s]['vif_c'][vif_c]) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict['vif_s'][vif_s]['vif_c'][vif_c] or 'dhcp' \ + not in dict['vif_s'][vif_s]['vif_c'][vif_c]['address']: + if 'dhcp_options' in dict['vif_s'][vif_s]['vif_c'][vif_c]: + del dict['vif_s'][vif_s]['vif_c'][vif_c]['dhcp_options'] + # Check if we are a member of a bridge device bridge = is_member(config, f'{ifname}.{vif_s}.{vif_c}', 'bridge') if bridge: dict['vif_s'][vif_s]['vif_c'][vif_c].update( -- cgit v1.2.3 From 6bf5a0b0dd489a480dce6030e1c61d29e77fa107 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Sun, 20 Feb 2022 18:30:44 +0000 Subject: ipsec: T1856: Ability to set SA life bytes and packets set vpn ipsec esp-group grp-ESP life-bytes '100000' set vpn ipsec esp-group grp-ESP life-packets '2000000' --- data/templates/ipsec/swanctl/peer.tmpl | 12 ++++++++++++ interface-definitions/vpn_ipsec.xml.in | 24 ++++++++++++++++++++++++ smoketest/scripts/cli/test_vpn_ipsec.py | 7 +++++++ 3 files changed, 43 insertions(+) (limited to 'data') diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index c6b71f2a1..481ea7224 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -57,6 +57,12 @@ {% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %} peer_{{ name }}_vti { esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if vti_esp.life_bytes is defined and vti_esp.life_bytes is not none %} + life_bytes = {{ vti_esp.life_bytes }} +{% endif %} +{% if vti_esp.life_packets is defined and vti_esp.life_packets is not none %} + life_packets = {{ vti_esp.life_packets }} +{% endif %} life_time = {{ vti_esp.lifetime }}s local_ts = 0.0.0.0/0,::/0 remote_ts = 0.0.0.0/0,::/0 @@ -91,6 +97,12 @@ {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} peer_{{ name }}_tunnel_{{ tunnel_id }} { esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if tunnel_esp.life_bytes is defined and tunnel_esp.life_bytes is not none %} + life_bytes = {{ tunnel_esp.life_bytes }} +{% endif %} +{% if tunnel_esp.life_packets is defined and tunnel_esp.life_packets is not none %} + life_packets = {{ tunnel_esp.life_packets }} +{% endif %} life_time = {{ tunnel_esp.lifetime }}s {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} {% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index afa3d52a0..af92eec31 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -55,6 +55,30 @@ 3600 + + + ESP life in bytes + + u32:1024-26843545600000 + ESP life in bytes + + + + + + + + + ESP life in packets + + u32:1000-26843545600000 + ESP life in packets + + + + + + ESP mode diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 1433c7329..14079c905 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -171,8 +171,13 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): # Site to site local_address = '192.0.2.10' priority = '20' + life_bytes = '100000' + life_packets = '2000000' peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + self.cli_set(base_path + ['esp-group', esp_group, 'life-bytes', life_bytes]) + self.cli_set(base_path + ['esp-group', esp_group, 'life-packets', life_packets]) + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) self.cli_set(peer_base_path + ['ike-group', ike_group]) @@ -197,6 +202,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): swanctl_conf_lines = [ f'version = 2', f'auth = psk', + f'life_bytes = {life_bytes}', + f'life_packets = {life_packets}', f'rekey_time = 28800s', # default value f'proposals = aes128-sha1-modp1024', f'esp_proposals = aes128-sha1-modp1024', -- cgit v1.2.3 From 4ec6262629393bd8a88951970c367a5cc3d57a42 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Sun, 20 Feb 2022 20:32:06 +0000 Subject: ipsec: T3948: Add CLI site-to-site peer connection-type none set vpn ipsec site-to-site peer 192.0.2.14 connection-type none --- data/templates/ipsec/swanctl/peer.tmpl | 4 ++++ interface-definitions/vpn_ipsec.xml.in | 8 ++++++-- smoketest/scripts/cli/test_vpn_ipsec.py | 2 ++ 3 files changed, 12 insertions(+), 2 deletions(-) (limited to 'data') diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index f4e28d818..673dc3375 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -77,6 +77,8 @@ start_action = start {% elif peer_conf.connection_type == 'respond' %} start_action = trap +{% elif peer_conf.connection_type == 'none' %} + start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} @@ -119,6 +121,8 @@ start_action = start {% elif peer_conf.connection_type == 'respond' %} start_action = trap +{% elif peer_conf.connection_type == 'none' %} + start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index f7297a6e2..7b5074112 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -978,7 +978,7 @@ Connection type - initiate respond + initiate respond none initiate @@ -988,8 +988,12 @@ respond Bring the connection up only if traffic is detected + + none + Load the connection only + - ^(initiate|respond)$ + ^(initiate|respond|none)$ diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 2c3e55a57..699d854bb 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -238,6 +238,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) + self.cli_set(peer_base_path + ['connection-type', 'none']) self.cli_set(peer_base_path + ['ike-group', ike_group]) self.cli_set(peer_base_path + ['default-esp-group', esp_group]) self.cli_set(peer_base_path + ['local-address', local_address]) @@ -266,6 +267,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'mode = tunnel', f'local_ts = 172.16.10.0/24,172.16.11.0/24', f'remote_ts = 172.17.10.0/24,172.17.11.0/24', + f'start_action = none', f'if_id_in = {if_id}', # will be 11 for vti10 - shifted by one f'if_id_out = {if_id}', f'updown = "/etc/ipsec.d/vti-up-down {vti}"' -- cgit v1.2.3 From 0daf168d3d7583984431de2ef97682ff4c986f74 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Feb 2022 22:30:34 +0100 Subject: zone-policy: T2199: bugfix defaultValue usage Instead of hardcoding the default behavior inside the Jinaj2 template, all defaults are required to be specified inside teh XML definition. This is required to automatically render the appropriate CLI tab completion commands. --- data/templates/zone_policy/nftables.tmpl | 12 ++++++------ interface-definitions/zone-policy.xml.in | 1 + src/conf_mode/zone_policy.py | 24 ++++++++++++++++++------ 3 files changed, 25 insertions(+), 12 deletions(-) (limited to 'data') diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl index 093da6bd8..4a6bd2772 100644 --- a/data/templates/zone_policy/nftables.tmpl +++ b/data/templates/zone_policy/nftables.tmpl @@ -16,7 +16,7 @@ table ip filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } chain VZONE_{{ zone_name }}_OUT { oifname lo counter return @@ -24,7 +24,7 @@ table ip filter { oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% else %} chain VZONE_{{ zone_name }} { @@ -38,7 +38,7 @@ table ip filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endif %} {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% endif %} {% endfor %} @@ -53,7 +53,7 @@ table ip6 filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } chain VZONE6_{{ zone_name }}_OUT { oifname lo counter return @@ -61,7 +61,7 @@ table ip6 filter { oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% else %} chain VZONE6_{{ zone_name }} { @@ -75,7 +75,7 @@ table ip6 filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endif %} {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% endif %} {% endfor %} diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in index b898c3ecd..eac63fa6b 100644 --- a/interface-definitions/zone-policy.xml.in +++ b/interface-definitions/zone-policy.xml.in @@ -37,6 +37,7 @@ ^(drop|reject)$ + drop diff --git a/src/conf_mode/zone_policy.py b/src/conf_mode/zone_policy.py index 683f8f034..dc0617353 100755 --- a/src/conf_mode/zone_policy.py +++ b/src/conf_mode/zone_policy.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -20,10 +20,12 @@ from json import loads from sys import exit from vyos.config import Config +from vyos.configdict import dict_merge from vyos.template import render from vyos.util import cmd from vyos.util import dict_search_args from vyos.util import run +from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -36,12 +38,22 @@ def get_config(config=None): else: conf = Config() base = ['zone-policy'] - zone_policy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) + zone_policy = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) - if zone_policy: - zone_policy['firewall'] = conf.get_config_dict(['firewall'], key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) + zone_policy['firewall'] = conf.get_config_dict(['firewall'], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + if 'zone' in zone_policy: + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base + ['zone']) + for zone in zone_policy['zone']: + zone_policy['zone'][zone] = dict_merge(default_values, + zone_policy['zone'][zone]) return zone_policy -- cgit v1.2.3 From 291558023bbd1bdbef6e00c4eec173cf5c9575d8 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 26 Feb 2022 16:30:10 +0100 Subject: lldp: T4272: migrate to get_config_dict() --- data/templates/lldp/lldpd.tmpl | 3 +- data/templates/lldp/vyos.conf.tmpl | 35 +++--- interface-definitions/lldp.xml.in | 22 ++-- src/conf_mode/lldp.py | 235 ++++++++++--------------------------- 4 files changed, 94 insertions(+), 201 deletions(-) (limited to 'data') diff --git a/data/templates/lldp/lldpd.tmpl b/data/templates/lldp/lldpd.tmpl index 3db955b48..819e70c84 100644 --- a/data/templates/lldp/lldpd.tmpl +++ b/data/templates/lldp/lldpd.tmpl @@ -1,3 +1,2 @@ ### Autogenerated by lldp.py ### -DAEMON_ARGS="-M 4{% if options.snmp %} -x{% endif %}{% if options.cdp %} -c{% endif %}{% if options.edp %} -e{% endif %}{% if options.fdp %} -f{% endif %}{% if options.sonmp %} -s{% endif %}" - +DAEMON_ARGS="-M 4{% if snmp is defined and snmp.enable is defined %} -x{% endif %}{% if legacy_protocols is defined and legacy_protocols.cdp is defined %} -c{% endif %}{% if legacy_protocols is defined and legacy_protocols.edp is defined %} -e{% endif %}{% if legacy_protocols is defined and legacy_protocols.fdp is defined %} -f{% endif %}{% if legacy_protocols is defined and legacy_protocols.sonmp is defined %} -s{% endif %}" diff --git a/data/templates/lldp/vyos.conf.tmpl b/data/templates/lldp/vyos.conf.tmpl index 07bbaf604..592dcf61f 100644 --- a/data/templates/lldp/vyos.conf.tmpl +++ b/data/templates/lldp/vyos.conf.tmpl @@ -1,20 +1,25 @@ ### Autogenerated by lldp.py ### configure system platform VyOS -configure system description "VyOS {{ options.description }}" -{% if options.listen_on %} -configure system interface pattern "{{ ( options.listen_on | select('equalto','all') | map('replace','all','*') | list + options.listen_on | select('equalto','!all') | map('replace','!all','!*') | list + options.listen_on | reject('equalto','all') | reject('equalto','!all') | list ) | unique | join(",") }}" +configure system description "VyOS {{ version }}" +{% if interface is defined and interface is not none %} +{% set tmp = [] %} +{% for iface, iface_options in interface.items() if not iface_options.disable %} +{% if iface == 'all' %} +{% set iface = '*' %} +{% endif %} +{% set _ = tmp.append(iface) %} +{% if iface_options.location is defined and iface_options.location is not none %} +{% if iface_options.location.elin is defined and iface_options.location.elin is not none %} +configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}" +{% endif %} +{% if iface_options.location is defined and iface_options.location.coordinate_based is not none and iface_options.location.coordinate_based is not none %} +configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}" +{% endif %} +{% endif %} +{% endfor %} +configure system interface pattern "{{ tmp | join(",") }}" {% endif %} -{% if options.mgmt_addr %} -configure system ip management pattern {{ options.mgmt_addr | join(",") }} +{% if management_address is defined and management_address is not none %} +configure system ip management pattern {{ management_address | join(",") }} {% endif %} -{% for loc in location %} -{% if loc.elin %} -configure ports {{ loc.name }} med location elin "{{ loc.elin }}" -{% endif %} -{% if loc.coordinate_based %} -configure ports {{ loc.name }} med location coordinate {% if loc.coordinate_based.latitude %}latitude {{ loc.coordinate_based.latitude }}{% endif %} {% if loc.coordinate_based.longitude %}longitude {{ loc.coordinate_based.longitude }}{% endif %} {% if loc.coordinate_based.altitude %}altitude {{ loc.coordinate_based.altitude }} m{% endif %} {% if loc.coordinate_based.datum %}datum {{ loc.coordinate_based.datum }}{% endif %} -{% endif %} - - -{% endfor %} diff --git a/interface-definitions/lldp.xml.in b/interface-definitions/lldp.xml.in index 32ef0ad14..b9ffe234c 100644 --- a/interface-definitions/lldp.xml.in +++ b/interface-definitions/lldp.xml.in @@ -28,7 +28,7 @@ #include - LLDP-MED location data [REQUIRED] + LLDP-MED location data @@ -39,6 +39,10 @@ Altitude in meters + + 0 + No altitude + [+-]<meters> Altitude in meters @@ -48,13 +52,14 @@ + 0 Coordinate datum type WGS84 - WGS84 (default) + WGS84 NAD83 @@ -69,33 +74,34 @@ Datum should be WGS84, NAD83, or MLLW - ^(WGS84|NAD83|MLLW)$ + (WGS84|NAD83|MLLW) + WGS84 - Latitude [REQUIRED] + Latitude <latitude> Latitude (example "37.524449N") Latitude should be a number followed by S or N - (\d+)(\.\d+)?[nNsS]$ + (\d+)(\.\d+)?[nNsS] - Longitude [REQUIRED] + Longitude <longitude> Longitude (example "122.267255W") Longiture should be a number followed by E or W - (\d+)(\.\d+)?[eEwW]$ + (\d+)(\.\d+)?[eEwW] @@ -109,7 +115,7 @@ Emergency Call Service ELIN number (between 10-25 numbers) - [0-9]{10,25}$ + [0-9]{10,25} ELIN number must be between 10-25 numbers diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py index 082c3e128..db8328259 100755 --- a/src/conf_mode/lldp.py +++ b/src/conf_mode/lldp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2017-2020 VyOS maintainers and contributors +# Copyright (C) 2017-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -15,19 +15,19 @@ # along with this program. If not, see . import os -import re -from copy import deepcopy from sys import exit from vyos.config import Config +from vyos.configdict import dict_merge from vyos.validate import is_addr_assigned from vyos.validate import is_loopback_addr from vyos.version import get_version_data -from vyos import ConfigError from vyos.util import call +from vyos.util import dict_search +from vyos.xml import defaults from vyos.template import render - +from vyos import ConfigError from vyos import airbag airbag.enable() @@ -35,178 +35,73 @@ config_file = "/etc/default/lldpd" vyos_config_file = "/etc/lldpd.d/01-vyos.conf" base = ['service', 'lldp'] -default_config_data = { - "options": '', - "interface_list": '', - "location": '' -} - -def get_options(config): - options = {} - config.set_level(base) - - options['listen_vlan'] = config.exists('listen-vlan') - options['mgmt_addr'] = [] - for addr in config.return_values('management-address'): - if is_addr_assigned(addr) and not is_loopback_addr(addr): - options['mgmt_addr'].append(addr) - else: - message = 'WARNING: LLDP management address {0} invalid - '.format(addr) - if is_loopback_addr(addr): - message += '(loopback address).' - else: - message += 'address not found.' - print(message) - - snmp = config.exists('snmp enable') - options["snmp"] = snmp - if snmp: - config.set_level('') - options["sys_snmp"] = config.exists('service snmp') - config.set_level(base) - - config.set_level(base + ['legacy-protocols']) - options['cdp'] = config.exists('cdp') - options['edp'] = config.exists('edp') - options['fdp'] = config.exists('fdp') - options['sonmp'] = config.exists('sonmp') - - # start with an unknown version information - version_data = get_version_data() - options['description'] = version_data['version'] - options['listen_on'] = [] - - return options - -def get_interface_list(config): - config.set_level(base) - intfs_names = config.list_nodes(['interface']) - if len(intfs_names) < 0: - return 0 - - interface_list = [] - for name in intfs_names: - config.set_level(base + ['interface', name]) - disable = config.exists(['disable']) - intf = { - 'name': name, - 'disable': disable - } - interface_list.append(intf) - return interface_list - - -def get_location_intf(config, name): - path = base + ['interface', name] - config.set_level(path) - - config.set_level(path + ['location']) - elin = '' - coordinate_based = {} - - if config.exists('elin'): - elin = config.return_value('elin') - - if config.exists('coordinate-based'): - config.set_level(path + ['location', 'coordinate-based']) - - coordinate_based['latitude'] = config.return_value(['latitude']) - coordinate_based['longitude'] = config.return_value(['longitude']) - - coordinate_based['altitude'] = '0' - if config.exists(['altitude']): - coordinate_based['altitude'] = config.return_value(['altitude']) - - coordinate_based['datum'] = 'WGS84' - if config.exists(['datum']): - coordinate_based['datum'] = config.return_value(['datum']) - - intf = { - 'name': name, - 'elin': elin, - 'coordinate_based': coordinate_based - - } - return intf - - -def get_location(config): - config.set_level(base) - intfs_names = config.list_nodes(['interface']) - if len(intfs_names) < 0: - return 0 - - if config.exists('disable'): - return 0 - - intfs_location = [] - for name in intfs_names: - intf = get_location_intf(config, name) - intfs_location.append(intf) - - return intfs_location - - def get_config(config=None): - lldp = deepcopy(default_config_data) if config: conf = config else: conf = Config() + if not conf.exists(base): - return None - else: - lldp['options'] = get_options(conf) - lldp['interface_list'] = get_interface_list(conf) - lldp['location'] = get_location(conf) + return {} - return lldp + lldp = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + if conf.exists(['service', 'snmp']): + lldp['system_snmp_enabled'] = '' + + version_data = get_version_data() + lldp['version'] = version_data['version'] + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + # location coordinates have a default value + if 'interface' in lldp: + for interface, interface_config in lldp['interface'].items(): + default_values = defaults(base + ['interface']) + if dict_search('location.coordinate_based', interface_config) == None: + # no location specified - no need to add defaults + del default_values['location']['coordinate_based']['datum'] + del default_values['location']['coordinate_based']['altitude'] + + # cleanup default_values dictionary from inner to outer + # this might feel overkill here, but it does support easy extension + # in the future with additional default values + if len(default_values['location']['coordinate_based']) == 0: + del default_values['location']['coordinate_based'] + if len(default_values['location']) == 0: + del default_values['location'] + + lldp['interface'][interface] = dict_merge(default_values, + lldp['interface'][interface]) + + return lldp def verify(lldp): # bail out early - looks like removal from running config if lldp is None: return - # check location - for location in lldp['location']: - # check coordinate-based - if len(location['coordinate_based']) > 0: - # check longitude and latitude - if not location['coordinate_based']['longitude']: - raise ConfigError('Must define longitude for interface {0}'.format(location['name'])) - - if not location['coordinate_based']['latitude']: - raise ConfigError('Must define latitude for interface {0}'.format(location['name'])) - - if not re.match(r'^(\d+)(\.\d+)?[nNsS]$', location['coordinate_based']['latitude']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'latitude should be a number followed by S or N'.format(location['name'])) - - if not re.match(r'^(\d+)(\.\d+)?[eEwW]$', location['coordinate_based']['longitude']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'longitude should be a number followed by E or W'.format(location['name'])) - - # check altitude and datum if exist - if location['coordinate_based']['altitude']: - if not re.match(r'^[-+0-9\.]+$', location['coordinate_based']['altitude']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'altitude should be a positive or negative number'.format(location['name'])) - - if location['coordinate_based']['datum']: - if not re.match(r'^(WGS84|NAD83|MLLW)$', location['coordinate_based']['datum']): - raise ConfigError("Invalid location for interface {0}:\n' \ - 'datum should be WGS84, NAD83, or MLLW".format(location['name'])) - - # check elin - elif location['elin']: - if not re.match(r'^[0-9]{10,25}$', location['elin']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'ELIN number must be between 10-25 numbers'.format(location['name'])) + if 'management_address' in lldp: + for address in lldp['management_address']: + message = f'WARNING: LLDP management address "{address}" is invalid' + if is_loopback_addr(address): + print(f'{message} - loopback address') + elif not is_addr_assigned(address): + print(f'{message} - not assigned to any interface') + + if 'interface' in lldp: + for interface, interface_config in lldp['interface'].items(): + # bail out early if no location info present in interface config + if 'location' not in interface_config: + continue + if 'coordinate_based' in interface_config['location']: + if not {'latitude', 'latitude'} <= set(interface_config['location']['coordinate_based']): + raise ConfigError(f'Must define both longitude and latitude for "{interface}" location!') # check options - if lldp['options']['snmp']: - if not lldp['options']['sys_snmp']: + if 'snmp' in lldp and 'enable' in lldp['snmp']: + if 'system_snmp_enabled' not in lldp: raise ConfigError('SNMP must be configured to enable LLDP SNMP') @@ -215,29 +110,17 @@ def generate(lldp): if lldp is None: return - # generate listen on interfaces - for intf in lldp['interface_list']: - tmp = '' - # add exclamation mark if interface is disabled - if intf['disable']: - tmp = '!' - - tmp += intf['name'] - lldp['options']['listen_on'].append(tmp) - - # generate /etc/default/lldpd render(config_file, 'lldp/lldpd.tmpl', lldp) - # generate /etc/lldpd.d/01-vyos.conf render(vyos_config_file, 'lldp/vyos.conf.tmpl', lldp) - def apply(lldp): + systemd_service = 'lldpd.service' if lldp: # start/restart lldp service - call('systemctl restart lldpd.service') + call(f'systemctl restart {systemd_service}') else: # LLDP service has been terminated - call('systemctl stop lldpd.service') + call(f'systemctl stop {systemd_service}') if os.path.isfile(config_file): os.unlink(config_file) if os.path.isfile(vyos_config_file): -- cgit v1.2.3 From 17602c2d63aacc972d4e2f6f21aeeded243d4fa1 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 26 Feb 2022 23:06:37 +0100 Subject: lldp: T4272: minor bugfix in Jinja2 template for location --- data/templates/lldp/vyos.conf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'data') diff --git a/data/templates/lldp/vyos.conf.tmpl b/data/templates/lldp/vyos.conf.tmpl index 592dcf61f..14395a223 100644 --- a/data/templates/lldp/vyos.conf.tmpl +++ b/data/templates/lldp/vyos.conf.tmpl @@ -13,7 +13,7 @@ configure system description "VyOS {{ version }}" {% if iface_options.location.elin is defined and iface_options.location.elin is not none %} configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}" {% endif %} -{% if iface_options.location is defined and iface_options.location.coordinate_based is not none and iface_options.location.coordinate_based is not none %} +{% if iface_options.location is defined and iface_options.location.coordinate_based is defined and iface_options.location.coordinate_based is not none %} configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}" {% endif %} {% endif %} -- cgit v1.2.3 From 42c011224e5aef3c27f9de6b5a74e594a404131e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 1 Mar 2022 19:09:12 +0100 Subject: flow-accounting: T4277: support sending flow-data via VRF interface It should be possible to send the gathered data via a VRF bound interface to the collector. This is somehow related to T3981 but it's the opposite side of the netflow process. set system flow-accounting vrf --- data/templates/netflow/uacctd.conf.tmpl | 74 ---------------------- data/templates/pmacct/override.conf.tmpl | 17 +++++ data/templates/pmacct/uacctd.conf.tmpl | 74 ++++++++++++++++++++++ interface-definitions/flow-accounting-conf.xml.in | 1 + .../scripts/cli/test_system_flow-accounting.py | 5 +- src/conf_mode/flow_accounting_conf.py | 14 ++-- .../systemd/system/uacctd.service.d/override.conf | 14 ---- 7 files changed, 106 insertions(+), 93 deletions(-) delete mode 100644 data/templates/netflow/uacctd.conf.tmpl create mode 100644 data/templates/pmacct/override.conf.tmpl create mode 100644 data/templates/pmacct/uacctd.conf.tmpl delete mode 100644 src/etc/systemd/system/uacctd.service.d/override.conf (limited to 'data') diff --git a/data/templates/netflow/uacctd.conf.tmpl b/data/templates/netflow/uacctd.conf.tmpl deleted file mode 100644 index f81002dc1..000000000 --- a/data/templates/netflow/uacctd.conf.tmpl +++ /dev/null @@ -1,74 +0,0 @@ -# Genereated from VyOS configuration -daemonize: true -promisc: false -pidfile: /run/pmacct/uacctd.pid -uacctd_group: 2 -uacctd_nl_size: 2097152 -snaplen: {{ packet_length }} -aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows -{% set pipe_size = buffer_size | int *1024 *1024 %} -plugin_pipe_size: {{ pipe_size }} -{# We need an integer division (//) without any remainder or fraction #} -plugin_buffer_size: {{ pipe_size // 1000 }} -{% if syslog_facility is defined and syslog_facility is not none %} -syslog: {{ syslog_facility }} -{% endif %} -{% if disable_imt is not defined %} -imt_path: /tmp/uacctd.pipe -imt_mem_pools_number: 169 -{% endif %} - -{% set plugin = [] %} -{% if disable_imt is not defined %} -{% set plugin = ['memory'] %} -{% endif %} -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} -{% for server in netflow.server %} -{% set plugin = plugin.append('nfprobe[nf_' ~ server ~ ']') %} -{% endfor %} -{% endif %} -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} -{% for server in sflow.server %} -{% set plugin = plugin.append('sfprobe[sf_' ~ server ~ ']') %} -{% endfor %} -{% endif %} -plugins: {{ plugin | join(',') }} - -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} -# NetFlow servers -{% for server, server_config in netflow.server.items() %} -nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }} -nfprobe_version[nf_{{ server }}]: {{ netflow.version }} -{% if netflow.engine_id is defined and netflow.engine_id is not none %} -nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }} -{% endif %} -{% if netflow.max_flows is defined and netflow.max_flows is not none %} -nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }} -{% endif %} -{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %} -sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }} -{% endif %} -{% if netflow.source_address is defined and netflow.source_address is not none %} -nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }} -{% endif %} -{% if netflow.timeout is defined and netflow.timeout is not none %} -nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} -{% endif %} - -{% endfor %} -{% endif %} - -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} -# sFlow servers -{% for server, server_config in sflow.server.items() %} -sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }} -sfprobe_agentip[sf_{{ server }}]: {{ sflow.agent_address }} -{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %} -sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }} -{% endif %} -{% if sflow.source_address is defined and sflow.source_address is not none %} -sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }} -{% endif %} - -{% endfor %} -{% endif %} diff --git a/data/templates/pmacct/override.conf.tmpl b/data/templates/pmacct/override.conf.tmpl new file mode 100644 index 000000000..216927666 --- /dev/null +++ b/data/templates/pmacct/override.conf.tmpl @@ -0,0 +1,17 @@ +{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/pmacct/uacctd.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart={{vrf_command}}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf +WorkingDirectory= +WorkingDirectory=/run/pmacct +PIDFile= +PIDFile=/run/pmacct/uacctd.pid +Restart=always +RestartSec=10 diff --git a/data/templates/pmacct/uacctd.conf.tmpl b/data/templates/pmacct/uacctd.conf.tmpl new file mode 100644 index 000000000..b58f7c796 --- /dev/null +++ b/data/templates/pmacct/uacctd.conf.tmpl @@ -0,0 +1,74 @@ +# Genereated from VyOS configuration +daemonize: true +promisc: false +pidfile: /run/pmacct/uacctd.pid +uacctd_group: 2 +uacctd_nl_size: 2097152 +snaplen: {{ packet_length }} +aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows +{% set pipe_size = buffer_size | int *1024 *1024 %} +plugin_pipe_size: {{ pipe_size }} +{# We need an integer division (//) without any remainder or fraction #} +plugin_buffer_size: {{ pipe_size // 1000 }} +{% if syslog_facility is defined and syslog_facility is not none %} +syslog: {{ syslog_facility }} +{% endif %} +{% if disable_imt is not defined %} +imt_path: /tmp/uacctd.pipe +imt_mem_pools_number: 169 +{% endif %} + +{% set plugin = [] %} +{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +{% for server in netflow.server %} +{% set _ = plugin.append('nfprobe[nf_' ~ server ~ ']') %} +{% endfor %} +{% endif %} +{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +{% for server in sflow.server %} +{% set _ = plugin.append('sfprobe[sf_' ~ server ~ ']') %} +{% endfor %} +{% endif %} +{% if disable_imt is not defined %} +{% set _ = plugin.append('memory') %} +{% endif %} +plugins: {{ plugin | join(',') }} + +{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +# NetFlow servers +{% for server, server_config in netflow.server.items() %} +nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }} +nfprobe_version[nf_{{ server }}]: {{ netflow.version }} +{% if netflow.engine_id is defined and netflow.engine_id is not none %} +nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }} +{% endif %} +{% if netflow.max_flows is defined and netflow.max_flows is not none %} +nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }} +{% endif %} +{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %} +sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }} +{% endif %} +{% if netflow.source_address is defined and netflow.source_address is not none %} +nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }} +{% endif %} +{% if netflow.timeout is defined and netflow.timeout is not none %} +nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} +{% endif %} + +{% endfor %} +{% endif %} + +{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +# sFlow servers +{% for server, server_config in sflow.server.items() %} +sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }} +sfprobe_agentip[sf_{{ server }}]: {{ sflow.agent_address }} +{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %} +sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }} +{% endif %} +{% if sflow.source_address is defined and sflow.source_address is not none %} +sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }} +{% endif %} + +{% endfor %} +{% endif %} diff --git a/interface-definitions/flow-accounting-conf.xml.in b/interface-definitions/flow-accounting-conf.xml.in index 05cf5e170..133e45c72 100644 --- a/interface-definitions/flow-accounting-conf.xml.in +++ b/interface-definitions/flow-accounting-conf.xml.in @@ -431,6 +431,7 @@ #include + #include diff --git a/smoketest/scripts/cli/test_system_flow-accounting.py b/smoketest/scripts/cli/test_system_flow-accounting.py index 857df1be6..84f17bcb0 100755 --- a/smoketest/scripts/cli/test_system_flow-accounting.py +++ b/smoketest/scripts/cli/test_system_flow-accounting.py @@ -39,6 +39,9 @@ class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): cls.cli_delete(cls, base_path) def tearDown(self): + # after service removal process must no longer run + self.assertTrue(process_named_running(PROCESS_NAME)) + self.cli_delete(base_path) self.cli_commit() @@ -213,9 +216,9 @@ class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): uacctd = read_file(uacctd_conf) tmp = [] - tmp.append('memory') for server, server_config in netflow_server.items(): tmp.append(f'nfprobe[nf_{server}]') + tmp.append('memory') self.assertIn('plugins: ' + ','.join(tmp), uacctd) for server, server_config in netflow_server.items(): diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index 975f19acf..25bf54790 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2021 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -27,6 +27,7 @@ from vyos.configdict import dict_merge from vyos.ifconfig import Section from vyos.ifconfig import Interface from vyos.template import render +from vyos.util import call from vyos.util import cmd from vyos.validate import is_addr_assigned from vyos.xml import defaults @@ -35,6 +36,8 @@ from vyos import airbag airbag.enable() uacctd_conf_path = '/run/pmacct/uacctd.conf' +systemd_service = 'uacctd.service' +systemd_override = f'/etc/systemd/system/{systemd_service}.d/override.conf' nftables_nflog_table = 'raw' nftables_nflog_chain = 'VYOS_CT_PREROUTING_HOOK' egress_nftables_nflog_table = 'inet mangle' @@ -236,7 +239,10 @@ def generate(flow_config): if not flow_config: return None - render(uacctd_conf_path, 'netflow/uacctd.conf.tmpl', flow_config) + render(uacctd_conf_path, 'pmacct/uacctd.conf.tmpl', flow_config) + render(systemd_override, 'pmacct/override.conf.tmpl', flow_config) + # Reload systemd manager configuration + call('systemctl daemon-reload') def apply(flow_config): action = 'restart' @@ -246,13 +252,13 @@ def apply(flow_config): _nftables_config([], 'egress') # Stop flow-accounting daemon and remove configuration file - cmd('systemctl stop uacctd.service') + call(f'systemctl stop {systemd_service}') if os.path.exists(uacctd_conf_path): os.unlink(uacctd_conf_path) return # Start/reload flow-accounting daemon - cmd(f'systemctl restart uacctd.service') + call(f'systemctl restart {systemd_service}') # configure nftables rules for defined interfaces if 'interface' in flow_config: diff --git a/src/etc/systemd/system/uacctd.service.d/override.conf b/src/etc/systemd/system/uacctd.service.d/override.conf deleted file mode 100644 index 38bcce515..000000000 --- a/src/etc/systemd/system/uacctd.service.d/override.conf +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -After= -After=vyos-router.service -ConditionPathExists= -ConditionPathExists=/run/pmacct/uacctd.conf - -[Service] -EnvironmentFile= -ExecStart= -ExecStart=/usr/sbin/uacctd -f /run/pmacct/uacctd.conf -WorkingDirectory= -WorkingDirectory=/run/pmacct -PIDFile= -PIDFile=/run/pmacct/uacctd.pid -- cgit v1.2.3 From bb78f3a9ad28f62896a536719783011794deb64c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 3 Mar 2022 20:23:09 +0100 Subject: static: T4283: support "reject" routes - emit an ICMP unreachable when matched --- data/templates/frr/static_routes_macro.j2 | 3 ++ .../include/static/static-route-reject.xml.i | 12 +++++ .../include/static/static-route.xml.i | 1 + .../include/static/static-route6.xml.i | 1 + smoketest/scripts/cli/test_protocols_static.py | 57 +++++++++++++++++++--- src/conf_mode/protocols_static.py | 4 ++ 6 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 interface-definitions/include/static/static-route-reject.xml.i (limited to 'data') diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2 index 86c7470ca..8359357b7 100644 --- a/data/templates/frr/static_routes_macro.j2 +++ b/data/templates/frr/static_routes_macro.j2 @@ -2,6 +2,9 @@ {% if prefix_config.blackhole is defined %} {{ ip_ipv6 }} route {{ prefix }} blackhole {{ prefix_config.blackhole.distance if prefix_config.blackhole.distance is defined }} {{ 'tag ' + prefix_config.blackhole.tag if prefix_config.blackhole.tag is defined }} {{ 'table ' + table if table is defined and table is not none }} {% endif %} +{% if prefix_config.reject is defined %} +{{ ip_ipv6 }} route {{ prefix }} reject {{ prefix_config.reject.distance if prefix_config.reject.distance is defined }} {{ 'tag ' + prefix_config.reject.tag if prefix_config.reject.tag is defined }} {{ 'table ' + table if table is defined and table is not none }} +{% endif %} {% if prefix_config.dhcp_interface is defined and prefix_config.dhcp_interface is not none %} {% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %} {% if next_hop is defined and next_hop is not none %} diff --git a/interface-definitions/include/static/static-route-reject.xml.i b/interface-definitions/include/static/static-route-reject.xml.i new file mode 100644 index 000000000..81d4f9afd --- /dev/null +++ b/interface-definitions/include/static/static-route-reject.xml.i @@ -0,0 +1,12 @@ + + + + Emit an ICMP unreachable when matched + + + #include + #include + + + + diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i index 8433703a5..2de5dc58f 100644 --- a/interface-definitions/include/static/static-route.xml.i +++ b/interface-definitions/include/static/static-route.xml.i @@ -12,6 +12,7 @@ #include + #include #include diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i index 124b2b062..35feef41c 100644 --- a/interface-definitions/include/static/static-route6.xml.i +++ b/interface-definitions/include/static/static-route6.xml.i @@ -12,6 +12,7 @@ #include + #include IPv6 gateway interface name diff --git a/smoketest/scripts/cli/test_protocols_static.py b/smoketest/scripts/cli/test_protocols_static.py index 4c4eb5a7c..3ef9c76d8 100755 --- a/smoketest/scripts/cli/test_protocols_static.py +++ b/smoketest/scripts/cli/test_protocols_static.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -52,9 +52,16 @@ routes = { }, 'blackhole' : { 'distance' : '90' }, }, - '100.64.0.0/10' : { + '100.64.0.0/16' : { 'blackhole' : { }, }, + '100.65.0.0/16' : { + 'reject' : { 'distance' : '10', 'tag' : '200' }, + }, + '100.66.0.0/16' : { + 'blackhole' : { }, + 'reject' : { 'distance' : '10', 'tag' : '200' }, + }, '2001:db8:100::/40' : { 'next_hop' : { '2001:db8::1' : { 'distance' : '10' }, @@ -74,6 +81,9 @@ routes = { }, 'blackhole' : { 'distance' : '250', 'tag' : '500' }, }, + '2001:db8:300::/40' : { + 'reject' : { 'distance' : '250', 'tag' : '500' }, + }, '2001:db8::/32' : { 'blackhole' : { 'distance' : '200', 'tag' : '600' }, }, @@ -82,9 +92,15 @@ routes = { tables = ['80', '81', '82'] class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): - def setUp(self): - # This is our "target" VRF when leaking routes: - self.cli_set(['vrf', 'name', 'black', 'table', '43210']) + @classmethod + def setUpClass(cls): + super(cls, cls).setUpClass() + cls.cli_set(cls, ['vrf', 'name', 'black', 'table', '43210']) + + @classmethod + def tearDownClass(cls): + cls.cli_delete(cls, ['vrf']) + super(cls, cls).tearDownClass() def tearDown(self): for route, route_config in routes.items(): @@ -135,6 +151,20 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): if 'tag' in route_config['blackhole']: self.cli_set(base + ['blackhole', 'tag', route_config['blackhole']['tag']]) + if 'reject' in route_config: + self.cli_set(base + ['reject']) + if 'distance' in route_config['reject']: + self.cli_set(base + ['reject', 'distance', route_config['reject']['distance']]) + if 'tag' in route_config['reject']: + self.cli_set(base + ['reject', 'tag', route_config['reject']['tag']]) + + if {'blackhole', 'reject'} <= set(route_config): + # Can not use blackhole and reject at the same time + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base + ['blackhole']) + self.cli_delete(base + ['reject']) + # commit changes self.cli_commit() @@ -177,6 +207,11 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): else: self.assertIn(tmp, frrconfig) + if {'blackhole', 'reject'} <= set(route_config): + # Can not use blackhole and reject at the same time + # Config error validated above - skip this route + continue + if 'blackhole' in route_config: tmp = f'{ip_ipv6} route {route} blackhole' if 'tag' in route_config['blackhole']: @@ -186,6 +221,15 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): self.assertIn(tmp, frrconfig) + if 'reject' in route_config: + tmp = f'{ip_ipv6} route {route} reject' + if 'tag' in route_config['reject']: + tmp += ' tag ' + route_config['reject']['tag'] + if 'distance' in route_config['reject']: + tmp += ' ' + route_config['reject']['distance'] + + self.assertIn(tmp, frrconfig) + def test_02_static_table(self): for table in tables: for route, route_config in routes.items(): @@ -389,11 +433,8 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): self.assertIn(tmp, frrconfig) - self.cli_delete(['vrf']) - def test_04_static_zebra_route_map(self): # Implemented because of T3328 - self.debug = True route_map = 'foo-static-in' self.cli_set(['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit']) diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py index c1e427b16..f0ec48de4 100755 --- a/src/conf_mode/protocols_static.py +++ b/src/conf_mode/protocols_static.py @@ -82,6 +82,10 @@ def verify(static): for interface, interface_config in prefix_options[type].items(): verify_vrf(interface_config) + if {'blackhole', 'reject'} <= set(prefix_options): + raise ConfigError(f'Can not use both blackhole and reject for '\ + 'prefix "{prefix}"!') + return None def generate(static): -- cgit v1.2.3 From ebb524702e1cd60a74b00727b7bd24d375648c78 Mon Sep 17 00:00:00 2001 From: zsdc Date: Mon, 7 Mar 2022 18:20:53 +0200 Subject: logrotate: T4250: Fixed logrotate config generation * Removed `/var/log/auth.log` and `/var/log/messages` from `/etc/logrotate.d/rsyslog`, because they conflict with VyOS-controlled items what leads to service error. * Removed generation config file for `/var/log/messages` from `system-syslog.py` - this should be done from `syslom logs` now. * Generate each logfile from `system syslog file` to a dedicated logrotate config file. * Fixed logrotate config file names in `/etc/rsyslog.d/vyos-rsyslog.conf`. * Added default logrotate settins for `/var/log/messages` --- data/templates/syslog/logrotate.tmpl | 9 ++++----- debian/vyos-1x.postinst | 4 ++++ src/conf_mode/system-syslog.py | 14 +++++++++++--- src/etc/logrotate.d/vyos-rsyslog | 12 ++++++++++++ 4 files changed, 31 insertions(+), 8 deletions(-) create mode 100644 src/etc/logrotate.d/vyos-rsyslog (limited to 'data') diff --git a/data/templates/syslog/logrotate.tmpl b/data/templates/syslog/logrotate.tmpl index f758265e4..c1b951e8b 100644 --- a/data/templates/syslog/logrotate.tmpl +++ b/data/templates/syslog/logrotate.tmpl @@ -1,12 +1,11 @@ -{% for file in files %} -{{files[file]['log-file']}} { +{{ config_render['log-file'] }} { missingok notifempty create - rotate {{files[file]['max-files']}} - size={{files[file]['max-size']//1024}}k + rotate {{ config_render['max-files'] }} + size={{ config_render['max-size'] // 1024 }}k postrotate invoke-rc.d rsyslog rotate > /dev/null endscript } -{% endfor %} + diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 1a4c830cc..1ca6687a3 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -93,3 +93,7 @@ for file in $DELETE; do rm -f ${file} fi done + +# Remove logrotate items controlled via CLI and VyOS defaults +sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog +sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system-syslog.py index 3d8a51cd8..309b4bdb0 100755 --- a/src/conf_mode/system-syslog.py +++ b/src/conf_mode/system-syslog.py @@ -17,6 +17,7 @@ import os import re +from pathlib import Path from sys import exit from vyos.config import Config @@ -89,7 +90,7 @@ def get_config(config=None): filename: { 'log-file': '/var/log/user/' + filename, 'max-files': '5', - 'action-on-max-size': '/usr/sbin/logrotate /etc/logrotate.d/' + filename, + 'action-on-max-size': '/usr/sbin/logrotate /etc/logrotate.d/vyos-rsyslog-generated-' + filename, 'selectors': '*.err', 'max-size': 262144 } @@ -205,10 +206,17 @@ def generate(c): conf = '/etc/rsyslog.d/vyos-rsyslog.conf' render(conf, 'syslog/rsyslog.conf.tmpl', c) + # cleanup current logrotate config files + logrotate_files = Path('/etc/logrotate.d/').glob('vyos-rsyslog-generated-*') + for file in logrotate_files: + file.unlink() + # eventually write for each file its own logrotate file, since size is # defined it shouldn't matter - conf = '/etc/logrotate.d/vyos-rsyslog' - render(conf, 'syslog/logrotate.tmpl', c) + for filename, fileconfig in c.get('files', {}).items(): + if fileconfig['log-file'].startswith('/var/log/user/'): + conf = '/etc/logrotate.d/vyos-rsyslog-generated-' + filename + render(conf, 'syslog/logrotate.tmpl', { 'config_render': fileconfig }) def verify(c): diff --git a/src/etc/logrotate.d/vyos-rsyslog b/src/etc/logrotate.d/vyos-rsyslog new file mode 100644 index 000000000..3c087b94e --- /dev/null +++ b/src/etc/logrotate.d/vyos-rsyslog @@ -0,0 +1,12 @@ +/var/log/messages { + create + missingok + nomail + notifempty + rotate 10 + size 1M + postrotate + # inform rsyslog service about rotation + /usr/lib/rsyslog/rsyslog-rotate + endscript +} -- cgit v1.2.3 From 7549c847c3df9155c4315efcccfaf798af9fb402 Mon Sep 17 00:00:00 2001 From: Paul Lettington Date: Wed, 9 Mar 2022 14:24:16 +0000 Subject: policy: T2493 ip-next-hop unchanged & peer-address Also add ipv6-next-hop peer-address --- data/templates/frr/policy.frr.tmpl | 3 +++ interface-definitions/policy.xml.in | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) (limited to 'data') diff --git a/data/templates/frr/policy.frr.tmpl b/data/templates/frr/policy.frr.tmpl index d3d3957a5..97eb15331 100644 --- a/data/templates/frr/policy.frr.tmpl +++ b/data/templates/frr/policy.frr.tmpl @@ -276,6 +276,9 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} {% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.local is defined and rule_config.set.ipv6_next_hop.local is not none %} set ipv6 next-hop local {{ rule_config.set.ipv6_next_hop.local }} {% endif %} +{% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.peer_address is defined %} + set ipv6 next-hop peer-address +{% endif %} {% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.prefer_global is defined %} set ipv6 next-hop prefer-global {% endif %} diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index 9767285dd..5e037b558 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -1115,13 +1115,23 @@ Nexthop IP address + unchanged peer-address ipv4 IP address + + unchanged + Set the BGP nexthop address as unchanged + + + peer-address + Set the BGP nexthop address to the address of the peer + + ^(unchanged|peer-address)$ @@ -1160,6 +1170,12 @@ + + + Use peer address (for BGP only) + + + Prefer global address as the nexthop -- cgit v1.2.3 From fd9cb1574f2ef9bca648c040074820635ad301b1 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 15 Mar 2022 21:07:11 +0100 Subject: frr: T4302: upgrade to version 8.2 --- data/templates/frr/policy.frr.tmpl | 2 +- smoketest/scripts/cli/test_policy.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'data') diff --git a/data/templates/frr/policy.frr.tmpl b/data/templates/frr/policy.frr.tmpl index 97eb15331..60e15f4fd 100644 --- a/data/templates/frr/policy.frr.tmpl +++ b/data/templates/frr/policy.frr.tmpl @@ -204,7 +204,7 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} match ipv6 address prefix-list {{ rule_config.match.ipv6.address.prefix_list }} {% endif %} {% if rule_config.match.ipv6 is defined and rule_config.match.ipv6.nexthop is defined and rule_config.match.ipv6.nexthop is not none %} - match ipv6 next-hop {{ rule_config.match.ipv6.nexthop }} + match ipv6 next-hop address {{ rule_config.match.ipv6.nexthop }} {% endif %} {% if rule_config.match.large_community is defined and rule_config.match.large_community.large_community_list is defined and rule_config.match.large_community.large_community_list is not none %} match large-community {{ rule_config.match.large_community.large_community_list }} diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py index 491f1766d..0acd41903 100755 --- a/smoketest/scripts/cli/test_policy.py +++ b/smoketest/scripts/cli/test_policy.py @@ -1030,7 +1030,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): tmp = f'match ipv6 address prefix-list {rule_config["match"]["ipv6-address-pfx"]}' self.assertIn(tmp, config) if 'ipv6-nexthop' in rule_config['match']: - tmp = f'match ipv6 next-hop {rule_config["match"]["ipv6-nexthop"]}' + tmp = f'match ipv6 next-hop address {rule_config["match"]["ipv6-nexthop"]}' self.assertIn(tmp, config) if 'large-community' in rule_config['match']: tmp = f'match large-community {rule_config["match"]["large-community"]}' -- cgit v1.2.3 From 71805191d1e663af47ac1c2c11f7861d84677525 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 16 Mar 2022 20:32:28 +0100 Subject: frr: T4302: fix Jinja2 template to match new FRR syntax According to a wrong bug [1] there is no longer a vrf suffix available for interfaces. This got changed in [2] which no longer print vrf name for interface config when using vrf-lite. 1: https://github.com/FRRouting/frr/issues/10805 2: https://github.com/FRRouting/frr/pull/10411 --- data/templates/frr/isisd.frr.tmpl | 2 +- data/templates/frr/ospf6d.frr.tmpl | 2 +- data/templates/frr/ospfd.frr.tmpl | 2 +- smoketest/scripts/cli/test_protocols_ospfv3.py | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'data') diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.tmpl index b1e3f825b..c68dda443 100644 --- a/data/templates/frr/isisd.frr.tmpl +++ b/data/templates/frr/isisd.frr.tmpl @@ -1,7 +1,7 @@ ! {% if interface is defined and interface is not none %} {% for iface, iface_config in interface.items() %} -interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} +interface {{ iface }} ip router isis VyOS ipv6 router isis VyOS {% if iface_config.bfd is defined %} diff --git a/data/templates/frr/ospf6d.frr.tmpl b/data/templates/frr/ospf6d.frr.tmpl index 8279e5abb..a73c6cac3 100644 --- a/data/templates/frr/ospf6d.frr.tmpl +++ b/data/templates/frr/ospf6d.frr.tmpl @@ -1,7 +1,7 @@ ! {% if interface is defined and interface is not none %} {% for iface, iface_config in interface.items() %} -interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} +interface {{ iface }} {% if iface_config.area is defined and iface_config.area is not none %} ipv6 ospf6 area {{ iface_config.area }} {% endif %} diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl index a6618b6af..12213f162 100644 --- a/data/templates/frr/ospfd.frr.tmpl +++ b/data/templates/frr/ospfd.frr.tmpl @@ -1,7 +1,7 @@ ! {% if interface is defined and interface is not none %} {% for iface, iface_config in interface.items() %} -interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} +interface {{ iface }} {% if iface_config.authentication is defined and iface_config.authentication is not none %} {% if iface_config.authentication.plaintext_password is defined and iface_config.authentication.plaintext_password is not none %} ip ospf authentication-key {{ iface_config.authentication.plaintext_password }} diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py index 114733002..2fc694fd7 100755 --- a/smoketest/scripts/cli/test_protocols_ospfv3.py +++ b/smoketest/scripts/cli/test_protocols_ospfv3.py @@ -265,8 +265,8 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase): self.assertIn(f'router ospf6', frrconfig) self.assertIn(f' ospf6 router-id {router_id}', frrconfig) - frrconfig = self.getFRRconfig(f'interface {vrf_iface} vrf {vrf}') - self.assertIn(f'interface {vrf_iface} vrf {vrf}', frrconfig) + frrconfig = self.getFRRconfig(f'interface {vrf_iface}') + self.assertIn(f'interface {vrf_iface}', frrconfig) self.assertIn(f' ipv6 ospf6 bfd', frrconfig) frrconfig = self.getFRRconfig(f'router ospf6 vrf {vrf}') -- cgit v1.2.3 From c29c6d3d654c7280fdd4ea9fa66b5e84ef267285 Mon Sep 17 00:00:00 2001 From: fett0 Date: Thu, 17 Mar 2022 17:35:02 +0000 Subject: OSPF : T4304: Set import/export filter inter-area prefix --- data/templates/frr/ospfd.frr.tmpl | 6 +++++ .../include/ospf/protocol-common-config.xml.i | 30 ++++++++++++++++++++++ 2 files changed, 36 insertions(+) (limited to 'data') diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl index 12213f162..59d936b55 100644 --- a/data/templates/frr/ospfd.frr.tmpl +++ b/data/templates/frr/ospfd.frr.tmpl @@ -97,6 +97,12 @@ router ospf {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endif %} {% endfor %} {% endif %} +{% if area_config.export_list is defined and area_config.export_list is not none %} + area {{ area_id }} export-list {{ area_config.export_list }} +{% endif %} +{% if area_config.import_list is defined and area_config.import_list is not none %} + area {{ area_id }} import-list {{ area_config.import_list }} +{% endif %} {% if area_config.shortcut is defined and area_config.shortcut is not none %} area {{ area_id }} shortcut {{ area_config.shortcut }} {% endif %} diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 088bee2de..3a3372e47 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -256,6 +256,36 @@ + + + Set the filter for networks announced to other areas + + policy access-list + + + u32 + Access-list number + + + + + + + + + Set the filter for networks from other areas announced + + policy access-list + + + u32 + Access-list number + + + + + + Virtual link -- cgit v1.2.3 From 3584691b35f35e40a1bfc22c34da031141fd0dfa Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 21 Mar 2022 21:41:41 +0100 Subject: qos: T4284: initial XML interface definitions for rewrite --- Makefile | 6 + data/configd-include.json | 1 + .../include/interface/redirect.xml.i | 17 + .../include/interface/traffic-policy.xml.i | 43 ++ .../include/interface/vif-s.xml.i | 4 + interface-definitions/include/interface/vif.xml.i | 4 +- interface-definitions/include/qos/bandwidth.xml.i | 15 + interface-definitions/include/qos/burst.xml.i | 16 + .../include/qos/codel-quantum.xml.i | 16 + interface-definitions/include/qos/dscp.xml.i | 143 ++++ interface-definitions/include/qos/flows.xml.i | 16 + interface-definitions/include/qos/hfsc-d.xml.i | 15 + interface-definitions/include/qos/hfsc-m1.xml.i | 32 + interface-definitions/include/qos/hfsc-m2.xml.i | 32 + interface-definitions/include/qos/interval.xml.i | 16 + interface-definitions/include/qos/match.xml.i | 221 +++++++ interface-definitions/include/qos/max-length.xml.i | 15 + .../include/qos/queue-limit-1-4294967295.xml.i | 15 + .../include/qos/queue-limit-2-10999.xml.i | 16 + interface-definitions/include/qos/queue-type.xml.i | 30 + interface-definitions/include/qos/set-dscp.xml.i | 63 ++ interface-definitions/include/qos/target.xml.i | 16 + interface-definitions/include/qos/tcp-flags.xml.i | 21 + interface-definitions/interfaces-bonding.xml.in | 2 + interface-definitions/interfaces-bridge.xml.in | 2 + interface-definitions/interfaces-dummy.xml.in | 2 + interface-definitions/interfaces-ethernet.xml.in | 2 + interface-definitions/interfaces-geneve.xml.in | 2 + interface-definitions/interfaces-input.xml.in | 30 + interface-definitions/interfaces-l2tpv3.xml.in | 1 + interface-definitions/interfaces-loopback.xml.in | 2 + interface-definitions/interfaces-macsec.xml.in | 2 + interface-definitions/interfaces-openvpn.xml.in | 2 + interface-definitions/interfaces-pppoe.xml.in | 4 +- .../interfaces-pseudo-ethernet.xml.in | 2 + interface-definitions/interfaces-tunnel.xml.in | 4 +- interface-definitions/interfaces-vti.xml.in | 2 + interface-definitions/interfaces-vxlan.xml.in | 2 + interface-definitions/interfaces-wireguard.xml.in | 4 +- interface-definitions/interfaces-wireless.xml.in | 2 + interface-definitions/interfaces-wwan.xml.in | 4 +- interface-definitions/qos.xml.in | 721 +++++++++++++++++++++ python/vyos/configverify.py | 16 + src/conf_mode/interfaces-bonding.py | 4 +- src/conf_mode/interfaces-bridge.py | 2 + src/conf_mode/interfaces-dummy.py | 2 + src/conf_mode/interfaces-ethernet.py | 2 + src/conf_mode/interfaces-geneve.py | 2 + src/conf_mode/interfaces-l2tpv3.py | 2 + src/conf_mode/interfaces-loopback.py | 2 + src/conf_mode/interfaces-macsec.py | 2 + src/conf_mode/interfaces-pppoe.py | 2 + src/conf_mode/interfaces-pseudo-ethernet.py | 2 + src/conf_mode/interfaces-tunnel.py | 2 + src/conf_mode/interfaces-vti.py | 2 + src/conf_mode/interfaces-vxlan.py | 2 + src/conf_mode/interfaces-wireguard.py | 2 + src/conf_mode/interfaces-wireless.py | 2 + src/conf_mode/interfaces-wwan.py | 2 + src/conf_mode/qos.py | 90 +++ 60 files changed, 1699 insertions(+), 6 deletions(-) create mode 100644 interface-definitions/include/interface/redirect.xml.i create mode 100644 interface-definitions/include/interface/traffic-policy.xml.i create mode 100644 interface-definitions/include/qos/bandwidth.xml.i create mode 100644 interface-definitions/include/qos/burst.xml.i create mode 100644 interface-definitions/include/qos/codel-quantum.xml.i create mode 100644 interface-definitions/include/qos/dscp.xml.i create mode 100644 interface-definitions/include/qos/flows.xml.i create mode 100644 interface-definitions/include/qos/hfsc-d.xml.i create mode 100644 interface-definitions/include/qos/hfsc-m1.xml.i create mode 100644 interface-definitions/include/qos/hfsc-m2.xml.i create mode 100644 interface-definitions/include/qos/interval.xml.i create mode 100644 interface-definitions/include/qos/match.xml.i create mode 100644 interface-definitions/include/qos/max-length.xml.i create mode 100644 interface-definitions/include/qos/queue-limit-1-4294967295.xml.i create mode 100644 interface-definitions/include/qos/queue-limit-2-10999.xml.i create mode 100644 interface-definitions/include/qos/queue-type.xml.i create mode 100644 interface-definitions/include/qos/set-dscp.xml.i create mode 100644 interface-definitions/include/qos/target.xml.i create mode 100644 interface-definitions/include/qos/tcp-flags.xml.i create mode 100644 interface-definitions/interfaces-input.xml.in create mode 100644 interface-definitions/qos.xml.in create mode 100755 src/conf_mode/qos.py (limited to 'data') diff --git a/Makefile b/Makefile index 29744b323..431f3a8c2 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,12 @@ interface_definitions: $(config_xml_obj) # XXX: delete top level node.def's that now live in other packages # IPSec VPN EAP-RADIUS does not support source-address rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address + + # T4284 neq QoS implementation is not yet live + find $(TMPL_DIR)/interfaces -name traffic-policy -type d -exec rm -rf {} \; + find $(TMPL_DIR)/interfaces -name redirect -type d -exec rm -rf {} \; + rm -rf $(TMPL_DIR)/interfaces/input + # XXX: test if there are empty node.def files - this is not allowed as these # could mask help strings or mandatory priority statements find $(TMPL_DIR) -name node.def -type f -empty -exec false {} + || sh -c 'echo "There are empty node.def files! Check your interface definitions." && exit 1' diff --git a/data/configd-include.json b/data/configd-include.json index c85ab0725..b77d48001 100644 --- a/data/configd-include.json +++ b/data/configd-include.json @@ -48,6 +48,7 @@ "protocols_ripng.py", "protocols_static.py", "protocols_static_multicast.py", +"qos.py", "salt-minion.py", "service_console-server.py", "service_ids_fastnetmon.py", diff --git a/interface-definitions/include/interface/redirect.xml.i b/interface-definitions/include/interface/redirect.xml.i new file mode 100644 index 000000000..3be9ee16b --- /dev/null +++ b/interface-definitions/include/interface/redirect.xml.i @@ -0,0 +1,17 @@ + + + + Incoming packet redirection destination + + + + + txt + Interface name + + + + + + + diff --git a/interface-definitions/include/interface/traffic-policy.xml.i b/interface-definitions/include/interface/traffic-policy.xml.i new file mode 100644 index 000000000..cd60b62a5 --- /dev/null +++ b/interface-definitions/include/interface/traffic-policy.xml.i @@ -0,0 +1,43 @@ + + + + Traffic-policy for interface + + + + + Ingress traffic policy for interface + + traffic-policy drop-tail + traffic-policy fair-queue + traffic-policy fq-codel + traffic-policy limiter + traffic-policy network-emulator + traffic-policy priority-queue + traffic-policy random-detect + traffic-policy rate-control + traffic-policy round-robin + traffic-policy shaper + traffic-policy shaper-hfsc + + + txt + Policy name + + + + + + Egress traffic policy for interface + + traffic-policy + + + txt + Policy name + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i index f1a61ff64..59a47b5ff 100644 --- a/interface-definitions/include/interface/vif-s.xml.i +++ b/interface-definitions/include/interface/vif-s.xml.i @@ -64,11 +64,15 @@ #include #include #include + #include + #include #include #include #include + #include + #include #include diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 11ba7e2f8..8a1475711 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -18,7 +18,6 @@ #include #include #include - #include #include #include @@ -51,6 +50,9 @@ #include #include #include + #include + #include + #include diff --git a/interface-definitions/include/qos/bandwidth.xml.i b/interface-definitions/include/qos/bandwidth.xml.i new file mode 100644 index 000000000..82af22f42 --- /dev/null +++ b/interface-definitions/include/qos/bandwidth.xml.i @@ -0,0 +1,15 @@ + + + + Traffic-limit used for this class + + <number> + Rate in kbit (kilobit per second) + + + <number><suffix> + Rate with scaling suffix (mbit, mbps, ...) + + + + diff --git a/interface-definitions/include/qos/burst.xml.i b/interface-definitions/include/qos/burst.xml.i new file mode 100644 index 000000000..761618027 --- /dev/null +++ b/interface-definitions/include/qos/burst.xml.i @@ -0,0 +1,16 @@ + + + + Burst size for this class + + <number> + Bytes + + + <number><suffix> + Bytes with scaling suffix (kb, mb, gb) + + + 15k + + diff --git a/interface-definitions/include/qos/codel-quantum.xml.i b/interface-definitions/include/qos/codel-quantum.xml.i new file mode 100644 index 000000000..bc24630b6 --- /dev/null +++ b/interface-definitions/include/qos/codel-quantum.xml.i @@ -0,0 +1,16 @@ + + + + Deficit in the fair queuing algorithm + + u32:0-1048576 + Number of bytes used as 'deficit' + + + + + Interval must be in range 0 to 1048576 + + 1514 + + diff --git a/interface-definitions/include/qos/dscp.xml.i b/interface-definitions/include/qos/dscp.xml.i new file mode 100644 index 000000000..bb90850ac --- /dev/null +++ b/interface-definitions/include/qos/dscp.xml.i @@ -0,0 +1,143 @@ + + + + Match on Differentiated Services Codepoint (DSCP) + + default reliability throughput lowdelay priority immediate flash flash-override critical internet network AF11 AF12 AF13 AF21 AF22 AF23 AF31 AF32 AF33 AF41 AF42 AF43 CS1 CS2 CS3 CS4 CS5 CS6 CS7 EF + + + u32:0-63 + Differentiated Services Codepoint (DSCP) value + + + default + match DSCP (000000) + + + reliability + match DSCP (000001) + + + throughput + match DSCP (000010) + + + lowdelay + match DSCP (000100) + + + priority + match DSCP (001000) + + + immediate + match DSCP (010000) + + + flash + match DSCP (011000) + + + flash-override + match DSCP (100000) + + + critical + match DSCP (101000) + + + internet + match DSCP (110000) + + + network + match DSCP (111000) + + + AF11 + High-throughput data + + + AF12 + High-throughput data + + + AF13 + High-throughput data + + + AF21 + Low-latency data + + + AF22 + Low-latency data + + + AF23 + Low-latency data + + + AF31 + Multimedia streaming + + + AF32 + Multimedia streaming + + + AF33 + Multimedia streaming + + + AF41 + Multimedia conferencing + + + AF42 + Multimedia conferencing + + + AF43 + Multimedia conferencing + + + CS1 + Low-priority data + + + CS2 + OAM + + + CS3 + Broadcast video + + + CS4 + Real-time interactive + + + CS5 + Signaling + + + CS6 + Network control + + + CS7 + + + + EF + Expedited Forwarding + + + + (default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network|AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF) + + Priority must be between 0 and 63 + + + diff --git a/interface-definitions/include/qos/flows.xml.i b/interface-definitions/include/qos/flows.xml.i new file mode 100644 index 000000000..a7d7c6422 --- /dev/null +++ b/interface-definitions/include/qos/flows.xml.i @@ -0,0 +1,16 @@ + + + + Number of flows into which the incoming packets are classified + + u32:1-65536 + Number of flows + + + + + Interval must be in range 1 to 65536 + + 1024 + + diff --git a/interface-definitions/include/qos/hfsc-d.xml.i b/interface-definitions/include/qos/hfsc-d.xml.i new file mode 100644 index 000000000..2a513509c --- /dev/null +++ b/interface-definitions/include/qos/hfsc-d.xml.i @@ -0,0 +1,15 @@ + + + + Service curve delay + + <number> + Time in milliseconds + + + + + Priority must be between 0 and 65535 + + + diff --git a/interface-definitions/include/qos/hfsc-m1.xml.i b/interface-definitions/include/qos/hfsc-m1.xml.i new file mode 100644 index 000000000..749d01f57 --- /dev/null +++ b/interface-definitions/include/qos/hfsc-m1.xml.i @@ -0,0 +1,32 @@ + + + + Linkshare m1 parameter for class traffic + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec + + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + 100% + + diff --git a/interface-definitions/include/qos/hfsc-m2.xml.i b/interface-definitions/include/qos/hfsc-m2.xml.i new file mode 100644 index 000000000..24e8f5d63 --- /dev/null +++ b/interface-definitions/include/qos/hfsc-m2.xml.i @@ -0,0 +1,32 @@ + + + + Linkshare m2 parameter for class traffic + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec + + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + 100% + + diff --git a/interface-definitions/include/qos/interval.xml.i b/interface-definitions/include/qos/interval.xml.i new file mode 100644 index 000000000..41896ac9c --- /dev/null +++ b/interface-definitions/include/qos/interval.xml.i @@ -0,0 +1,16 @@ + + + + Interval used to measure the delay + + u32 + Interval in milliseconds + + + + + Interval must be in range 0 to 4294967295 + + 100 + + diff --git a/interface-definitions/include/qos/match.xml.i b/interface-definitions/include/qos/match.xml.i new file mode 100644 index 000000000..7d89e4460 --- /dev/null +++ b/interface-definitions/include/qos/match.xml.i @@ -0,0 +1,221 @@ + + + + Class matching rule name + + [^-].* + + Match queue name cannot start with hyphen (-) + + + #include + + + Ethernet header match + + + + + Ethernet destination address for this match + + macaddr + MAC address to match + + + + + + + + + Ethernet protocol for this match + + + all 802.1Q 802_2 802_3 aarp aoe arp atalk dec ip ipv6 ipx lat localtalk rarp snap x25 + + + u32:0-65535 + Ethernet protocol number + + + txt + Ethernet protocol name + + + all + Any protocol + + + ip + Internet IP (IPv4) + + + ipv6 + Internet IP (IPv6) + + + arp + Address Resolution Protocol + + + atalk + Appletalk + + + ipx + Novell Internet Packet Exchange + + + 802.1Q + 802.1Q VLAN tag + + + + + + + + + Ethernet source address for this match + + macaddr + MAC address to match + + + + + + + + + #include + + + Match IP protocol header + + + + + Match on destination port or address + + + + + IPv4 destination address for this match + + ipv4net + IPv4 address and prefix length + + + + + + + #include + + + #include + #include + #include + + + Match on source port or address + + + + + IPv4 source address for this match + + ipv4net + IPv4 address and prefix length + + + + + + + #include + + + #include + + + + + Match IPv6 protocol header + + + + + Match on destination port or address + + + + + IPv6 destination address for this match + + ipv6net + IPv6 address and prefix length + + + + + + + #include + + + #include + #include + #include + + + Match on source port or address + + + + + IPv6 source address for this match + + ipv6net + IPv6 address and prefix length + + + + + + + #include + + + #include + + + + + Match on mark applied by firewall + + txt + FW mark to match + + + + + + + + + Virtual Local Area Network (VLAN) ID for this match + + u32:0-4095 + Virtual Local Area Network (VLAN) tag + + + + + VLAN ID must be between 0 and 4095 + + + + + diff --git a/interface-definitions/include/qos/max-length.xml.i b/interface-definitions/include/qos/max-length.xml.i new file mode 100644 index 000000000..4cc20f8c4 --- /dev/null +++ b/interface-definitions/include/qos/max-length.xml.i @@ -0,0 +1,15 @@ + + + + Maximum packet length (ipv4) + + u32:0-65535 + Maximum packet/payload length + + + + + Maximum IPv4 total packet length is 65535 + + + diff --git a/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i b/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i new file mode 100644 index 000000000..2f2d44631 --- /dev/null +++ b/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i @@ -0,0 +1,15 @@ + + + + Maximum queue size + + u32:1-4294967295 + Queue size in packets + + + + + Queue limit must be greater than zero + + + diff --git a/interface-definitions/include/qos/queue-limit-2-10999.xml.i b/interface-definitions/include/qos/queue-limit-2-10999.xml.i new file mode 100644 index 000000000..7a9c8266b --- /dev/null +++ b/interface-definitions/include/qos/queue-limit-2-10999.xml.i @@ -0,0 +1,16 @@ + + + + Upper limit of the queue + + u32:2-10999 + Queue size in packets + + + + + Queue limit must greater than 1 and less than 11000 + + 10240 + + diff --git a/interface-definitions/include/qos/queue-type.xml.i b/interface-definitions/include/qos/queue-type.xml.i new file mode 100644 index 000000000..634f61024 --- /dev/null +++ b/interface-definitions/include/qos/queue-type.xml.i @@ -0,0 +1,30 @@ + + + + Queue type for default traffic + + fq-codel fair-queue drop-tail random-detect + + + fq-codel + Fair Queue Codel + + + fair-queue + Stochastic Fair Queue (SFQ) + + + drop-tail + First-In-First-Out (FIFO) + + + random-detect + Random Early Detection (RED) + + + (fq-codel|fair-queue|drop-tail|random-detect) + + + drop-tail + + diff --git a/interface-definitions/include/qos/set-dscp.xml.i b/interface-definitions/include/qos/set-dscp.xml.i new file mode 100644 index 000000000..55c0ea44d --- /dev/null +++ b/interface-definitions/include/qos/set-dscp.xml.i @@ -0,0 +1,63 @@ + + + + Change the Differentiated Services (DiffServ) field in the IP header + + default reliability throughput lowdelay priority immediate flash flash-override critical internet network + + + u32:0-63 + Priority order for bandwidth pool + + + default + match DSCP (000000) + + + reliability + match DSCP (000001) + + + throughput + match DSCP (000010) + + + lowdelay + match DSCP (000100) + + + priority + match DSCP (001000) + + + immediate + match DSCP (010000) + + + flash + match DSCP (011000) + + + flash-override + match DSCP (100000) + + + critical + match DSCP (101000) + + + internet + match DSCP (110000) + + + network + match DSCP (111000) + + + + (default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network) + + Priority must be between 0 and 63 + + + diff --git a/interface-definitions/include/qos/target.xml.i b/interface-definitions/include/qos/target.xml.i new file mode 100644 index 000000000..bf6342ac9 --- /dev/null +++ b/interface-definitions/include/qos/target.xml.i @@ -0,0 +1,16 @@ + + + + Acceptable minimum standing/persistent queue delay + + u32 + Queue delay in milliseconds + + + + + Delay must be in range 0 to 4294967295 + + 5 + + diff --git a/interface-definitions/include/qos/tcp-flags.xml.i b/interface-definitions/include/qos/tcp-flags.xml.i new file mode 100644 index 000000000..81d70d1f3 --- /dev/null +++ b/interface-definitions/include/qos/tcp-flags.xml.i @@ -0,0 +1,21 @@ + + + + TCP Flags matching + + + + + Match TCP ACK + + + + + + Match TCP SYN + + + + + + diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index b98f4b960..20ece5137 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -207,6 +207,8 @@ + #include + #include #include #include #include diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index fabfb917a..6957067cd 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -210,6 +210,8 @@ + #include + #include #include diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in index 3bca8b950..109ed1b50 100644 --- a/interface-definitions/interfaces-dummy.xml.in +++ b/interface-definitions/interfaces-dummy.xml.in @@ -30,6 +30,8 @@ #include + #include + #include #include diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index be7bddfa4..7d28912c0 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -196,6 +196,8 @@ + #include + #include #include #include #include diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index dd4d324d4..aa5809e60 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -50,6 +50,8 @@ + #include + #include #include #include diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in new file mode 100644 index 000000000..f2eb01c58 --- /dev/null +++ b/interface-definitions/interfaces-input.xml.in @@ -0,0 +1,30 @@ + + + + + + + Input Functional Block (IFB) interface name + + 310 + + ifb[0-9]+ + + Input interface must be named ifbN + + ifbN + Input interface name + + + + #include + #include + #include + #include + #include + #include + + + + + diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index ba9bcb0a2..124863653 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -125,6 +125,7 @@ + #include #include diff --git a/interface-definitions/interfaces-loopback.xml.in b/interface-definitions/interfaces-loopback.xml.in index 7be15ab89..ffffc0220 100644 --- a/interface-definitions/interfaces-loopback.xml.in +++ b/interface-definitions/interfaces-loopback.xml.in @@ -26,6 +26,8 @@ #include + #include + #include diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 7206e57b1..311e95c2f 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -122,6 +122,8 @@ 1460 #include + #include + #include #include diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index eb574eb52..73e30e590 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -816,6 +816,8 @@ + #include + #include #include diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index ed0e45840..1d888236e 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -49,7 +49,6 @@ #include #include #include - #include Delay before disconnecting idle session (in seconds) @@ -134,6 +133,9 @@ Service name must be alphanumeric only + #include + #include + #include diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in index bf7055f8d..7baeac537 100644 --- a/interface-definitions/interfaces-pseudo-ethernet.xml.in +++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in @@ -59,6 +59,8 @@ private #include + #include + #include #include #include diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index eb1708aaa..bc9297c86 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -20,7 +20,6 @@ #include #include #include - #include #include 1476 @@ -288,6 +287,9 @@ + #include + #include + #include diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in index f03c7476d..538194c2b 100644 --- a/interface-definitions/interfaces-vti.xml.in +++ b/interface-definitions/interfaces-vti.xml.in @@ -34,6 +34,8 @@ #include #include #include + #include + #include #include #include #include diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 0546b4199..18abf9f20 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -99,6 +99,8 @@ #include #include #include + #include + #include #include #include diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 1b4b4a816..2f130c6f2 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -19,7 +19,6 @@ #include #include #include - #include #include #include #include @@ -120,6 +119,9 @@ + #include + #include + #include diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index 9db9fd757..eebe8f841 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -778,6 +778,8 @@ monitor + #include + #include #include #include diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in index 03554feed..7007a67ae 100644 --- a/interface-definitions/interfaces-wwan.xml.in +++ b/interface-definitions/interfaces-wwan.xml.in @@ -30,7 +30,6 @@ #include #include #include - #include #include #include @@ -41,6 +40,9 @@ #include #include #include + #include + #include + #include diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in new file mode 100644 index 000000000..d4468543c --- /dev/null +++ b/interface-definitions/qos.xml.in @@ -0,0 +1,721 @@ + + + + + Quality of Service (QOS) policy type + 900 + + + + + Packet limited First In, First Out queue + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + + + + + Stochastic Fairness Queueing + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + + Interval in seconds for queue algorithm perturbation + + u32:0 + No perturbation + + + u32:1-127 + Interval in seconds for queue algorithm perturbation (advised: 10) + + + + + Interval must be in range 0 to 127 + + 0 + + + + Upper limit of the SFQ + + u32:2-127 + Queue size in packets + + + + + Queue limit must greater than 1 and less than 128 + + 127 + + + + + + Fair Queuing Controlled Delay + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + #include + #include + #include + #include + + + + + Traffic input limiting policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + + + Class ID + + u32:1-4090 + Class Identifier + + + + + Class identifier must be between 1 and 4090 + + + #include + #include + #include + #include + + + Priority for rule evaluation + + u32:0-20 + Priority for match rule evaluation + + + + + Priority must be between 0 and 20 + + 20 + + + + + + Default policy + + + #include + #include + + + #include + + + + + Network emulator policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + #include + + + Adds delay to packets outgoing to chosen network interface + + <number> + Time in milliseconds + + + + + Priority must be between 0 and 65535 + + + + + Introducing error in a random position for chosen percent of packets + + <number> + Percentage of packets affected + + + + + Priority must be between 0 and 100 + + + + + Add independent loss probability to the packets outgoing to chosen network interface + + <number> + Percentage of packets affected + + + + + Must be between 0 and 100 + + + + + Add independent loss probability to the packets outgoing to chosen network interface + + <number> + Percentage of packets affected + + + + + Must be between 0 and 100 + + + + + Packet reordering percentage + + <number> + Percentage of packets affected + + + + + Must be between 0 and 100 + + + #include + + + + + Priority queuing based policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + + + Class Handle + + u32:1-7 + Priority + + + + + Class handle must be between 1 and 7 + + + #include + #include + #include + #include + #include + #include + #include + #include + + + + + Default policy + + + #include + #include + #include + #include + #include + #include + #include + + + #include + + + + + Priority queuing based policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + auto + + #include + + + IP precedence + + u32:0-7 + IP precedence value + + + + + IP precedence value must be between 0 and 7 + + + #include + + + Average packet size (bytes) + + u32:16-10240 + Average packet size in bytes + + + + + Average packet size must be between 16 and 10240 + + 1024 + + + + Mark probability for this precedence + + <number> + Numeric value (1/N) + + + + + Mark probability must be greater than 0 + + + + + Maximum threshold for random detection + + u32:0-4096 + Maximum Threshold in packets + + + + + Threshold must be between 0 and 4096 + + + + + Minimum threshold for random detection + + u32:0-4096 + Maximum Threshold in packets + + + + + Threshold must be between 0 and 4096 + + + + + + + + + Rate limiting policy (Token Bucket Filter) + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + #include + + + Maximum latency + + <number> + Time in milliseconds + + + + + Threshold must be between 0 and 4096 + + 50 + + + + + + Round-Robin based policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + + Class ID + + u32:1-4095 + Class Identifier + + + + + Class identifier must be between 1 and 4095 + + + #include + #include + #include + #include + #include + + + Packet scheduling quantum + + u32:1-4294967295 + Packet scheduling quantum (bytes) + + + + + Quantum must be in range 1 to 4294967295 + + + #include + #include + #include + + + + + + + Hierarchical Fair Service Curve's policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + auto + + #include + + + Class ID + + u32:1-4095 + Class Identifier + + + + + Class identifier must be between 1 and 4095 + + + #include + + + Linkshare class settings + + + #include + #include + #include + + + #include + + + Realtime class settings + + + #include + #include + #include + + + + + Upperlimit class settings + + + #include + #include + #include + + + + + + + Default policy + + + + + Linkshare class settings + + + #include + #include + #include + + + + + Realtime class settings + + + #include + #include + #include + + + + + Upperlimit class settings + + + #include + #include + #include + + + + + + + + + Traffic shaping based policy (Hierarchy Token Bucket) + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + auto + + + + Class ID + + u32:2-4095 + Class Identifier + + + + + Class identifier must be between 2 and 4095 + + + #include + + 100% + + #include + + + Bandwidth limit for this class + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec + + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + + #include + #include + #include + #include + #include + + + Priority for usage of excess bandwidth + + u32:0-7 + Priority order for bandwidth pool + + + + + Priority must be between 0 and 7 + + 20 + + #include + #include + #include + #include + + + #include + + + Default policy + + + #include + #include + + + Bandwidth limit for this class + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec + + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + + #include + #include + #include + #include + + + Priority for usage of excess bandwidth + + u32:0-7 + Priority order for bandwidth pool + + + + + Priority must be between 0 and 7 + + 20 + + #include + #include + #include + #include + + + + + + + diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index fab88bc72..7f1258575 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -191,6 +191,19 @@ def verify_mirror(config): raise ConfigError(f'Can not mirror "{direction}" traffic back ' \ 'the originating interface!') +def verify_redirect(config): + """ + Common helper function used by interface implementations to perform + recurring validation of the redirect interface configuration. + + It makes no sense to mirror and redirect traffic at the same time! + """ + if {'mirror', 'redirect'} <= set(config): + raise ConfigError('Can not do both redirect and mirror') + + if dict_search('traffic_policy.in', config) != None: + raise ConfigError('Can not use ingress policy and redirect') + def verify_authentication(config): """ Common helper function used by interface implementations to perform @@ -315,6 +328,7 @@ def verify_vlan_config(config): verify_dhcpv6(vlan) verify_address(vlan) verify_vrf(vlan) + verify_redirect(vlan) verify_mtu_parent(vlan, config) # 802.1ad (Q-in-Q) VLANs @@ -323,6 +337,7 @@ def verify_vlan_config(config): verify_dhcpv6(s_vlan) verify_address(s_vlan) verify_vrf(s_vlan) + verify_redirect(s_vlan) verify_mtu_parent(s_vlan, config) for c_vlan in s_vlan.get('vif_c', {}): @@ -330,6 +345,7 @@ def verify_vlan_config(config): verify_dhcpv6(c_vlan) verify_address(c_vlan) verify_vrf(c_vlan) + verify_redirect(c_vlan) verify_mtu_parent(c_vlan, config) verify_mtu_parent(c_vlan, s_vlan) diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py index bb53cd6c2..661dc2298 100755 --- a/src/conf_mode/interfaces-bonding.py +++ b/src/conf_mode/interfaces-bonding.py @@ -27,9 +27,10 @@ from vyos.configdict import is_source_interface from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_dhcpv6 -from vyos.configverify import verify_source_interface from vyos.configverify import verify_mirror from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect +from vyos.configverify import verify_source_interface from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ifconfig import BondIf @@ -151,6 +152,7 @@ def verify(bond): verify_dhcpv6(bond) verify_vrf(bond) verify_mirror(bond) + verify_redirect(bond) # use common function to verify VLAN configuration verify_vlan_config(bond) diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py index 9f840cb58..e16c0e9f4 100755 --- a/src/conf_mode/interfaces-bridge.py +++ b/src/conf_mode/interfaces-bridge.py @@ -28,6 +28,7 @@ from vyos.configdict import has_vlan_subinterface_configured from vyos.configdict import dict_merge from vyos.configverify import verify_dhcpv6 from vyos.configverify import verify_mirror +from vyos.configverify import verify_redirect from vyos.configverify import verify_vrf from vyos.ifconfig import BridgeIf from vyos.validate import has_address_configured @@ -107,6 +108,7 @@ def verify(bridge): verify_dhcpv6(bridge) verify_vrf(bridge) verify_mirror(bridge) + verify_redirect(bridge) ifname = bridge['ifname'] diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py index 55c783f38..4072c4452 100755 --- a/src/conf_mode/interfaces-dummy.py +++ b/src/conf_mode/interfaces-dummy.py @@ -21,6 +21,7 @@ from vyos.configdict import get_interface_dict from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_redirect from vyos.ifconfig import DummyIf from vyos import ConfigError from vyos import airbag @@ -46,6 +47,7 @@ def verify(dummy): verify_vrf(dummy) verify_address(dummy) + verify_redirect(dummy) return None diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index 2a8a126f2..3eeddf190 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py @@ -28,6 +28,7 @@ from vyos.configverify import verify_interface_exists from vyos.configverify import verify_mirror from vyos.configverify import verify_mtu from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ethtool import Ethtool @@ -84,6 +85,7 @@ def verify(ethernet): verify_vrf(ethernet) verify_eapol(ethernet) verify_mirror(ethernet) + verify_redirect(ethernet) ethtool = Ethtool(ifname) # No need to check speed and duplex keys as both have default values. diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py index 2a63b60aa..a94b5e1f7 100755 --- a/src/conf_mode/interfaces-geneve.py +++ b/src/conf_mode/interfaces-geneve.py @@ -24,6 +24,7 @@ from vyos.configdict import get_interface_dict from vyos.configverify import verify_address from vyos.configverify import verify_mtu_ipv6 from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_redirect from vyos.ifconfig import GeneveIf from vyos import ConfigError @@ -50,6 +51,7 @@ def verify(geneve): verify_mtu_ipv6(geneve) verify_address(geneve) + verify_redirect(geneve) if 'remote' not in geneve: raise ConfigError('Remote side must be configured') diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py index 9b6ddd5aa..5ea7159dc 100755 --- a/src/conf_mode/interfaces-l2tpv3.py +++ b/src/conf_mode/interfaces-l2tpv3.py @@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.ifconfig import L2TPv3If from vyos.util import check_kmod from vyos.validate import is_addr_assigned @@ -76,6 +77,7 @@ def verify(l2tpv3): verify_mtu_ipv6(l2tpv3) verify_address(l2tpv3) + verify_redirect(l2tpv3) return None def generate(l2tpv3): diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py index 193334443..e6a851113 100755 --- a/src/conf_mode/interfaces-loopback.py +++ b/src/conf_mode/interfaces-loopback.py @@ -20,6 +20,7 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_interface_dict +from vyos.configverify import verify_redirect from vyos.ifconfig import LoopbackIf from vyos import ConfigError from vyos import airbag @@ -39,6 +40,7 @@ def get_config(config=None): return loopback def verify(loopback): + verify_redirect(loopback) return None def generate(loopback): diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index eab69f36e..6a29fdb11 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -29,6 +29,7 @@ from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_source_interface from vyos import ConfigError from vyos import airbag @@ -66,6 +67,7 @@ def verify(macsec): verify_vrf(macsec) verify_mtu_ipv6(macsec) verify_address(macsec) + verify_redirect(macsec) if not (('security' in macsec) and ('cipher' in macsec['security'])): diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py index 584adc75e..9962e0a08 100755 --- a/src/conf_mode/interfaces-pppoe.py +++ b/src/conf_mode/interfaces-pppoe.py @@ -28,6 +28,7 @@ from vyos.configverify import verify_source_interface from vyos.configverify import verify_interface_exists from vyos.configverify import verify_vrf from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.ifconfig import PPPoEIf from vyos.template import render from vyos.util import call @@ -85,6 +86,7 @@ def verify(pppoe): verify_authentication(pppoe) verify_vrf(pppoe) verify_mtu_ipv6(pppoe) + verify_redirect(pppoe) if {'connect_on_demand', 'vrf'} <= set(pppoe): raise ConfigError('On-demand dialing and VRF can not be used at the same time') diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index 945a2ea9c..f57e41cc4 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py @@ -25,6 +25,7 @@ from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_source_interface from vyos.configverify import verify_vlan_config from vyos.configverify import verify_mtu_parent +from vyos.configverify import verify_redirect from vyos.ifconfig import MACVLANIf from vyos import ConfigError @@ -60,6 +61,7 @@ def verify(peth): verify_vrf(peth) verify_address(peth) verify_mtu_parent(peth, peth['parent']) + verify_redirect(peth) # use common function to verify VLAN configuration verify_vlan_config(peth) diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index 433764b8a..005fae5eb 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -26,6 +26,7 @@ from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_interface_exists from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_vrf from vyos.configverify import verify_tunnel from vyos.ifconfig import Interface @@ -157,6 +158,7 @@ def verify(tunnel): verify_mtu_ipv6(tunnel) verify_address(tunnel) verify_vrf(tunnel) + verify_redirect(tunnel) if 'source_interface' in tunnel: verify_interface_exists(tunnel['source_interface']) diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py index 57950ffea..30e13536f 100755 --- a/src/conf_mode/interfaces-vti.py +++ b/src/conf_mode/interfaces-vti.py @@ -19,6 +19,7 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_interface_dict +from vyos.configverify import verify_redirect from vyos.ifconfig import VTIIf from vyos.util import dict_search from vyos import ConfigError @@ -39,6 +40,7 @@ def get_config(config=None): return vti def verify(vti): + verify_redirect(vti) return None def generate(vti): diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 29b16af89..a29836efd 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_source_interface from vyos.ifconfig import Interface from vyos.ifconfig import VXLANIf @@ -140,6 +141,7 @@ def verify(vxlan): verify_mtu_ipv6(vxlan) verify_address(vxlan) + verify_redirect(vxlan) return None def generate(vxlan): diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index da64dd076..dc0fe7b9c 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -28,6 +28,7 @@ from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.ifconfig import WireGuardIf from vyos.util import check_kmod from vyos.util import check_port_availability @@ -70,6 +71,7 @@ def verify(wireguard): verify_mtu_ipv6(wireguard) verify_address(wireguard) verify_vrf(wireguard) + verify_redirect(wireguard) if 'private_key' not in wireguard: raise ConfigError('Wireguard private-key not defined') diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py index af35b5f03..fdf9e3988 100755 --- a/src/conf_mode/interfaces-wireless.py +++ b/src/conf_mode/interfaces-wireless.py @@ -27,6 +27,7 @@ from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_dhcpv6 from vyos.configverify import verify_source_interface +from vyos.configverify import verify_redirect from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ifconfig import WiFiIf @@ -189,6 +190,7 @@ def verify(wifi): verify_address(wifi) verify_vrf(wifi) + verify_redirect(wifi) # use common function to verify VLAN configuration verify_vlan_config(wifi) diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py index a4b033374..367a50e82 100755 --- a/src/conf_mode/interfaces-wwan.py +++ b/src/conf_mode/interfaces-wwan.py @@ -23,6 +23,7 @@ from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configverify import verify_authentication from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_redirect from vyos.configverify import verify_vrf from vyos.ifconfig import WWANIf from vyos.util import cmd @@ -77,6 +78,7 @@ def verify(wwan): verify_interface_exists(ifname) verify_authentication(wwan) verify_vrf(wwan) + verify_redirect(wwan) return None diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py new file mode 100755 index 000000000..cf447d4b5 --- /dev/null +++ b/src/conf_mode/qos.py @@ -0,0 +1,90 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.xml import defaults +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['traffic-policy'] + if not conf.exists(base): + return None + + qos = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + for traffic_policy in ['drop-tail', 'fair-queue', 'fq-codel', 'limiter', + 'network-emulator', 'priority-queue', 'random-detect', + 'rate-control', 'round-robin', 'shaper', 'shaper-hfsc']: + traffic_policy_us = traffic_policy.replace('-','_') + # Individual policy type not present on CLI - no need to blend in + # any default values + if traffic_policy_us not in qos: + continue + + default_values = defaults(base + [traffic_policy_us]) + + # class is another tag node which requires individual handling + class_default_values = defaults(base + [traffic_policy_us, 'class']) + if 'class' in default_values: + del default_values['class'] + + for policy, policy_config in qos[traffic_policy_us].items(): + qos[traffic_policy_us][policy] = dict_merge( + default_values, qos[traffic_policy_us][policy]) + + if 'class' in policy_config: + for policy_class in policy_config['class']: + qos[traffic_policy_us][policy]['class'][policy_class] = dict_merge( + class_default_values, qos[traffic_policy_us][policy]['class'][policy_class]) + + import pprint + pprint.pprint(qos) + return qos + +def verify(qos): + if not qos: + return None + + # network policy emulator + # reorder rerquires delay to be set + + raise ConfigError('123') + return None + +def generate(qos): + return None + +def apply(qos): + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) -- cgit v1.2.3 From 78a4676f787e5e37f67afd5c2453ce06e3f0f9e9 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Fri, 18 Mar 2022 08:39:14 -0400 Subject: ike-group: T4288 : close-action is missing in swanctl.conf close-action parameter is missing in the swanctl.conf file --- data/templates/ipsec/swanctl/peer.tmpl | 6 +++-- interface-definitions/vpn_ipsec.xml.in | 8 ++---- src/migration-scripts/ipsec/8-to-9 | 49 ++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 8 deletions(-) create mode 100755 src/migration-scripts/ipsec/8-to-9 (limited to 'data') diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index 562e8fdd5..a622cbf74 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -87,9 +87,10 @@ start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} + close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} } {% elif peer_conf.tunnel is defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} @@ -137,9 +138,10 @@ start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} + close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} {% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index d8c06a310..a86951ce8 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -231,7 +231,7 @@ Action to take if a child SA is unexpectedly closed - none hold clear restart + none hold restart none @@ -241,16 +241,12 @@ hold Attempt to re-negotiate when matching traffic is seen - - clear - Remove the connection immediately - restart Attempt to re-negotiate the connection immediately - ^(none|hold|clear|restart)$ + ^(none|hold|restart)$ diff --git a/src/migration-scripts/ipsec/8-to-9 b/src/migration-scripts/ipsec/8-to-9 new file mode 100755 index 000000000..209cd8ac9 --- /dev/null +++ b/src/migration-scripts/ipsec/8-to-9 @@ -0,0 +1,49 @@ + +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['vpn', 'ipsec', 'ike-group'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) +else: + for ike_group in config.list_nodes(base): + base_closeaction = base + [ike_group, 'close-action'] + if config.exists(base_closeaction) and config.return_value(base_closeaction) == 'clear': + config.set(base_closeaction, 'none', replace=True) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print(f'Failed to save the modified config: {e}') + exit(1) -- cgit v1.2.3