From a5ad98b2307af974dd498a84caec94fa613f7491 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 10 Jan 2022 01:00:12 +0100
Subject: firewall: validators: T2199: Improve port validation
---
interface-definitions/include/firewall/port.xml.i | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
index 59d92978b..3bacafff8 100644
--- a/interface-definitions/include/firewall/port.xml.i
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -16,8 +16,11 @@
- \n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'
+ \n\n Multiple destination ports can be specified as a comma-separated list.\n For example: 'telnet,http,123,1001-1005'
+
+
+
--
From 05b5d09ca70c5cc868f2108df4bcd3fcf6a7d865 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 9 Jan 2022 20:54:39 +0100
Subject: conntrack: T3579: migrate "conntrack ignore" tree to vyos-1x and
nftables
---
data/templates/conntrack/nftables-ct-ignore.tmpl | 40 ++++
.../include/conntrack/log-common.xml.i | 20 ++
interface-definitions/system-conntrack.xml.in | 205 +++++++++++++++++++++
src/conf_mode/conntrack.py | 12 ++
4 files changed, 277 insertions(+)
create mode 100644 data/templates/conntrack/nftables-ct-ignore.tmpl
create mode 100644 interface-definitions/include/conntrack/log-common.xml.i
diff --git a/data/templates/conntrack/nftables-ct-ignore.tmpl b/data/templates/conntrack/nftables-ct-ignore.tmpl
new file mode 100644
index 000000000..59c1cb1d2
--- /dev/null
+++ b/data/templates/conntrack/nftables-ct-ignore.tmpl
@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+
+# we first flush the chains content and then render the new statements from CLI
+# if applicable
+{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %}
+flush chain raw {{ nft_ct_ignore_name }}
+table raw {
+ chain {{ nft_ct_ignore_name }} {
+{% if ignore is defined and ignore.rule is defined and ignore.rule is not none %}
+{% for rule, rule_config in ignore.rule.items() %}
+ # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is defined and rule_config.description is not none }}
+{% set nft_command = '' %}
+{% if rule_config.inbound_interface is defined and rule_config.inbound_interface is not none %}
+{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %}
+{% endif %}
+{% if rule_config.protocol is defined and rule_config.protocol is not none %}
+{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %}
+{% endif %}
+{% if rule_config.destination is defined and rule_config.destination is not none %}
+{% if rule_config.destination.address is defined and rule_config.destination.address is not none %}
+{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %}
+{% endif %}
+{% if rule_config.destination.port is defined and rule_config.destination.port is not none %}
+{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %}
+{% endif %}
+{% endif %}
+{% if rule_config.source is defined and rule_config.source is not none %}
+{% if rule_config.source.address is defined and rule_config.source.address is not none %}
+{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %}
+{% endif %}
+{% if rule_config.source.port is defined and rule_config.source.port is not none %}
+{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %}
+{% endif %}
+{% endif %}
+ {{ nft_command }} counter return comment ignore-{{ rule }}
+{% endfor %}
+{% endif %}
+ return
+ }
+}
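Review bot: The protocol match at L57 (`' ip protocol ' ~ rule_config.protocol`) emits the CLI value verbatim, but the protocol node defined for this tree in system-conntrack.xml.in (hunk ending L235) offers `all`, `tcp_udp` and `!<protocol>` as values, none of which is valid nftables syntax in that position, and verify() in conntrack.py (hunk ending L347) only inspects the protocol when a port is set. A rule with protocol `tcp_udp` or `all` and no port therefore passes commit validation and fails only at `nft -f` in apply(). The template should translate those forms as below; whether the included address nodes admit a negated form that would need the same treatment is not visible in this diff. Note also that `flush chain raw VYOS_CT_IGNORE` at L46 runs before the `table raw` block that declares the chain, so the chain must already exist when this file is loaded — presumably created by a base ruleset outside this change, worth a comment next to the flush.
```jinja
{% if rule_config.protocol is defined and rule_config.protocol is not none %}
{% if rule_config.protocol == 'tcp_udp' %}
{% set nft_command = nft_command ~ ' meta l4proto { tcp, udp }' %}
{% elif rule_config.protocol.startswith('!') %}
{% set nft_command = nft_command ~ ' ip protocol != ' ~ rule_config.protocol[1:] %}
{% elif rule_config.protocol != 'all' %}
{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %}
{% endif %}
{% endif %}
{# … unchanged: destination / source address and port handling … #}
```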
diff --git a/interface-definitions/include/conntrack/log-common.xml.i b/interface-definitions/include/conntrack/log-common.xml.i
new file mode 100644
index 000000000..38799f8f4
--- /dev/null
+++ b/interface-definitions/include/conntrack/log-common.xml.i
@@ -0,0 +1,20 @@
+
+
+
+ Log connection deletion
+
+
+
+
+
+ Log connection creation
+
+
+
+
+
+ Log connection updates
+
+
+
+
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index daa4177c9..88f96a078 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -35,6 +35,128 @@
32768
+
+
+ Customized rules to ignore selective connection tracking
+
+
+
+
+ Rule number
+
+ u32:1-999999
+ Number of conntrack ignore rule
+
+
+
+
+ Ignore rule number must be between 1 and 999999
+
+
+ #include
+
+
+ Destination parameters
+
+
+ #include
+ #include
+
+
+
+
+ Interface to ignore connections tracking on
+
+ any
+
+
+
+
+ #include
+
+
+ Protocol to match (protocol name, number, or "all")
+
+
+ all tcp_udp
+
+
+ all
+ All IP protocols
+
+
+ tcp_udp
+ Both TCP and UDP
+
+
+ u32:0-255
+ IP protocol number
+
+
+ <protocol>
+ IP protocol name
+
+
+ !<protocol>
+ IP protocol name
+
+
+
+
+
+
+
+
+ Source parameters
+
+
+ #include
+ #include
+
+
+
+
+
+
+
+
+ Log connection tracking events per protocol
+
+
+
+
+ Log connection tracking events for ICMP
+
+
+ #include
+
+
+
+
+ Log connection tracking events for all protocols other than TCP, UDP and ICMP
+
+
+ #include
+
+
+
+
+ Log connection tracking events for TCP
+
+
+ #include
+
+
+
+
+ Log connection tracking events for UDP
+
+
+ #include
+
+
+
+
Connection tracking modules
@@ -155,6 +277,89 @@
Connection timeout options
+
+
+ Define custom timeouts per connection
+
+
+
+
+ Rule number
+
+ u32:1-999999
+ Number of conntrack rule
+
+
+
+
+ Ignore rule number must be between 1 and 999999
+
+
+ #include
+
+
+ Destination parameters
+
+
+ #include
+ #include
+
+
+
+
+ Interface to ignore connections tracking on
+
+ any
+
+
+
+
+ #include
+
+
+ Protocol to match (protocol name, number, or "all")
+
+
+ all tcp_udp
+
+
+ all
+ All IP protocols
+
+
+ tcp_udp
+ Both TCP and UDP
+
+
+ u32:0-255
+ IP protocol number
+
+
+ <protocol>
+ IP protocol name
+
+
+ !<protocol>
+ IP protocol name
+
+
+
+
+
+
+
+
+ Source parameters
+
+
+ #include
+ #include
+
+
+
+
+
+
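Review bot: The validation error text at L253, `Ignore rule number must be between 1 and 999999`, and the help at L268, `Interface to ignore connections tracking on`, were copied from the ignore tree but sit under the custom-timeout rule node added at L240, so the messages a user sees for a timeout rule refer to the wrong feature. Suggest `Timeout rule number must be between 1 and 999999` and `Interface to apply custom connection timeouts on`. The "Number of conntrack rule" help at L248 would likewise read better as `Number of conntrack timeout rule`.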
ICMP timeout in seconds
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index c65ef9540..3cb0dd1e2 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -35,6 +35,7 @@ airbag.enable()
conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
+nftables_ct_ignore_file = r'/run/nftables-ct-ignore.conf'
# Every ALG (Application Layer Gateway) consists of either a Kernel Object
# also called a Kernel Module/Driver or some rules present in iptables
@@ -86,11 +87,19 @@ def get_config(config=None):
return conntrack
def verify(conntrack):
+ if dict_search('ignore.rule', conntrack) != None:
+ for rule, rule_config in conntrack['ignore']['rule'].items():
+ if dict_search('destination.port', rule_config) or \
+ dict_search('source.port', rule_config):
+ if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
+ raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
+
return None
def generate(conntrack):
render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.tmpl', conntrack)
render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack)
+ render(nftables_ct_ignore_file, 'conntrack/nftables-ct-ignore.tmpl', conntrack)
return None
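Review bot: `dict_search('ignore.rule', conntrack) != None` at L335 compares against None with `!=`; the idiomatic form is `if dict_search('ignore.rule', conntrack) is not None:`. The reason for the tcp/udp restriction is not visible from this function — it exists because the template renders `<protocol> dport { ... }`, which nftables only accepts for an L4 protocol — so a short docstring on verify(), e.g. `"""Reject ignore rules that match a port without a tcp or udp protocol, since the nftables dport/sport match needs one."""`, would save the next maintainer a trip to the template.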
@@ -127,6 +136,9 @@ def apply(conntrack):
if not find_nftables_ct_rule(rule):
cmd(f'nft insert rule ip raw VYOS_CT_HELPER {rule}')
+ # Load new nftables ruleset
+ cmd(f'nft -f {nftables_ct_ignore_file}')
+
if process_named_running('conntrackd'):
# Reload conntrack-sync daemon to fetch new sysctl values
resync_conntrackd()
--
From fd1b1ff19b0ff852d796e979ab3b596651686f2f Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 10 Jan 2022 22:26:39 +0100
Subject: conntrack: T3579: make the timeout tree re-usable as XML include
---
.../conntrack/timeout-common-protocols.xml.i | 172 +++++++++++++++++
interface-definitions/system-conntrack.xml.in | 207 +--------------------
2 files changed, 179 insertions(+), 200 deletions(-)
create mode 100644 interface-definitions/include/conntrack/timeout-common-protocols.xml.i
diff --git a/interface-definitions/include/conntrack/timeout-common-protocols.xml.i b/interface-definitions/include/conntrack/timeout-common-protocols.xml.i
new file mode 100644
index 000000000..2676d846e
--- /dev/null
+++ b/interface-definitions/include/conntrack/timeout-common-protocols.xml.i
@@ -0,0 +1,172 @@
+
+
+
+ ICMP timeout in seconds
+
+ u32:1-21474836
+ ICMP timeout in seconds
+
+
+
+
+
+ 30
+
+
+
+ Generic connection timeout in seconds
+
+ u32:1-21474836
+ Generic connection timeout in seconds
+
+
+
+
+
+ 600
+
+
+
+ TCP connection timeout options
+
+
+
+
+ TCP CLOSE-WAIT timeout in seconds
+
+ u32:1-21474836
+ TCP CLOSE-WAIT timeout in seconds
+
+
+
+
+
+ 60
+
+
+
+ TCP CLOSE timeout in seconds
+
+ u32:1-21474836
+ TCP CLOSE timeout in seconds
+
+
+
+
+
+ 10
+
+
+
+ TCP ESTABLISHED timeout in seconds
+
+ u32:1-21474836
+ TCP ESTABLISHED timeout in seconds
+
+
+
+
+
+ 432000
+
+
+
+ TCP FIN-WAIT timeout in seconds
+
+ u32:1-21474836
+ TCP FIN-WAIT timeout in seconds
+
+
+
+
+
+ 120
+
+
+
+ TCP LAST-ACK timeout in seconds
+
+ u32:1-21474836
+ TCP LAST-ACK timeout in seconds
+
+
+
+
+
+ 30
+
+
+
+ TCP SYN-RECEIVED timeout in seconds
+
+ u32:1-21474836
+ TCP SYN-RECEIVED timeout in seconds
+
+
+
+
+
+ 60
+
+
+
+ TCP SYN-SENT timeout in seconds
+
+ u32:1-21474836
+ TCP SYN-SENT timeout in seconds
+
+
+
+
+
+ 120
+
+
+
+ TCP TIME-WAIT timeout in seconds
+
+ u32:1-21474836
+ TCP TIME-WAIT timeout in seconds
+
+
+
+
+
+ 120
+
+
+
+
+
+ UDP timeout options
+
+
+
+
+ UDP generic timeout in seconds
+
+ u32:1-21474836
+ UDP generic timeout in seconds
+
+
+
+
+
+ 30
+
+
+
+ UDP stream timeout in seconds
+
+ u32:1-21474836
+ UDP stream timeout in seconds
+
+
+
+
+
+ 180
+
+
+
+
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 88f96a078..65edab839 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -315,38 +315,14 @@
#include
-
+
- Protocol to match (protocol name, number, or "all")
-
-
- all tcp_udp
-
-
- all
- All IP protocols
-
-
- tcp_udp
- Both TCP and UDP
-
-
- u32:0-255
- IP protocol number
-
-
- <protocol>
- IP protocol name
-
-
- !<protocol>
- IP protocol name
-
-
-
-
+ Customize protocol specific timers, one protocol configuration per rule
-
+
+ #include
+
+
Source parameters
@@ -360,176 +336,7 @@
-
-
- ICMP timeout in seconds
-
- u32:1-21474836
- ICMP timeout in seconds
-
-
-
-
-
- 30
-
-
-
- Generic connection timeout in seconds
-
- u32:1-21474836
- Generic connection timeout in seconds
-
-
-
-
-
- 600
-
-
-
- TCP connection timeout options
-
-
-
-
- TCP CLOSE-WAIT timeout in seconds
-
- u32:1-21474836
- TCP CLOSE-WAIT timeout in seconds
-
-
-
-
-
- 60
-
-
-
- TCP CLOSE timeout in seconds
-
- u32:1-21474836
- TCP CLOSE timeout in seconds
-
-
-
-
-
- 10
-
-
-
- TCP ESTABLISHED timeout in seconds
-
- u32:1-21474836
- TCP ESTABLISHED timeout in seconds
-
-
-
-
-
- 432000
-
-
-
- TCP FIN-WAIT timeout in seconds
-
- u32:1-21474836
- TCP FIN-WAIT timeout in seconds
-
-
-
-
-
- 120
-
-
-
- TCP LAST-ACK timeout in seconds
-
- u32:1-21474836
- TCP LAST-ACK timeout in seconds
-
-
-
-
-
- 30
-
-
-
- TCP SYN-RECEIVED timeout in seconds
-
- u32:1-21474836
- TCP SYN-RECEIVED timeout in seconds
-
-
-
-
-
- 60
-
-
-
- TCP SYN-SENT timeout in seconds
-
- u32:1-21474836
- TCP SYN-SENT timeout in seconds
-
-
-
-
-
- 120
-
-
-
- TCP TIME-WAIT timeout in seconds
-
- u32:1-21474836
- TCP TIME-WAIT timeout in seconds
-
-
-
-
-
- 120
-
-
-
-
-
- UDP timeout options
-
-
-
-
- UDP generic timeout in seconds
-
- u32:1-21474836
- UDP generic timeout in seconds
-
-
-
-
-
- 30
-
-
-
- UDP stream timeout in seconds
-
- u32:1-21474836
- UDP stream timeout in seconds
-
-
-
-
-
- 180
-
-
-
+ #include
--
From 6cf5767524b8519f86981943ab71ff288bf77d67 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 11 Jan 2022 01:10:59 +0100
Subject: policy: T2199: Refactor policy route script for better error handling
* Migrates all policy route references from `ipv6-route` to `route6`
* Update test config `dialup-router-medium-vpn` to test migration of `ipv6-route` to `route6`
---
data/templates/firewall/nftables-policy.tmpl | 6 +
.../include/interface/interface-policy-vif-c.xml.i | 4 +-
.../include/interface/interface-policy-vif.xml.i | 4 +-
.../include/interface/interface-policy.xml.i | 4 +-
smoketest/configs/dialup-router-medium-vpn | 24 +++
smoketest/scripts/cli/test_policy_route.py | 28 +++-
src/conf_mode/policy-route-interface.py | 8 +-
src/conf_mode/policy-route.py | 169 +++++++++++++++------
src/migration-scripts/policy/1-to-2 | 18 +++
src/op_mode/policy_route.py | 10 +-
10 files changed, 213 insertions(+), 62 deletions(-)
diff --git a/data/templates/firewall/nftables-policy.tmpl b/data/templates/firewall/nftables-policy.tmpl
index 668ec7388..484b6f203 100644
--- a/data/templates/firewall/nftables-policy.tmpl
+++ b/data/templates/firewall/nftables-policy.tmpl
@@ -1,5 +1,11 @@
#!/usr/sbin/nft -f
+{% if cleanup_commands is defined %}
+{% for command in cleanup_commands %}
+{{ command }}
+{% endfor %}
+{% endif %}
+
include "/run/nftables_defines.conf"
table ip mangle {
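Review bot: The cleanup commands emitted at L791 run before the `include` and the `table ip mangle {` redefinition, and per cleanup_commands() in policy-route.py (hunk ending L1138) they include `delete chain` for every `VYOS_PBR*` chain that is no longer configured. `nft -f` loads the file as one transaction, so if a deleted chain is still the target of a `jump` from a rule in one of the preserved chains, the whole load fails and apply() raises `Failed to apply policy based routing` (L1152); whether policy-route-interface.py always removes the interface jump rules before this script runs is not visible in this diff. Consider stating the ordering assumption above the loop, e.g. `{# chain deletes assume no remaining jump references; interface jump rules are removed by policy-route-interface.py #}`.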
diff --git a/interface-definitions/include/interface/interface-policy-vif-c.xml.i b/interface-definitions/include/interface/interface-policy-vif-c.xml.i
index 5dad6422b..866fcd5c0 100644
--- a/interface-definitions/include/interface/interface-policy-vif-c.xml.i
+++ b/interface-definitions/include/interface/interface-policy-vif-c.xml.i
@@ -13,11 +13,11 @@
-
+
IPv6 policy route ruleset for interface
- policy ipv6-route
+ policy route6
diff --git a/interface-definitions/include/interface/interface-policy-vif.xml.i b/interface-definitions/include/interface/interface-policy-vif.xml.i
index 5ee80ae13..83510fe59 100644
--- a/interface-definitions/include/interface/interface-policy-vif.xml.i
+++ b/interface-definitions/include/interface/interface-policy-vif.xml.i
@@ -13,11 +13,11 @@
-
+
IPv6 policy route ruleset for interface
- policy ipv6-route
+ policy route6
diff --git a/interface-definitions/include/interface/interface-policy.xml.i b/interface-definitions/include/interface/interface-policy.xml.i
index 06f025af1..42a8fd009 100644
--- a/interface-definitions/include/interface/interface-policy.xml.i
+++ b/interface-definitions/include/interface/interface-policy.xml.i
@@ -13,11 +13,11 @@
-
+
IPv6 policy route ruleset for interface
- policy ipv6-route
+ policy route6
diff --git a/smoketest/configs/dialup-router-medium-vpn b/smoketest/configs/dialup-router-medium-vpn
index af7c075e4..7ca540b66 100644
--- a/smoketest/configs/dialup-router-medium-vpn
+++ b/smoketest/configs/dialup-router-medium-vpn
@@ -83,6 +83,7 @@ interfaces {
}
policy {
route LAN-POLICY-BASED-ROUTING
+ ipv6-route LAN6-POLICY-BASED-ROUTING
}
smp-affinity auto
speed auto
@@ -383,6 +384,29 @@ nat {
}
}
policy {
+ ipv6-route LAN6-POLICY-BASED-ROUTING {
+ rule 10 {
+ destination {
+ }
+ disable
+ set {
+ table 10
+ }
+ source {
+ address 2002::1
+ }
+ }
+ rule 20 {
+ destination {
+ }
+ set {
+ table 100
+ }
+ source {
+ address 2008::f
+ }
+ }
+ }
prefix-list user2-routes {
rule 1 {
action permit
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 70a234187..4463a2255 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -31,8 +31,9 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
def tearDown(self):
self.cli_delete(['interfaces', 'ethernet', 'eth0'])
+ self.cli_delete(['protocols', 'static'])
self.cli_delete(['policy', 'route'])
- self.cli_delete(['policy', 'ipv6-route'])
+ self.cli_delete(['policy', 'route6'])
self.cli_commit()
def test_pbr_mark(self):
@@ -65,13 +66,19 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'port', '8888'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'table', table_id])
+ self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'protocol', 'tcp_udp'])
+ self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'destination', 'port', '8888'])
+ self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'set', 'table', table_id])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'policy', 'route', 'smoketest'])
+ self.cli_set(['interfaces', 'ethernet', 'eth0', 'policy', 'route6', 'smoketest6'])
self.cli_commit()
mark_hex = "{0:#010x}".format(table_mark_offset - int(table_id))
+ # IPv4
+
nftables_search = [
['iifname "eth0"', 'jump VYOS_PBR_smoketest'],
['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'meta mark set ' + mark_hex]
@@ -87,6 +94,25 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
break
self.assertTrue(matched)
+ # IPv6
+
+ nftables6_search = [
+ ['iifname "eth0"', 'jump VYOS_PBR6_smoketest'],
+ ['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'meta mark set ' + mark_hex]
+ ]
+
+ nftables6_output = cmd('sudo nft list table ip6 mangle')
+
+ for search in nftables6_search:
+ matched = False
+ for line in nftables6_output.split("\n"):
+ if all(item in line for item in search):
+ matched = True
+ break
+ self.assertTrue(matched)
+
+ # IP rule fwmark -> table
+
ip_rule_search = [
['fwmark ' + hex(table_mark_offset - int(table_id)), 'lookup ' + table_id]
]
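Review bot: The IPv6 search at L904 looks for `jump VYOS_PBR6_smoketest`, but the policy created at L886 is named `smoketest6`, so the chain is `VYOS_PBR6_smoketest6` and the assertion only passes because `in` is a substring test. Pin the expected chain name: `['iifname "eth0"', 'jump VYOS_PBR6_smoketest'],` → `['iifname "eth0"', 'jump VYOS_PBR6_smoketest6'],`. The v4 and v6 search loops (L895-L900 and L910-L916) are now verbatim copies; a helper such as `def _assert_nft_output_matches(self, output, searches)` would remove the duplication. test_pbr_mark continues outside the hunk.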
diff --git a/src/conf_mode/policy-route-interface.py b/src/conf_mode/policy-route-interface.py
index e81135a74..1108aebe6 100755
--- a/src/conf_mode/policy-route-interface.py
+++ b/src/conf_mode/policy-route-interface.py
@@ -52,7 +52,7 @@ def verify(if_policy):
if not if_policy:
return None
- for route in ['route', 'ipv6_route']:
+ for route in ['route', 'route6']:
if route in if_policy:
if route not in if_policy['policy']:
raise ConfigError('Policy route not configured')
@@ -71,7 +71,7 @@ def cleanup_rule(table, chain, ifname, new_name=None):
results = cmd(f'nft -a list chain {table} {chain}').split("\n")
retval = None
for line in results:
- if f'oifname "{ifname}"' in line:
+ if f'ifname "{ifname}"' in line:
if new_name and f'jump {new_name}' in line:
# new_name is used to clear rules for any previously referenced chains
# returns true when rule exists and doesn't need to be created
@@ -98,8 +98,8 @@ def apply(if_policy):
else:
cleanup_rule('ip mangle', route_chain, ifname)
- if 'ipv6_route' in if_policy:
- name = 'VYOS_PBR6_' + if_policy['ipv6_route']
+ if 'route6' in if_policy:
+ name = 'VYOS_PBR6_' + if_policy['route6']
rule_exists = cleanup_rule('ip6 mangle', ipv6_route_chain, ifname, name)
if not rule_exists:
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index 9edab4b47..c5904309f 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -31,6 +31,35 @@ airbag.enable()
mark_offset = 0x7FFFFFFF
nftables_conf = '/run/nftables_policy.conf'
+preserve_chains = [
+ 'VYOS_PBR_PREROUTING',
+ 'VYOS_PBR_POSTROUTING',
+ 'VYOS_PBR6_PREROUTING',
+ 'VYOS_PBR6_POSTROUTING'
+]
+
+valid_groups = [
+ 'address_group',
+ 'network_group',
+ 'port_group'
+]
+
+def get_policy_interfaces(conf):
+ out = {}
+ interfaces = conf.get_config_dict(['interfaces'], key_mangling=('-', '_'), get_first_key=True,
+ no_tag_node_value_mangle=True)
+ def find_interfaces(iftype_conf, output={}, prefix=''):
+ for ifname, if_conf in iftype_conf.items():
+ if 'policy' in if_conf:
+ output[prefix + ifname] = if_conf['policy']
+ for vif in ['vif', 'vif_s', 'vif_c']:
+ if vif in if_conf:
+ output.update(find_interfaces(if_conf[vif], output, f'{prefix}{ifname}.'))
+ return output
+ for iftype, iftype_conf in interfaces.items():
+ out.update(find_interfaces(iftype_conf))
+ return out
+
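Review bot: `find_interfaces` at L977 declares a mutable default `output={}`; because every call at L986 uses that default, the same dict accumulates across interface types and is then `update`d into `out` again — it works, but only by accident, and it is the classic mutable-default trap. Pass the accumulator explicitly: `def find_interfaces(iftype_conf, output, prefix=''):`, recurse with `find_interfaces(if_conf[vif], output, f'{prefix}{ifname}.')` (the surrounding `output.update(...)` is then redundant), and call `find_interfaces(iftype_conf, out)` from the outer loop. A one-line docstring on get_policy_interfaces, e.g. `"""Return {ifname: policy_dict} for every interface, vif, vif-s and vif-c that carries a policy node."""`, would also help, since the dotted-name convention for sub-interfaces is otherwise only implied by the prefix building.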
def get_config(config=None):
if config:
conf = config
@@ -38,61 +67,117 @@ def get_config(config=None):
conf = Config()
base = ['policy']
- if not conf.exists(base + ['route']) and not conf.exists(base + ['ipv6-route']):
- return None
-
policy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
no_tag_node_value_mangle=True)
+ policy['firewall_group'] = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'), get_first_key=True,
+ no_tag_node_value_mangle=True)
+ policy['interfaces'] = get_policy_interfaces(conf)
+
return policy
-def verify(policy):
- # bail out early - looks like removal from running config
- if not policy:
- return None
+def verify_rule(policy, rule_conf, ipv6):
+ icmp = 'icmp' if not ipv6 else 'icmpv6'
+ if icmp in rule_conf:
+ icmp_defined = False
+ if 'type_name' in rule_conf[icmp]:
+ icmp_defined = True
+ if 'code' in rule_conf[icmp] or 'type' in rule_conf[icmp]:
+ raise ConfigError(f'{name} rule {rule_id}: Cannot use ICMP type/code with ICMP type-name')
+ if 'code' in rule_conf[icmp]:
+ icmp_defined = True
+ if 'type' not in rule_conf[icmp]:
+ raise ConfigError(f'{name} rule {rule_id}: ICMP code can only be defined if ICMP type is defined')
+ if 'type' in rule_conf[icmp]:
+ icmp_defined = True
+
+ if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp:
+ raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP')
+ if 'set' in rule_conf:
+ if 'tcp_mss' in rule_conf['set']:
+ tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+ if not tcp_flags or 'SYN' not in tcp_flags.split(","):
+ raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
+ if 'tcp' in rule_conf:
+ if 'flags' in rule_conf['tcp']:
+ if 'protocol' not in rule_conf or rule_conf['protocol'] != 'tcp':
+ raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
+
+ for side in ['destination', 'source']:
+ if side in rule_conf:
+ side_conf = rule_conf[side]
+
+ if 'group' in side_conf:
+ if {'address_group', 'network_group'} <= set(side_conf['group']):
+ raise ConfigError('Only one address-group or network-group can be specified')
+
+ for group in valid_groups:
+ if group in side_conf['group']:
+ group_name = side_conf['group'][group]
+ fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group
+ error_group = fw_group.replace("_", "-")
+ group_obj = dict_search_args(policy['firewall_group'], fw_group, group_name)
+
+ if group_obj is None:
+ raise ConfigError(f'Invalid {error_group} "{group_name}" on policy route rule')
+
+ if not group_obj:
+ print(f'WARNING: {error_group} "{group_name}" has no members')
+
+ if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'):
+ if 'protocol' not in rule_conf:
+ raise ConfigError('Protocol must be defined if specifying a port or port-group')
+
+ if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
+ raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group')
+def verify(policy):
for route in ['route', 'route6']:
+ ipv6 = route == 'route6'
if route in policy:
for name, pol_conf in policy[route].items():
if 'rule' in pol_conf:
- for rule_id, rule_conf in pol_conf.items():
- icmp = 'icmp' if route == 'route' else 'icmpv6'
- if icmp in rule_conf:
- icmp_defined = False
- if 'type_name' in rule_conf[icmp]:
- icmp_defined = True
- if 'code' in rule_conf[icmp] or 'type' in rule_conf[icmp]:
- raise ConfigError(f'{name} rule {rule_id}: Cannot use ICMP type/code with ICMP type-name')
- if 'code' in rule_conf[icmp]:
- icmp_defined = True
- if 'type' not in rule_conf[icmp]:
- raise ConfigError(f'{name} rule {rule_id}: ICMP code can only be defined if ICMP type is defined')
- if 'type' in rule_conf[icmp]:
- icmp_defined = True
-
- if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp:
- raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP')
- if 'set' in rule_conf:
- if 'tcp_mss' in rule_conf['set']:
- tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
- if not tcp_flags or 'SYN' not in tcp_flags.split(","):
- raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
- if 'tcp' in rule_conf:
- if 'flags' in rule_conf['tcp']:
- if 'protocol' not in rule_conf or rule_conf['protocol'] != 'tcp':
- raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
+ for rule_id, rule_conf in pol_conf['rule'].items():
+ verify_rule(policy, rule_conf, ipv6)
+
+ for ifname, if_policy in policy['interfaces'].items():
+ name = dict_search_args(if_policy, 'route')
+ ipv6_name = dict_search_args(if_policy, 'route6')
+ if name and not dict_search_args(policy, 'route', name):
+ raise ConfigError(f'Policy route "{name}" is still referenced on interface {ifname}')
+
+ if ipv6_name and not dict_search_args(policy, 'route6', ipv6_name):
+ raise ConfigError(f'Policy route6 "{ipv6_name}" is still referenced on interface {ifname}')
return None
-def generate(policy):
- if not policy:
- if os.path.exists(nftables_conf):
- os.unlink(nftables_conf)
- return None
+def cleanup_commands(policy):
+ commands = []
+ for table in ['ip mangle', 'ip6 mangle']:
+ json_str = cmd(f'nft -j list table {table}')
+ obj = loads(json_str)
+ if 'nftables' not in obj:
+ continue
+ for item in obj['nftables']:
+ if 'chain' in item:
+ chain = item['chain']['name']
+ if not chain.startswith("VYOS_PBR"):
+ continue
+ if chain not in preserve_chains:
+ if table == 'ip mangle' and dict_search_args(policy, 'route', chain.replace("VYOS_PBR_", "", 1)):
+ commands.append(f'flush chain {table} {chain}')
+ elif table == 'ip6 mangle' and dict_search_args(policy, 'route6', chain.replace("VYOS_PBR6_", "", 1)):
+ commands.append(f'flush chain {table} {chain}')
+ else:
+ commands.append(f'delete chain {table} {chain}')
+ return commands
+def generate(policy):
if not os.path.exists(nftables_conf):
policy['first_install'] = True
+ else:
+ policy['cleanup_commands'] = cleanup_commands(policy)
render(nftables_conf, 'firewall/nftables-policy.tmpl', policy)
return None
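Review bot: `verify_rule` at L1009 builds its error messages from `{name}` and `{rule_id}` (L1016, L1020, L1025, L1030, L1034), but neither is a parameter of the new function, so every rejected rule now raises NameError instead of ConfigError unless those names happen to exist at module level, which this diff does not show. Thread them through: `def verify_rule(policy, name, rule_id, rule_conf, ipv6):` and, at L1096, `verify_rule(policy, name, rule_id, rule_conf, ipv6)`. The condition at L1024 also carries over a precedence problem from the old code: `and` binds tighter than `or`, so `rule_conf['protocol']` is evaluated even when `icmp_defined` is false and raises KeyError for a rule with an icmp block but no protocol; intended is `if icmp_defined and ('protocol' not in rule_conf or rule_conf['protocol'] != icmp):`. Separately, `cleanup_commands` at L1115 parses `nft -j list table` for both mangle tables with no handling for a table that does not exist yet; whether cmd() raises in that case is not visible here.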
@@ -124,14 +209,6 @@ def cleanup_table_marks():
cmd(f'ip rule del fwmark {fwmark} table {table}')
def apply(policy):
- if not policy or 'first_install' not in policy:
- run(f'nft flush table ip mangle')
- run(f'nft flush table ip6 mangle')
-
- if not policy:
- cleanup_table_marks()
- return None
-
install_result = run(f'nft -f {nftables_conf}')
if install_result == 1:
raise ConfigError('Failed to apply policy based routing')
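Review bot: The removed block at L1146-L1148 held the only call to cleanup_table_marks() visible in this hunk, and get_config() now always returns a dict (L1000-L1004), so `not policy` can no longer be true; if apply() does not invoke cleanup_table_marks() further down (its body continues outside the hunk), stale `ip rule ... fwmark` entries will persist after the last policy route is deleted. The table flushes formerly done at L1143-L1144 are gone as well, so the rendered ruleset is now the only thing that removes old chains; a comment above the `nft -f` call would make that dependency explicit, e.g. `# stale VYOS_PBR* chains are flushed/deleted by the cleanup_commands rendered into nftables_conf`.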
diff --git a/src/migration-scripts/policy/1-to-2 b/src/migration-scripts/policy/1-to-2
index 3e46227de..7ffceef22 100755
--- a/src/migration-scripts/policy/1-to-2
+++ b/src/migration-scripts/policy/1-to-2
@@ -41,6 +41,24 @@ if not config.exists(base):
config.rename(base, 'route6')
config.set_tag(['policy', 'route6'])
+if config.exists(['interfaces']):
+ def if_policy_rename(config, path):
+ if config.exists(path + ['policy', 'ipv6-route']):
+ config.rename(path + ['policy', 'ipv6-route'], 'route6')
+
+ for if_type in config.list_nodes(['interfaces']):
+ for ifname in config.list_nodes(['interfaces', if_type]):
+ if_path = ['interfaces', if_type, ifname]
+ if_policy_rename(config, if_path)
+
+ for vif_type in ['vif', 'vif-s']:
+ if config.exists(if_path + [vif_type]):
+ for vifname in config.list_nodes(if_path + [vif_type]):
+ if_policy_rename(config, if_path + [vif_type, vifname])
+
+ if config.exists(if_path + [vif_type, vifname, 'vif-c']):
+ for vifcname in config.list_nodes(if_path + [vif_type, vifname, 'vif-c']):
+ if_policy_rename(config, if_path + [vif_type, vifname, 'vif-c', vifcname])
try:
with open(file_name, 'w') as f:
f.write(config.to_string())
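Review bot: The `vif-c` lookup at L1175-L1177 reads the `vifname` loop variable, so it has to sit inside the `for vifname` loop at L1172; the indentation is not recoverable from this view, and if the block is at loop level only the last vif of each interface would get its vif-c policies renamed, leaving `ipv6-route` references that the renamed interface definitions no longer accept. If vif-c nodes only exist beneath vif-s (the separate vif-c include suggests so, but this diff does not show it), the `'vif'` iteration at L1170 performs a harmless dead exists() check; a comment such as `# vif-c nodes only occur under vif-s; the exists() check is a no-op for plain vifs` would keep a reader from wondering.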
diff --git a/src/op_mode/policy_route.py b/src/op_mode/policy_route.py
index e0b4ac514..95a7eadac 100755
--- a/src/op_mode/policy_route.py
+++ b/src/op_mode/policy_route.py
@@ -26,7 +26,7 @@ def get_policy_interfaces(conf, policy, name=None, ipv6=False):
interfaces = conf.get_config_dict(['interfaces'], key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
- routes = ['route', 'ipv6_route']
+ routes = ['route', 'route6']
def parse_if(ifname, if_conf):
if 'policy' in if_conf:
@@ -52,7 +52,7 @@ def get_policy_interfaces(conf, policy, name=None, ipv6=False):
def get_config_policy(conf, name=None, ipv6=False, interfaces=True):
config_path = ['policy']
if name:
- config_path += ['ipv6-route' if ipv6 else 'route', name]
+ config_path += ['route6' if ipv6 else 'route', name]
policy = conf.get_config_dict(config_path, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
@@ -64,7 +64,7 @@ def get_config_policy(conf, name=None, ipv6=False, interfaces=True):
for route_name, route_conf in policy['route'].items():
route_conf['interface'] = []
- if 'ipv6_route' in policy:
+ if 'route6' in policy:
for route_name, route_conf in policy['ipv6_route'].items():
route_conf['interface'] = []
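Review bot: The condition at L1204 was renamed to `'route6' in policy`, but the loop body on the unchanged context line L1205 still reads `policy['ipv6_route']`, which no longer exists after the rename and raises KeyError as soon as any route6 policy is configured. Change it to `for route_name, route_conf in policy['route6'].items():`. get_config_policy continues outside the hunk, so any further `ipv6_route` references there need the same check.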
@@ -151,8 +151,8 @@ def show_policy(ipv6=False):
for route, route_conf in policy['route'].items():
output_policy_route(route, route_conf, ipv6=False)
- if ipv6 and 'ipv6_route' in policy:
- for route, route_conf in policy['ipv6_route'].items():
+ if ipv6 and 'route6' in policy:
+ for route, route_conf in policy['route6'].items():
output_policy_route(route, route_conf, ipv6=True)
def show_policy_name(name, ipv6=False):
--
From df5a862beb84145dfc8434efde7d7fee783199cf Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Thu, 13 Jan 2022 12:58:37 +0100
Subject: firewall: T4178: Use lowercase for TCP flags and add a validator
---
.../include/firewall/common-rule.xml.i | 34 ++++++++++++++++++++--
.../include/policy/route-common-rule-ipv6.xml.i | 34 ++++++++++++++++++++--
.../include/policy/route-common-rule.xml.i | 34 ++++++++++++++++++++--
python/vyos/firewall.py | 7 ++---
src/conf_mode/firewall.py | 3 ++
src/conf_mode/policy-route.py | 10 +++----
src/validators/tcp-flag | 19 ++++++++++++
7 files changed, 126 insertions(+), 15 deletions(-)
create mode 100755 src/validators/tcp-flag
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 92950cc68..6e8203c88 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -274,12 +274,42 @@
TCP flags to match
txt
- TCP flags to match
+ Multiple comma-separated flags
+
+
+ syn
+ Syncronise flag
+
+
+ ack
+ Acknowledge flag
+
+
+ fin
+ Finish flag
+
+
+ rst
+ Reset flag
+
+
+ urg
+ Urgent flag
+
+
+ psh
+ Push flag
- \n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+ \n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+
+ syn ack fin rst urg psh
+
+
+
+
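Review bot: The new validator list at L1269 accepts only the lowercase tokens `syn ack fin rst urg psh`, yet the retained description at L1267 still shows the example `'SYN,!ACK,!FIN,!RST'` in uppercase, so a user copying the help will have the value rejected; lowercase it to `'syn,!ack,!fin,!rst'` (assuming the `!` prefix is accepted by the validator, which is not visible in this diff — if it is not, the example needs to drop the negations too). `Syncronise flag` at L1245 is misspelt; `Synchronise flag`. The same two issues repeat in the hunks ending at L1314 and L1355.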
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index 2d6adcd1d..b8fee4b7b 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -330,12 +330,42 @@
TCP flags to match
txt
- TCP flags to match
+ Multiple comma-separated flags
+
+
+ syn
+ Syncronise flag
+
+
+ ack
+ Acknowledge flag
+
+
+ fin
+ Finish flag
+
+
+ rst
+ Reset flag
+
+
+ urg
+ Urgent flag
+
+
+ psh
+ Push flag
- \n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+ \n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+
+ syn ack fin rst urg psh
+
+
+
+
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index c4deefd2a..17b47474d 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -330,12 +330,42 @@
TCP flags to match
txt
- TCP flags to match
+ Multiple comma-separated flags
+
+
+ syn
+ Syncronise flag
+
+
+ ack
+ Acknowledge flag
+
+
+ fin
+ Finish flag
+
+
+ rst
+ Reset flag
+
+
+ urg
+ Urgent flag
+
+
+ psh
+ Push flag
- \n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+ \n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+
+ syn ack fin rst urg psh
+
+
+
+
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 66dc8bc40..acde9f913 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -171,7 +171,6 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if tcp_flags:
output.append(parse_tcp_flags(tcp_flags))
-
output.append('counter')
if 'set' in rule_conf:
@@ -190,10 +189,10 @@ def parse_tcp_flags(flags):
include = []
for flag in flags.split(","):
if flag[0] == '!':
- flag = flag[1:]
+ flag = flag[1:].lower()
else:
- include.append(flag)
- all_flags.append(flag)
+ include.append(flag.lower())
+ all_flags.append(flag.lower())
return f'tcp flags & ({"|".join(all_flags)}) == {"|".join(include)}'
def parse_time(time):
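Review bot: `.lower()` is applied in both branches and twice on the negated path (`flag[1:].lower()` and then `flag.lower()` again when appending to `all_flags`); normalising once at the top of the loop, `flag = flag.lower()`, and then branching on `flag[0] == '!'` removes the duplication. `flag[0]` raises IndexError on an empty element such as a trailing comma, so the function depends on the tcp-flag validator having rejected such values before the rule is rendered; a one-line comment, `# value has passed the tcp-flag validator: non-empty, known flag names`, would make that reliance visible. The `def parse_tcp_flags` line itself sits outside the hunk.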
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 7b491a325..853470fd8 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -142,6 +142,9 @@ def verify_rule(firewall, rule_conf, ipv6):
if not {'count', 'time'} <= set(rule_conf['recent']):
raise ConfigError('Recent "count" and "time" values must be defined')
+ if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
+ raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
for side in ['destination', 'source']:
if side in rule_conf:
side_conf = rule_conf[side]
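Review bot: The new `ConfigError('Protocol must be tcp when specifying tcp flags')` names neither the ruleset nor the rule number, unlike the messages in policy-route.py that carry `{name} rule {rule_id}`, so with several rulesets the user has to search for the offending rule. verify_rule here only receives `(firewall, rule_conf, ipv6)`, so adding that context means threading the name and rule id through the signature, as the policy-route.py change in this commit starts to do for `name`. verify_rule continues outside the hunk.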
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index c5904309f..30597ef4e 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -76,7 +76,7 @@ def get_config(config=None):
return policy
-def verify_rule(policy, rule_conf, ipv6):
+def verify_rule(policy, name, rule_conf, ipv6):
icmp = 'icmp' if not ipv6 else 'icmpv6'
if icmp in rule_conf:
icmp_defined = False
@@ -93,14 +93,14 @@ def verify_rule(policy, rule_conf, ipv6):
if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp:
raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP')
+
if 'set' in rule_conf:
if 'tcp_mss' in rule_conf['set']:
tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
if not tcp_flags or 'SYN' not in tcp_flags.split(","):
raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
- if 'tcp' in rule_conf:
- if 'flags' in rule_conf['tcp']:
- if 'protocol' not in rule_conf or rule_conf['protocol'] != 'tcp':
+
+ if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
for side in ['destination', 'source']:
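Review bot: The error messages in this hunk interpolate `rule_id`, but the new signature is `verify_rule(policy, name, rule_conf, ipv6)` and the call in verify() at the end of this diff does not pass a rule id, so every error path here raises NameError instead of ConfigError unless `rule_id` happens to be a module global. The fix applied for `name` should be extended the same way: `def verify_rule(policy, name, rule_id, rule_conf, ipv6):` together with `verify_rule(policy, name, rule_id, rule_conf, ipv6)` at the call site. The retained TCP-MSS check `'SYN' not in tcp_flags.split(",")` compares in upper case while the parser now lower-cases input and completion offers `syn`, so a rule configured as `flags syn` is rejected for TCP-MSS; `'syn' not in tcp_flags.lower().split(",")` accepts both spellings. The function continues outside the hunk.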
@@ -138,7 +138,7 @@ def verify(policy):
for name, pol_conf in policy[route].items():
if 'rule' in pol_conf:
for rule_id, rule_conf in pol_conf['rule'].items():
- verify_rule(policy, rule_conf, ipv6)
+ verify_rule(policy, name, rule_conf, ipv6)
for ifname, if_policy in policy['interfaces'].items():
name = dict_search_args(if_policy, 'route')
diff --git a/src/validators/tcp-flag b/src/validators/tcp-flag
new file mode 100755
index 000000000..86ebec189
--- /dev/null
+++ b/src/validators/tcp-flag
@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+if __name__ == '__main__':
+ if len(sys.argv)>1:
+ flags = sys.argv[1].split(",")
+
+ for flag in flags:
+ if flag and flag[0] == '!':
+ flag = flag[1:]
+ if flag.lower() not in ['syn', 'ack', 'rst', 'fin', 'urg', 'psh']:
+ print(f'Error: {flag} is not a valid TCP flag')
+ sys.exit(1)
+ else:
+ sys.exit(2)
+
+ sys.exit(0)
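Review bot: `import re` is never used in the new validator and can be dropped. The accepted list `['syn', 'ack', 'rst', 'fin', 'urg', 'psh']` is a second copy of the names already held in the XML completion list and implicitly in parse_tcp_flags; a module-level constant such as `TCP_FLAGS = ('syn', 'ack', 'rst', 'fin', 'urg', 'psh')` makes a later addition a one-place change. An empty element (`syn,`) reaches the membership test and prints `Error:  is not a valid TCP flag` with a blank name; testing `if not flag` first and reporting an empty entry explicitly gives a clearer message.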
--
cgit v1.2.3
From 64668771d5f14fc4b68fff382d166238c164bdde Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sat, 15 Jan 2022 12:48:48 +0100
Subject: firewall: policy: T4178: Migrate and refactor tcp flags
* Add support for ECN and CWR flags
---
.../include/firewall/common-rule.xml.i | 51 +--------
.../include/firewall/tcp-flags.xml.i | 119 +++++++++++++++++++++
.../include/policy/route-common-rule-ipv6.xml.i | 51 +--------
.../include/policy/route-common-rule.xml.i | 51 +--------
python/vyos/firewall.py | 10 +-
smoketest/configs/dialup-router-medium-vpn | 9 ++
smoketest/scripts/cli/test_firewall.py | 16 +--
smoketest/scripts/cli/test_policy_route.py | 6 +-
src/conf_mode/firewall.py | 12 ++-
src/conf_mode/policy-route.py | 14 ++-
src/migration-scripts/firewall/6-to-7 | 21 ++++
src/migration-scripts/policy/1-to-2 | 19 ++++
src/validators/tcp-flag | 14 ++-
13 files changed, 213 insertions(+), 180 deletions(-)
create mode 100644 interface-definitions/include/firewall/tcp-flags.xml.i
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 6e8203c88..5ffbd639c 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -264,56 +264,7 @@
-
-
- TCP flags to match
-
-
-
-
- TCP flags to match
-
- txt
- Multiple comma-separated flags
-
-
- syn
- Syncronise flag
-
-
- ack
- Acknowledge flag
-
-
- fin
- Finish flag
-
-
- rst
- Reset flag
-
-
- urg
- Urgent flag
-
-
- psh
- Push flag
-
-
-
- \n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
-
-
- syn ack fin rst urg psh
-
-
-
-
-
-
-
-
+#include
Time to match rule
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
new file mode 100644
index 000000000..b99896687
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -0,0 +1,119 @@
+
+
+
+ TCP flags to match
+
+
+
+
+ TCP flags to match
+
+
+
+
+ Synchronise flag
+
+
+
+
+
+ Acknowledge flag
+
+
+
+
+
+ Finish flag
+
+
+
+
+
+ Reset flag
+
+
+
+
+
+ Urgent flag
+
+
+
+
+
+ Push flag
+
+
+
+
+
+ Explicit Congestion Notification flag
+
+
+
+
+
+ Congestion Window Reduced flag
+
+
+
+
+
+ Match flags not set
+
+
+
+
+ Synchronise flag
+
+
+
+
+
+ Acknowledge flag
+
+
+
+
+
+ Finish flag
+
+
+
+
+
+ Reset flag
+
+
+
+
+
+ Urgent flag
+
+
+
+
+
+ Push flag
+
+
+
+
+
+ Explicit Congestion Notification flag
+
+
+
+
+
+ Congestion Window Reduced flag
+
+
+
+
+
+
+
+
+
+
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index b8fee4b7b..735edbd48 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -320,56 +320,7 @@
-
-
- TCP flags to match
-
-
-
-
- TCP flags to match
-
- txt
- Multiple comma-separated flags
-
-
- syn
- Syncronise flag
-
-
- ack
- Acknowledge flag
-
-
- fin
- Finish flag
-
-
- rst
- Reset flag
-
-
- urg
- Urgent flag
-
-
- psh
- Push flag
-
-
-
- \n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
-
-
- syn ack fin rst urg psh
-
-
-
-
-
-
-
-
+#include
Time to match rule
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index 17b47474d..4452f78fc 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -320,56 +320,7 @@
-
-
- TCP flags to match
-
-
-
-
- TCP flags to match
-
- txt
- Multiple comma-separated flags
-
-
- syn
- Syncronise flag
-
-
- ack
- Acknowledge flag
-
-
- fin
- Finish flag
-
-
- rst
- Reset flag
-
-
- urg
- Urgent flag
-
-
- psh
- Push flag
-
-
-
- \n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
-
-
- syn ack fin rst urg psh
-
-
-
-
-
-
-
-
+#include
Time to match rule
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index acde9f913..ad84393df 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -185,14 +185,8 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
return " ".join(output)
def parse_tcp_flags(flags):
- all_flags = []
- include = []
- for flag in flags.split(","):
- if flag[0] == '!':
- flag = flag[1:].lower()
- else:
- include.append(flag.lower())
- all_flags.append(flag.lower())
+ include = [flag for flag in flags if flag != 'not']
+ all_flags = include + [flag for flag in flags['not']] if 'not' in flags else []
return f'tcp flags & ({"|".join(all_flags)}) == {"|".join(include)}'
def parse_time(time):
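Review bot: The conditional expression on the last added line binds looser than `+`, so it parses as `(include + [...]) if 'not' in flags else []`; a rule with only positive flags (the `flags syn` case) yields `all_flags == []` and the rendered match becomes `tcp flags & () == syn`, which nft will not load. `all_flags = include + list(flags.get('not', []))` gives the intended value in both cases. The mirror case, flags configured only under `not`, leaves `include` empty and the right-hand side of `==` blank; that configuration should be rejected in verify_rule or rendered with an explicit zero on the right-hand side, whichever the nft grammar in use accepts. `def parse_tcp_flags` is the hunk's first line and the function ends at the `return`.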
diff --git a/smoketest/configs/dialup-router-medium-vpn b/smoketest/configs/dialup-router-medium-vpn
index 7ca540b66..63d955738 100644
--- a/smoketest/configs/dialup-router-medium-vpn
+++ b/smoketest/configs/dialup-router-medium-vpn
@@ -6,6 +6,15 @@ firewall {
ipv6-src-route disable
ip-src-route disable
log-martians enable
+ name test_tcp_flags {
+ rule 1 {
+ action drop
+ protocol tcp
+ tcp {
+ flags SYN,ACK,!RST,!FIN
+ }
+ }
+ }
options {
interface vtun0 {
adjust-mss 1380
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 2b3b354ba..c70743a9f 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -53,7 +53,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
@@ -61,7 +61,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['iifname "eth0"', 'jump smoketest'],
- ['ip saddr { 172.16.99.0/24 }', 'ip daddr 172.16.10.10', 'tcp dport { 53, 123 }', 'return'],
+ ['ip saddr { 172.16.99.0/24 }', 'ip daddr 172.16.10.10', 'th dport { 53, 123 }', 'return'],
]
nftables_output = cmd('sudo nft list table ip filter')
@@ -72,7 +72,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
if all(item in line for item in search):
matched = True
break
- self.assertTrue(matched)
+ self.assertTrue(matched, msg=search)
def test_basic_rules(self):
self.cli_set(['firewall', 'name', 'smoketest', 'default-action', 'drop'])
@@ -80,8 +80,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'address', '172.16.20.10'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'protocol', 'tcp'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'destination', 'port', '8888'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
@@ -90,7 +92,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['iifname "eth0"', 'jump smoketest'],
['saddr 172.16.20.10', 'daddr 172.16.10.10', 'return'],
- ['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'reject'],
+ ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'reject'],
['smoketest default-action', 'drop']
]
@@ -102,7 +104,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
if all(item in line for item in search):
matched = True
break
- self.assertTrue(matched)
+ self.assertTrue(matched, msg=search)
def test_basic_rules_ipv6(self):
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'default-action', 'drop'])
@@ -132,7 +134,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
if all(item in line for item in search):
matched = True
break
- self.assertTrue(matched)
+ self.assertTrue(matched, msg=search)
def test_state_policy(self):
self.cli_set(['firewall', 'state-policy', 'established', 'action', 'accept'])
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 4463a2255..9035f0832 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -63,8 +63,10 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.assertTrue(matched)
def test_pbr_table(self):
- self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'port', '8888'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'tcp', 'flags', 'syn'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'tcp', 'flags', 'not', 'ack'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'table', table_id])
self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'protocol', 'tcp_udp'])
self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'destination', 'port', '8888'])
@@ -81,7 +83,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['iifname "eth0"', 'jump VYOS_PBR_smoketest'],
- ['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'meta mark set ' + mark_hex]
+ ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'meta mark set ' + mark_hex]
]
nftables_output = cmd('sudo nft list table ip mangle')
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 853470fd8..906d477b0 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -142,8 +142,16 @@ def verify_rule(firewall, rule_conf, ipv6):
if not {'count', 'time'} <= set(rule_conf['recent']):
raise ConfigError('Recent "count" and "time" values must be defined')
- if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
- raise ConfigError('Protocol must be tcp when specifying tcp flags')
+ tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+ if tcp_flags:
+ if dict_search_args(rule_conf, 'protocol') != 'tcp':
+ raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+ not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not')
+ if not_flags:
+ duplicates = [flag for flag in tcp_flags if flag in not_flags]
+ if duplicates:
+ raise ConfigError(f'Cannot match a tcp flag as set and not set')
for side in ['destination', 'source']:
if side in rule_conf:
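Review bot: The duplicate check raises `f'Cannot match a tcp flag as set and not set'`, an f-string with no placeholders that also discards the `duplicates` list it just built; `raise ConfigError(f'Cannot match tcp flag(s) {", ".join(duplicates)} as both set and not set')` tells the user which flag to fix. The same block is copied into policy-route.py in this commit, and in both copies `tcp_flags` is iterated including its `not` key, which is harmless only while no flag is ever named `not`; a shared helper in python/vyos/firewall.py would keep the two checks from drifting. verify_rule continues outside the hunk.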
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index 30597ef4e..eb13788dd 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -97,11 +97,19 @@ def verify_rule(policy, name, rule_conf, ipv6):
if 'set' in rule_conf:
if 'tcp_mss' in rule_conf['set']:
tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
- if not tcp_flags or 'SYN' not in tcp_flags.split(","):
+ if not tcp_flags or 'syn' not in tcp_flags:
raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
- if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
- raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
+ tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+ if tcp_flags:
+ if dict_search_args(rule_conf, 'protocol') != 'tcp':
+ raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+ not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not')
+ if not_flags:
+ duplicates = [flag for flag in tcp_flags if flag in not_flags]
+ if duplicates:
+ raise ConfigError(f'Cannot match a tcp flag as set and not set')
for side in ['destination', 'source']:
if side in rule_conf:
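Review bot: The replacement protocol check drops the `{name} rule {rule_id}` prefix that the removed message and the TCP-MSS message a few lines above still carry, so this function now mixes both styles; `raise ConfigError(f'{name} rule {rule_id}: Protocol must be tcp when specifying tcp flags')` keeps the context. `rule_id` is still not a parameter of `verify_rule(policy, name, rule_conf, ipv6)`, so the messages that use it raise NameError on the error path unless it is defined at module level; adding it to the signature and to the call in verify() fixes all of them at once. The duplicate-flag check mirrors the firewall.py hunk and has the same placeholder-less f-string. verify_rule continues outside the hunk.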
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index 4a4097d56..bc0b19325 100755
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -17,6 +17,7 @@
# T2199: Remove unavailable nodes due to XML/Python implementation using nftables
# monthdays: nftables does not have a monthdays equivalent
# utc: nftables userspace uses localtime and calculates the UTC offset automatically
+# T4178: Update tcp flags to use multi value node
from sys import argv
from sys import exit
@@ -45,6 +46,7 @@ if config.exists(base + ['name']):
if config.exists(base + ['name', name, 'rule']):
for rule in config.list_nodes(base + ['name', name, 'rule']):
rule_time = base + ['name', name, 'rule', rule, 'time']
+ rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags']
if config.exists(rule_time + ['monthdays']):
config.delete(rule_time + ['monthdays'])
@@ -52,11 +54,21 @@ if config.exists(base + ['name']):
if config.exists(rule_time + ['utc']):
config.delete(rule_time + ['utc'])
+ if config.exists(rule_tcp_flags):
+ tmp = config.return_value(rule_tcp_flags)
+ config.delete(rule_tcp_flags)
+ for flag in tmp.split(","):
+ if flag[0] == '!':
+ config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+ else:
+ config.set(rule_tcp_flags + [flag.lower()])
+
if config.exists(base + ['ipv6-name']):
for name in config.list_nodes(base + ['ipv6-name']):
if config.exists(base + ['ipv6-name', name, 'rule']):
for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
rule_time = base + ['ipv6-name', name, 'rule', rule, 'time']
+ rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags']
if config.exists(rule_time + ['monthdays']):
config.delete(rule_time + ['monthdays'])
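Review bot: `flag[0]` raises IndexError when the old comma-separated value contains an empty element (a trailing comma or `SYN,,ACK`), and a space after a comma is written through as `' ack'`, a value the new node does not define, so the migration either aborts or leaves a config that no longer loads. Trimming and skipping empty entries before the branch avoids both, and the same loop is repeated for `ipv6-name` in the next hunk and again in policy/1-to-2, so a small shared helper would keep the three copies identical. The earlier help text listed `ALL` as a legal value; if any saved config carries it, this loop writes `flags all`, which the new schema does not define, and that case needs an explicit decision (drop with a warning, or expand to the individual flags).
```python
for flag in tmp.split(","):
    flag = flag.strip().lower()
    if not flag:
        continue
    if flag[0] == '!':
        config.set(rule_tcp_flags + ['not', flag[1:]])
    else:
        config.set(rule_tcp_flags + [flag])
```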
@@ -64,6 +76,15 @@ if config.exists(base + ['ipv6-name']):
if config.exists(rule_time + ['utc']):
config.delete(rule_time + ['utc'])
+ if config.exists(rule_tcp_flags):
+ tmp = config.return_value(rule_tcp_flags)
+ config.delete(rule_tcp_flags)
+ for flag in tmp.split(","):
+ if flag[0] == '!':
+ config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+ else:
+ config.set(rule_tcp_flags + [flag.lower()])
+
try:
with open(file_name, 'w') as f:
f.write(config.to_string())
diff --git a/src/migration-scripts/policy/1-to-2 b/src/migration-scripts/policy/1-to-2
index 7ffceef22..eebbf9d41 100755
--- a/src/migration-scripts/policy/1-to-2
+++ b/src/migration-scripts/policy/1-to-2
@@ -16,6 +16,7 @@
# T4170: rename "policy ipv6-route" to "policy route6" to match common
# IPv4/IPv6 schema
+# T4178: Update tcp flags to use multi value node
from sys import argv
from sys import exit
@@ -41,6 +42,24 @@ if not config.exists(base):
config.rename(base, 'route6')
config.set_tag(['policy', 'route6'])
+for route in ['route', 'route6']:
+ route_path = ['policy', route]
+ if config.exists(route_path):
+ for name in config.list_nodes(route_path):
+ if config.exists(route_path + [name, 'rule']):
+ for rule in config.list_nodes(route_path + [name, 'rule']):
+ rule_tcp_flags = route_path + [name, 'rule', rule, 'tcp', 'flags']
+
+ if config.exists(rule_tcp_flags):
+ tmp = config.return_value(rule_tcp_flags)
+ config.delete(rule_tcp_flags)
+ for flag in tmp.split(","):
+ for flag in tmp.split(","):
+ if flag[0] == '!':
+ config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+ else:
+ config.set(rule_tcp_flags + [flag.lower()])
+
if config.exists(['interfaces']):
def if_policy_rename(config, path):
if config.exists(path + ['policy', 'ipv6-route']):
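Review bot: The line `for flag in tmp.split(","):` appears twice in a row, so the inner loop rebinds `flag` and walks the full list once for every element of the outer loop; the outcome is right only because `config.set` is idempotent, and the duplicate line should be removed. As in the firewall/6-to-7 migration, empty or space-padded elements from the old free-text value should be trimmed and skipped before `flag[0]` is read, otherwise the script raises IndexError or writes a flag name the new schema does not define.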
diff --git a/src/validators/tcp-flag b/src/validators/tcp-flag
index 86ebec189..1496b904a 100755
--- a/src/validators/tcp-flag
+++ b/src/validators/tcp-flag
@@ -5,14 +5,12 @@ import re
if __name__ == '__main__':
if len(sys.argv)>1:
- flags = sys.argv[1].split(",")
-
- for flag in flags:
- if flag and flag[0] == '!':
- flag = flag[1:]
- if flag.lower() not in ['syn', 'ack', 'rst', 'fin', 'urg', 'psh']:
- print(f'Error: {flag} is not a valid TCP flag')
- sys.exit(1)
+ flag = sys.argv[1]
+ if flag and flag[0] == '!':
+ flag = flag[1:]
+ if flag not in ['syn', 'ack', 'rst', 'fin', 'urg', 'psh', 'ecn', 'cwr']:
+ print(f'Error: {flag} is not a valid TCP flag')
+ sys.exit(1)
else:
sys.exit(2)
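Review bot: The validator still strips a leading `!` before the membership test, but with this commit negation is expressed through the `not` node and the validator receives a single flag name, so the `!` branch looks dead and would quietly accept `!syn` as a value; if that is not intended, `if flag not in [...]` on the raw argument is enough. `import re` on the context line at the top of the hunk remains unused. The accepted list is now the third copy of the flag names in this tree (XML include, parser, validator), and `ecn`/`cwr` had to be added here by hand; one shared constant would remove that step.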
--
cgit v1.2.3
From 0a5a78621b2b28f06af1f40c10ee8bb880f860a0 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 18 Jan 2022 15:29:03 +0100
Subject: firewall: T3560: Add support for MAC address groups
---
data/templates/firewall/nftables-defines.tmpl | 5 ++++
interface-definitions/firewall.xml.in | 21 +++++++++++++++++
.../include/firewall/common-rule.xml.i | 3 +++
.../include/firewall/mac-group.xml.i | 10 ++++++++
.../firewall/source-destination-group-ipv6.xml.i | 1 +
.../firewall/source-destination-group.xml.i | 1 +
.../include/policy/route-common-rule-ipv6.xml.i | 3 +++
.../include/policy/route-common-rule.xml.i | 3 +++
python/vyos/firewall.py | 3 +++
smoketest/scripts/cli/test_firewall.py | 4 ++++
src/op_mode/firewall.py | 2 ++
src/validators/mac-address-firewall | 27 ++++++++++++++++++++++
12 files changed, 83 insertions(+)
create mode 100644 interface-definitions/include/firewall/mac-group.xml.i
create mode 100755 src/validators/mac-address-firewall
diff --git a/data/templates/firewall/nftables-defines.tmpl b/data/templates/firewall/nftables-defines.tmpl
index 3578a9dc5..d9eb7c199 100644
--- a/data/templates/firewall/nftables-defines.tmpl
+++ b/data/templates/firewall/nftables-defines.tmpl
@@ -9,6 +9,11 @@ define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
{% endfor %}
{% endif %}
+{% if group.mac_group is defined %}
+{% for group_name, group_conf in group.mac_group.items() %}
+define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
+{% endfor %}
+{% endif %}
{% if group.network_group is defined %}
{% for group_name, group_conf in group.network_group.items() %}
define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index fd98ae138..987ccaca6 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -144,6 +144,27 @@
+
+
+ Firewall mac-group
+
+
+ #include
+
+
+ Mac-group member
+
+ <MAC address>
+ MAC address to match
+
+
+
+
+
+
+
+
+
Firewall network-group
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 5ffbd639c..521fe54f2 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -176,6 +176,9 @@
!<MAC address>
Match everything except the specified MAC address
+
+
+
#include
diff --git a/interface-definitions/include/firewall/mac-group.xml.i b/interface-definitions/include/firewall/mac-group.xml.i
new file mode 100644
index 000000000..dbce3fc88
--- /dev/null
+++ b/interface-definitions/include/firewall/mac-group.xml.i
@@ -0,0 +1,10 @@
+
+
+
+ Group of MAC addresses
+
+ firewall group mac-group
+
+
+
+
\ No newline at end of file
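Review bot: The new include file ends without a trailing newline (`\ No newline at end of file`), while the other `.xml.i` files touched by this commit end with one; the missing final newline produces a spurious changed line the next time the file is edited.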
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
index 7815b78d4..c2cc7edb3 100644
--- a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
@@ -12,6 +12,7 @@
+ #include
Group of networks
diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i
index 9a9bed0fe..ab11e89e9 100644
--- a/interface-definitions/include/firewall/source-destination-group.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group.xml.i
@@ -12,6 +12,7 @@
+ #include
Group of networks
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index 735edbd48..406125e55 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -232,6 +232,9 @@
!<MAC address>
Match everything except the specified MAC address
+
+
+
#include
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index 4452f78fc..33c4ba77c 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -232,6 +232,9 @@
!<MAC address>
Match everything except the specified MAC address
+
+
+
#include
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index ad84393df..2ab78ff18 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -108,6 +108,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
elif 'network_group' in group:
group_name = group['network_group']
output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}')
+ if 'mac_group' in group:
+ group_name = group['mac_group']
+ output.append(f'ether {prefix}addr $M_{group_name}')
if 'port_group' in group:
proto = rule_conf['protocol']
group_name = group['port_group']
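Review bot: The new `mac_group` branch is an `if` where the preceding `address_group`/`network_group` branches are `elif`, so it reads as though a MAC group may be combined with one of them under the same `group` node; if that is allowed, a short comment saying so settles the question, and if not, `elif 'mac_group' in group:` keeps the chain consistent. `$M_{group_name}` refers to a define that only exists when a group of that name is configured; unless verify() (outside this hunk) checks that the referenced group exists, a typo in the name surfaces as an nft load failure instead of a ConfigError. parse_rule continues outside the hunk.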
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index c70743a9f..6b74e6c92 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -46,6 +46,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
def test_groups(self):
+ self.cli_set(['firewall', 'group', 'mac-group', 'smoketest_mac', 'mac-address', '00:01:02:03:04:05'])
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network', 'network', '172.16.99.0/24'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '123'])
@@ -54,6 +55,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
@@ -62,6 +65,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['iifname "eth0"', 'jump smoketest'],
['ip saddr { 172.16.99.0/24 }', 'ip daddr 172.16.10.10', 'th dport { 53, 123 }', 'return'],
+ ['ether saddr { 00:01:02:03:04:05 }', 'return']
]
nftables_output = cmd('sudo nft list table ip filter')
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 030a9b19a..b6bb5b802 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -272,6 +272,8 @@ def show_firewall_group(name=None):
row.append("\n".join(sorted(group_conf['address'], key=ipaddress.ip_address)))
elif 'network' in group_conf:
row.append("\n".join(sorted(group_conf['network'], key=ipaddress.ip_network)))
+ elif 'mac_address' in group_conf:
+ row.append("\n".join(sorted(group_conf['mac_address'])))
elif 'port' in group_conf:
row.append("\n".join(sorted(group_conf['port'])))
else:
diff --git a/src/validators/mac-address-firewall b/src/validators/mac-address-firewall
new file mode 100755
index 000000000..70551f86d
--- /dev/null
+++ b/src/validators/mac-address-firewall
@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018-2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import re
+import sys
+
+pattern = "^!?([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$"
+
+if __name__ == '__main__':
+ if len(sys.argv) != 2:
+ sys.exit(1)
+ if not re.match(pattern, sys.argv[1]):
+ sys.exit(1)
+ sys.exit(0)
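Review bot: `re.match` with a `$` anchor accepts a trailing newline, so `00:11:22:33:44:55\n` passes this validator; `if not re.fullmatch(pattern, sys.argv[1]):` anchors the whole argument. The pattern also admits a leading `!`, which suits the rule-level `mac-address` match whose help text documents negation, but if the same validator guards the `mac-group` member node, a negated member is written verbatim into the `define M_...` set in nftables-defines.tmpl and the ruleset fails to load; the group node should use a stricter pattern or be checked in verify. Writing the pattern as a raw string, `r"^!?([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$"`, follows the usual regex convention even though no escape is affected here.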
--
cgit v1.2.3
From c31f085b5d87847320a239580f1fe3f1478541c0 Mon Sep 17 00:00:00 2001
From: fett0
Date: Wed, 19 Jan 2022 16:02:15 +0000
Subject: OSPF : T4195: ability to set maximum paths for OSPF
---
data/templates/frr/ospfd.frr.tmpl | 3 +++
.../include/ospf/protocol-common-config.xml.i | 12 ++++++++++++
2 files changed, 15 insertions(+)
diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl
index af66baf53..a6618b6af 100644
--- a/data/templates/frr/ospfd.frr.tmpl
+++ b/data/templates/frr/ospfd.frr.tmpl
@@ -126,6 +126,9 @@ router ospf {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% if default_metric is defined and default_metric is not none %}
default-metric {{ default_metric }}
{% endif %}
+{% if maximum_paths is defined and maximum_paths is not none %}
+ maximum-paths {{ maximum_paths }}
+{% endif %}
{% if distance is defined and distance is not none %}
{% if distance.global is defined and distance.global is not none %}
distance {{ distance.global }}
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i
index 688e78034..e783f4bec 100644
--- a/interface-definitions/include/ospf/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospf/protocol-common-config.xml.i
@@ -289,6 +289,18 @@
+
+
+ Maximum multiple paths (ECMP)
+
+ u32:1-64
+ Maximum multiple paths (ECMP)
+
+
+
+
+
+
Administrative distance
--
From 3e4f2f577746608de6944d18d2b827811c81f70c Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Sun, 16 Jan 2022 15:13:22 +0000
Subject: Firewall: T4186: Correct icmp type-name options for firewall rules
---
.../include/firewall/icmp-type-name.xml.i | 142 +++------------------
1 file changed, 21 insertions(+), 121 deletions(-)
diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i
index b45fb619b..585b387e2 100644
--- a/interface-definitions/include/firewall/icmp-type-name.xml.i
+++ b/interface-definitions/include/firewall/icmp-type-name.xml.i
@@ -3,170 +3,70 @@
ICMP type-name
- any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply
+ echo-reply destination-unreachable source-quench redirect echo-request router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply info-request info-reply address-mask-request address-mask-reply
-
- any
- Any ICMP type/code
-
echo-reply
- ICMP type/code name
-
-
- pong
- ICMP type/code name
+ ICMP type 0: echo-reply
destination-unreachable
- ICMP type/code name
-
-
- network-unreachable
- ICMP type/code name
-
-
- host-unreachable
- ICMP type/code name
-
-
- protocol-unreachable
- ICMP type/code name
-
-
- port-unreachable
- ICMP type/code name
-
-
- fragmentation-needed
- ICMP type/code name
-
-
- source-route-failed
- ICMP type/code name
-
-
- network-unknown
- ICMP type/code name
-
-
- host-unknown
- ICMP type/code name
-
-
- network-prohibited
- ICMP type/code name
-
-
- host-prohibited
- ICMP type/code name
-
-
- TOS-network-unreachable
- ICMP type/code name
-
-
- TOS-host-unreachable
- ICMP type/code name
-
-
- communication-prohibited
- ICMP type/code name
-
-
- host-precedence-violation
- ICMP type/code name
-
-
- precedence-cutoff
- ICMP type/code name
+ ICMP type 3: destination-unreachable
source-quench
- ICMP type/code name
+ ICMP type 4: source-quench
redirect
- ICMP type/code name
-
-
- network-redirect
- ICMP type/code name
-
-
- host-redirect
- ICMP type/code name
-
-
- TOS-network-redirect
- ICMP type/code name
-
-
- TOS host-redirect
- ICMP type/code name
+ ICMP type 5: redirect
echo-request
- ICMP type/code name
-
-
- ping
- ICMP type/code name
+ ICMP type 8: echo-request
router-advertisement
- ICMP type/code name
+ ICMP type 9: router-advertisement
router-solicitation
- ICMP type/code name
+ ICMP type 10: router-solicitation
time-exceeded
- ICMP type/code name
-
-
- ttl-exceeded
- ICMP type/code name
-
-
- ttl-zero-during-transit
- ICMP type/code name
-
-
- ttl-zero-during-reassembly
- ICMP type/code name
+ ICMP type 11: time-exceeded
parameter-problem
- ICMP type/code name
+ ICMP type 12: parameter-problem
- ip-header-bad
- ICMP type/code name
+ timestamp-request
+ ICMP type 13: timestamp-request
- required-option-missing
- ICMP type/code name
+ timestamp-reply
+ ICMP type 14: timestamp-reply
- timestamp-request
- ICMP type/code name
+ info-request
+ ICMP type 15: info-request
- timestamp-reply
- ICMP type/code name
+ info-reply
+ ICMP type 16: info-reply
address-mask-request
- ICMP type/code name
+ ICMP type 17: address-mask-request
address-mask-reply
- ICMP type/code name
+ ICMP type 18: address-mask-replye
- ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$
+ ^(echo-reply|destination-unreachable|source-quench|redirect|echo-request|router-advertisement|router-solicitation|time-exceeded|parameter-problem|timestamp-request|timestamp-reply|info-request|info-reply|address-mask-request|address-mask-reply)$
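Review bot: The new regex at the end of the hunk no longer accepts `any`, `ping`, `pong`, `ttl-exceeded` and the other code-level names the old list allowed, and the diffstat shows only this include file changing, so an existing configuration that uses one of those values will fail validation on the next load unless a migration script lands separately. The firewall.xml.in hunk in the later ICMPv6 commit (T4186, icmpv6 corrections) removes the same names for ICMPv6 rules and has the same gap. Either keep the dropped names as aliases in the list and regex, or add a firewall migration that rewrites the aliases (`pong` to `echo-reply`, `ping` to `echo-request`) and removes `any`, which is now the default when no type-name is set.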
--
From d0cfd9758bab25c14a4389488f1f8dcef01ecd45 Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Sun, 16 Jan 2022 15:35:23 +0000
Subject: Firewall: T4186: typo correction on address-mask-reply description
---
interface-definitions/include/firewall/icmp-type-name.xml.i | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i
index 585b387e2..f57def3e1 100644
--- a/interface-definitions/include/firewall/icmp-type-name.xml.i
+++ b/interface-definitions/include/firewall/icmp-type-name.xml.i
@@ -63,7 +63,7 @@
address-mask-reply
- ICMP type 18: address-mask-replye
+ ICMP type 18: address-mask-reply
^(echo-reply|destination-unreachable|source-quench|redirect|echo-request|router-advertisement|router-solicitation|time-exceeded|parameter-problem|timestamp-request|timestamp-reply|info-request|info-reply|address-mask-request|address-mask-reply)$
--
From 3e55af0ccdf01a7707bd81d7b329f57848e6cd2f Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Fri, 21 Jan 2022 16:58:50 +0000
Subject: Firewall: T4186: Adding icmpv6 corrections, in corcondancy of what
was done for icmp
---
interface-definitions/firewall.xml.in | 181 ++-------------------
.../include/firewall/icmpv6-type-name.xml.i | 73 +++++++++
2 files changed, 88 insertions(+), 166 deletions(-)
create mode 100644 interface-definitions/include/firewall/icmpv6-type-name.xml.i
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 987ccaca6..f38bcfd9c 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -329,182 +329,31 @@
ICMPv6 type and code information
-
+
- ICMP type-name
-
- any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply packet-too-big
-
-
- any
- Any ICMP type/code
-
-
- echo-reply
- ICMP type/code name
-
-
- pong
- ICMP type/code name
-
-
- destination-unreachable
- ICMP type/code name
-
-
- network-unreachable
- ICMP type/code name
-
+ ICMPv6 code (0-255)
- host-unreachable
- ICMP type/code name
-
-
- protocol-unreachable
- ICMP type/code name
-
-
- port-unreachable
- ICMP type/code name
-
-
- fragmentation-needed
- ICMP type/code name
-
-
- source-route-failed
- ICMP type/code name
-
-
- network-unknown
- ICMP type/code name
-
-
- host-unknown
- ICMP type/code name
-
-
- network-prohibited
- ICMP type/code name
-
-
- host-prohibited
- ICMP type/code name
-
-
- TOS-network-unreachable
- ICMP type/code name
-
-
- TOS-host-unreachable
- ICMP type/code name
-
-
- communication-prohibited
- ICMP type/code name
-
-
- host-precedence-violation
- ICMP type/code name
-
-
- precedence-cutoff
- ICMP type/code name
-
-
- source-quench
- ICMP type/code name
-
-
- redirect
- ICMP type/code name
-
-
- network-redirect
- ICMP type/code name
-
-
- host-redirect
- ICMP type/code name
-
-
- TOS-network-redirect
- ICMP type/code name
-
-
- TOS host-redirect
- ICMP type/code name
-
-
- echo-request
- ICMP type/code name
-
-
- ping
- ICMP type/code name
-
-
- router-advertisement
- ICMP type/code name
-
-
- router-solicitation
- ICMP type/code name
-
-
- time-exceeded
- ICMP type/code name
-
-
- ttl-exceeded
- ICMP type/code name
-
-
- ttl-zero-during-transit
- ICMP type/code name
-
-
- ttl-zero-during-reassembly
- ICMP type/code name
-
-
- parameter-problem
- ICMP type/code name
-
-
- ip-header-bad
- ICMP type/code name
-
-
- required-option-missing
- ICMP type/code name
-
-
- timestamp-request
- ICMP type/code name
-
-
- timestamp-reply
- ICMP type/code name
-
-
- address-mask-request
- ICMP type/code name
-
-
- address-mask-reply
- ICMP type/code name
+ u32:0-255
+ ICMPv6 code (0-255)
+
+
+
+
+
+
+
+ ICMPv6 type (0-255)
- packet-too-big
- ICMP type/code name
+ u32:0-255
+ ICMPv6 type (0-255)
- ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)$
+ #include
diff --git a/interface-definitions/include/firewall/icmpv6-type-name.xml.i b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
new file mode 100644
index 000000000..b13cf02c4
--- /dev/null
+++ b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
@@ -0,0 +1,73 @@
+
+
+
+ ICMPv6 type-name
+
+ destination-unreachable packet-too-big time-exceeded echo-request echo-reply mld-listener-query mld-listener-report mld-listener-reduction nd-router-solicit nd-router-advert nd-neighbor-solicit nd-neighbor-advert nd-redirect parameter-problem router-renumbering
+
+
+ destination-unreachable
+ ICMPv6 type 1: destination-unreachable
+
+
+ packet-too-big
+ ICMPv6 type 2: packet-too-big
+
+
+ time-exceeded
+ ICMPv6 type 3: time-exceeded
+
+
+ echo-request
+ ICMPv6 type 128: echo-request
+
+
+ echo-reply
+ ICMPv6 type 129: echo-reply
+
+
+ mld-listener-query
+ ICMPv6 type 130: mld-listener-query
+
+
+ mld-listener-report
+ ICMPv6 type 131: mld-listener-report
+
+
+ mld-listener-reduction
+ ICMPv6 type 132: mld-listener-reduction
+
+
+ nd-router-solicit
+ ICMPv6 type 133: nd-router-solicit
+
+
+ nd-router-advert
+ ICMPv6 type 134: nd-router-advert
+
+
+ nd-neighbor-solicit
+ ICMPv6 type 135: nd-neighbor-solicit
+
+
+ nd-neighbor-advert
+ ICMPv6 type 136: nd-neighbor-advert
+
+
+ nd-redirect
+ ICMPv6 type 137: nd-redirect
+
+
+ parameter-problem
+ ICMPv6 type 4: parameter-problem
+
+
+ router-renumbering
+ ICMPv6 type 138: router-renumbering
+
+
+ ^(destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering)$
+
+
+
+
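Review bot: The entries are listed in ascending ICMPv6 type order except `parameter-problem` (type 4), which appears after `nd-redirect` (type 137). Move it directly after `time-exceeded` (type 3) and apply the same order in the completion list at the top of the hunk and in the regex at the bottom, so the three places stay in sync and a reader comparing against the ICMP include sees the same layout.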
--
From 1d65ce9558b7c814295474a7cdf648866b612ff6 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Tue, 25 Jan 2022 19:09:08 +0000
Subject: nat: T4138: Add port-range validation for NAT
Add port validators for NAT rules that prevent setting incorrect
port ranges (21-5) and invalid ports (70000)
---
interface-definitions/include/nat-port.xml.i | 7 +++++++
interface-definitions/include/nat-translation-port.xml.i | 3 +++
2 files changed, 10 insertions(+)
diff --git a/interface-definitions/include/nat-port.xml.i b/interface-definitions/include/nat-port.xml.i
index 7aabc33c3..5f762cfb3 100644
--- a/interface-definitions/include/nat-port.xml.i
+++ b/interface-definitions/include/nat-port.xml.i
@@ -2,6 +2,10 @@
Port number
+
+ txt
+ Named port (any name in /etc/services, e.g., http)
+
u32:1-65535
Numeric IP port
@@ -14,6 +18,9 @@
\n\nMultiple destination ports can be specified as a comma-separated list.\nThe whole list can also be negated using '!'.\nFor example: '!22,telnet,http,123,1001-1005'
+
+
+
diff --git a/interface-definitions/include/nat-translation-port.xml.i b/interface-definitions/include/nat-translation-port.xml.i
index 6e507353c..6f17df3d9 100644
--- a/interface-definitions/include/nat-translation-port.xml.i
+++ b/interface-definitions/include/nat-translation-port.xml.i
@@ -10,6 +10,9 @@
range
Numbered port range (e.g., 1001-1005)
+
+
+
--
From c6c562eca6ff469f603697f7f1d9319b2a5504a3 Mon Sep 17 00:00:00 2001
From: Henning Surmeier
Date: Fri, 28 Jan 2022 23:55:06 +0100
Subject: policy: T4219: add local-route(6) incoming-interface
---
.../include/interface/inbound-interface.xml.i | 10 ++++
interface-definitions/policy-local-route.xml.in | 2 +
smoketest/scripts/cli/test_policy.py | 53 +++++++++++++++++++++-
src/conf_mode/policy-local-route.py | 34 ++++++++++++--
4 files changed, 94 insertions(+), 5 deletions(-)
create mode 100644 interface-definitions/include/interface/inbound-interface.xml.i
diff --git a/interface-definitions/include/interface/inbound-interface.xml.i b/interface-definitions/include/interface/inbound-interface.xml.i
new file mode 100644
index 000000000..5a8d47280
--- /dev/null
+++ b/interface-definitions/include/interface/inbound-interface.xml.i
@@ -0,0 +1,10 @@
+
+
+
+ Inbound Interface
+
+
+
+
+
+
diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy-local-route.xml.in
index 11b1e04d9..573a7963f 100644
--- a/interface-definitions/policy-local-route.xml.in
+++ b/interface-definitions/policy-local-route.xml.in
@@ -88,6 +88,7 @@
+ #include
@@ -177,6 +178,7 @@
+ #include
diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py
index 73d93c986..491f1766d 100755
--- a/smoketest/scripts/cli/test_policy.py
+++ b/smoketest/scripts/cli/test_policy.py
@@ -1206,6 +1206,32 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
self.assertEqual(sort_ip(tmp), sort_ip(original))
+ # Test set table for sources with iif
+ def test_iif_sources_table_id(self):
+ path = base_path + ['local-route']
+
+ sources = ['203.0.113.11', '203.0.113.12']
+ iif = 'lo'
+ rule = '100'
+ table = '150'
+
+ self.cli_set(path + ['rule', rule, 'set', 'table', table])
+ self.cli_set(path + ['rule', rule, 'inbound-interface', iif])
+ for src in sources:
+ self.cli_set(path + ['rule', rule, 'source', src])
+
+ self.cli_commit()
+
+ # Check generated configuration
+ # Expected values
+ original = """
+ 100: from 203.0.113.11 iif lo lookup 150
+ 100: from 203.0.113.12 iif lo lookup 150
+ """
+ tmp = cmd('ip rule show prio 100')
+
+ self.assertEqual(sort_ip(tmp), sort_ip(original))
+
# Test set table for sources and destinations with fwmark
def test_fwmark_sources_destination_table_id(self):
path = base_path + ['local-route']
@@ -1318,6 +1344,31 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
self.assertEqual(sort_ip(tmp), sort_ip(original))
+ # Test set table for sources with iif ipv6
+ def test_iif_sources_ipv6_table_id(self):
+ path = base_path + ['local-route6']
+
+ sources = ['2001:db8:1338::/126', '2001:db8:1339::/126']
+ iif = 'lo'
+ rule = '102'
+ table = '150'
+ for src in sources:
+ self.cli_set(path + ['rule', rule, 'set', 'table', table])
+ self.cli_set(path + ['rule', rule, 'source', src])
+ self.cli_set(path + ['rule', rule, 'inbound-interface', iif])
+
+ self.cli_commit()
+
+ # Check generated configuration
+ # Expected values
+ original = """
+ 102: from 2001:db8:1338::/126 iif lo lookup 150
+ 102: from 2001:db8:1339::/126 iif lo lookup 150
+ """
+ tmp = cmd('ip -6 rule show prio 102')
+
+ self.assertEqual(sort_ip(tmp), sort_ip(original))
+
# Test set table for sources and destinations with fwmark ipv6
def test_fwmark_sources_destination_ipv6_table_id(self):
path = base_path + ['local-route6']
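Review bot: In `test_iif_sources_ipv6_table_id` the `cli_set` calls for `set table` and `inbound-interface` sit inside the `for src in sources` loop, so they are re-issued for every source, whereas the IPv4 twin `test_iif_sources_table_id` sets them once before the loop. Move those two `cli_set` lines above the loop so only the `source` call is repeated; the behaviour is the same but the test then reads like its sibling.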
@@ -1384,7 +1435,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
103: from 2001:db8:1338::/126 to 2001:db8:16::/48 fwmark 0x17 lookup 150
103: from 2001:db8:1339::/56 to 2001:db8:13::/48 fwmark 0x17 lookup 150
103: from 2001:db8:1339::/56 to 2001:db8:16::/48 fwmark 0x17 lookup 150
- 103: from 2001:db8:1338::/126 to 2001:db8:13::/48 fwmark 0x17 lookup 150
+ 103: from 2001:db8:1338::/126 to 2001:db8:13::/48 fwmark 0x17 lookup 150
"""
tmp = cmd('ip rule show prio 103')
tmp_v6 = cmd('ip -6 rule show prio 103')
diff --git a/src/conf_mode/policy-local-route.py b/src/conf_mode/policy-local-route.py
index 71183c6ba..0990039c1 100755
--- a/src/conf_mode/policy-local-route.py
+++ b/src/conf_mode/policy-local-route.py
@@ -18,6 +18,7 @@ import os
from sys import exit
+from netifaces import interfaces
from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.configdict import node_changed
@@ -51,12 +52,15 @@ def get_config(config=None):
for rule in (tmp or []):
src = leaf_node_changed(conf, base_rule + [rule, 'source'])
fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
+ iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
rule_def = {}
if src:
rule_def = dict_merge({'source' : src}, rule_def)
if fwmk:
rule_def = dict_merge({'fwmark' : fwmk}, rule_def)
+ if iif:
+ rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
if dst:
rule_def = dict_merge({'destination' : dst}, rule_def)
dict = dict_merge({dict_id : {rule : rule_def}}, dict)
@@ -72,6 +76,7 @@ def get_config(config=None):
for rule, rule_config in pbr[route]['rule'].items():
src = leaf_node_changed(conf, base_rule + [rule, 'source'])
fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
+ iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
# keep track of changes in configuration
# otherwise we might remove an existing node although nothing else has changed
@@ -100,6 +105,13 @@ def get_config(config=None):
changed = True
if len(fwmk) > 0:
rule_def = dict_merge({'fwmark' : fwmk}, rule_def)
+ if iif is None:
+ if 'inbound_interface' in rule_config:
+ rule_def = dict_merge({'inbound_interface': rule_config['inbound_interface']}, rule_def)
+ else:
+ changed = True
+ if len(iif) > 0:
+ rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
if dst is None:
if 'destination' in rule_config:
rule_def = dict_merge({'destination': rule_config['destination']}, rule_def)
@@ -125,11 +137,18 @@ def verify(pbr):
pbr_route = pbr[route]
if 'rule' in pbr_route:
for rule in pbr_route['rule']:
- if 'source' not in pbr_route['rule'][rule] and 'destination' not in pbr_route['rule'][rule] and 'fwmark' not in pbr_route['rule'][rule]:
- raise ConfigError('Source or destination address or fwmark is required!')
+ if 'source' not in pbr_route['rule'][rule] \
+ and 'destination' not in pbr_route['rule'][rule] \
+ and 'fwmark' not in pbr_route['rule'][rule] \
+ and 'inbound_interface' not in pbr_route['rule'][rule]:
+ raise ConfigError('Source or destination address or fwmark or inbound-interface is required!')
else:
if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']:
raise ConfigError('Table set is required!')
+ if 'inbound_interface' in pbr_route['rule'][rule]:
+ interface = pbr_route['rule'][rule]['inbound_interface']
+ if interface not in interfaces():
+ raise ConfigError(f'Interface "{interface}" does not exist')
return None
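Review bot: The new existence check `if interface not in interfaces():` tests the kernel's current interface list at verify time, so a rule that references an interface defined in the same configuration but not yet created when this script runs (a fresh interface in the same commit, or a boot-time load where interface scripts run later) would be rejected, depending on the project's script ordering. If the project's configverify module offers an interface-existence helper at this revision, prefer it so the behaviour matches the other conf_mode scripts; otherwise add a comment stating that the interface must already exist at commit time. The four-way `not in` chain just above could also be written as `if not any(k in pbr_route['rule'][rule] for k in ('source', 'destination', 'fwmark', 'inbound_interface')):`, which keeps the error path readable as more match keys are added.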
@@ -159,7 +178,10 @@ def apply(pbr):
rule_config['fwmark'] = rule_config['fwmark'] if 'fwmark' in rule_config else ['']
for fwmk in rule_config['fwmark']:
f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} '
- call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_fwmk}')
+ rule_config['inbound_interface'] = rule_config['inbound_interface'] if 'inbound_interface' in rule_config else ['']
+ for iif in rule_config['inbound_interface']:
+ f_iif = '' if iif == '' else f' iif {iif} '
+ call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif}')
# Generate new config
for route in ['local_route', 'local_route6']:
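Review bot: The default `rule_config['inbound_interface'] = rule_config['inbound_interface'] if 'inbound_interface' in rule_config else ['']` is executed inside the `for fwmk in rule_config['fwmark']:` loop, so it is re-evaluated on every fwmark iteration; hoist it next to the `fwmark` default line above the loop, which is where the same pattern is applied for `fwmark`. The nested `for iif` loop below it is fine once the default is set once. The enclosing `apply` body continues outside this hunk.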
@@ -183,7 +205,11 @@ def apply(pbr):
if 'fwmark' in rule_config:
fwmk = rule_config['fwmark']
f_fwmk = f' fwmark {fwmk} '
- call(f'ip{v6} rule add prio {rule} {f_src}{f_dst}{f_fwmk} lookup {table}')
+ f_iif = ''
+ if 'inbound_interface' in rule_config:
+ iif = rule_config['inbound_interface']
+ f_iif = f' iif {iif} '
+ call(f'ip{v6} rule add prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif} lookup {table}')
return None
--
From 22f0794a9f195e69e277d48f031fe934febe9408 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Thu, 27 Jan 2022 16:58:36 +0100
Subject: firewall: T4209: Fix support for rule `recent` matches
---
data/templates/firewall/nftables.tmpl | 22 ++++++++++++++++++++++
.../include/firewall/common-rule.xml.i | 19 +++++++++++++++----
python/vyos/firewall.py | 4 +---
src/conf_mode/firewall.py | 6 +++++-
src/migration-scripts/firewall/6-to-7 | 20 ++++++++++++++++++++
5 files changed, 63 insertions(+), 8 deletions(-)
diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl
index 468a5a32f..0cc977cf9 100644
--- a/data/templates/firewall/nftables.tmpl
+++ b/data/templates/firewall/nftables.tmpl
@@ -31,16 +31,27 @@ table ip filter {
}
{% endif %}
{% if name is defined %}
+{% set ns = namespace(sets=[]) %}
{% for name_text, conf in name.items() %}
chain NAME_{{ name_text }} {
{% if conf.rule is defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
{{ rule_conf | nft_rule(name_text, rule_id) }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text) }}
}
{% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT_{{ set_name }} {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
{% endif %}
{% if state_policy is defined %}
chain VYOS_STATE_POLICY {
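Review bot: The `RECENT_{{ set_name }}` sets declared at the end of the hunk carry `flags dynamic` and `size 65535` but no `timeout`, and the element added from python/vyos/firewall.py (`add @RECENT… { … saddr limit rate over … }`) sets none either, so entries never expire: once 65535 distinct source addresses have been seen the set is full, later adds fail and new sources are no longer rate-limited, and the state is kept for the lifetime of the ruleset. Consider `flags dynamic,timeout` together with a set-level `timeout` that matches the configured unit (for example `timeout 1h` when the rule uses `hour`), so idle sources age out and the size bound cannot be reached by normal traffic. The `RECENT6_{{ set_name }}` sets in the ip6 filter hunk below have the same shape and need the same change.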
@@ -81,16 +92,27 @@ table ip6 filter {
}
{% endif %}
{% if ipv6_name is defined %}
+{% set ns = namespace(sets=[]) %}
{% for name_text, conf in ipv6_name.items() %}
chain NAME6_{{ name_text }} {
{% if conf.rule is defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
{{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text) }}
}
{% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT6_{{ set_name }} {
+ type ipv6_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
{% endif %}
{% if state_policy is defined %}
chain VYOS_STATE_POLICY6 {
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 521fe54f2..353804990 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -146,13 +146,24 @@
- Source addresses seen in the last N seconds
+ Source addresses seen in the last second/minute/hour
+
+ second minute hour
+
- u32:0-4294967295
- Source addresses seen in the last N seconds
+ second
+ Source addresses seen COUNT times in the last second
+
+
+ minute
+ Source addresses seen COUNT times in the last minute
+
+
+ hour
+ Source addresses seen COUNT times in the last hour
-
+ ^(second|minute|hour)$
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index c1217b420..55ce318e7 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -181,9 +181,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'recent' in rule_conf:
count = rule_conf['recent']['count']
time = rule_conf['recent']['time']
- # output.append(f'meter {fw_name}_{rule_id} {{ ip saddr and 255.255.255.255 limit rate over {count}/{time} burst {count} packets }}')
- # Waiting on input from nftables developers due to
- # bug with above line and atomic chain flushing.
+ output.append(f'add @RECENT{def_suffix}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}')
if 'time' in rule_conf:
output.append(parse_time(rule_conf['time']))
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 9dec2143e..41df1b84a 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -278,6 +278,7 @@ def cleanup_rule(table, jump_chain):
def cleanup_commands(firewall):
commands = []
+ commands_end = []
for table in ['ip filter', 'ip6 filter']:
state_chain = 'VYOS_STATE_POLICY' if table == 'ip filter' else 'VYOS_STATE_POLICY6'
json_str = cmd(f'nft -j list table {table}')
@@ -308,7 +309,10 @@ def cleanup_commands(firewall):
chain = rule['chain']
handle = rule['handle']
commands.append(f'delete rule {table} {chain} handle {handle}')
- return commands
+ elif 'set' in item:
+ set_name = item['set']['name']
+ commands_end.append(f'delete set {table} {set_name}')
+ return commands + commands_end
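Review bot: The new `elif 'set' in item:` branch queues a `delete set` for every set in the table, not only the `RECENT_`/`RECENT6_` sets this commit introduces, so any set created outside the VyOS firewall (manually or by another component sharing `ip filter`) would be removed on every cleanup run, unless the loop already filters to VyOS-managed objects in the part of `cleanup_commands` that starts outside this hunk. Restrict it to the sets the template owns, e.g. `elif 'set' in item and item['set']['name'].startswith('RECENT'):`. Appending these to `commands_end` so rules go before sets is the right order, since a set cannot be deleted while a rule still references it.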
def generate(firewall):
if not os.path.exists(nftables_conf):
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index efc901530..5f4cff90d 100755
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -104,6 +104,7 @@ if config.exists(base + ['name']):
continue
for rule in config.list_nodes(base + ['name', name, 'rule']):
+ rule_recent = base + ['name', name, 'rule', rule, 'recent']
rule_time = base + ['name', name, 'rule', rule, 'time']
rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags']
rule_icmp = base + ['name', name, 'rule', rule, 'icmp']
@@ -114,6 +115,15 @@ if config.exists(base + ['name']):
if config.exists(rule_time + ['utc']):
config.delete(rule_time + ['utc'])
+ if config.exists(rule_recent + ['time']):
+ tmp = int(config.return_value(rule_recent + ['time']))
+ unit = 'minute'
+ if tmp > 600:
+ unit = 'hour'
+ elif tmp < 10:
+ unit = 'second'
+ config.set(rule_recent + ['time'], value=unit)
+
if config.exists(rule_tcp_flags):
tmp = config.return_value(rule_tcp_flags)
config.delete(rule_tcp_flags)
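Review bot: The bucket thresholds `if tmp > 600:` / `elif tmp < 10:` silently change the effective rate for any old value that was not 1, 60 or 3600 seconds — a rule that allowed COUNT hits per 300 seconds becomes COUNT per minute — and the hunk carries no comment explaining the approximation. Add a comment above the conversion such as `# old value was a number of seconds; map it to the nearest supported unit (second/minute/hour) — the effective rate changes for other values`, and consider emitting a warning naming the rewritten rule so the operator can re-check the limit. The identical block in the `ipv6-name` hunk below could call a small shared helper instead of duplicating the thresholds.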
@@ -148,6 +158,7 @@ if config.exists(base + ['ipv6-name']):
continue
for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
+ rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent']
rule_time = base + ['ipv6-name', name, 'rule', rule, 'time']
rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags']
rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6']
@@ -158,6 +169,15 @@ if config.exists(base + ['ipv6-name']):
if config.exists(rule_time + ['utc']):
config.delete(rule_time + ['utc'])
+ if config.exists(rule_recent + ['time']):
+ tmp = int(config.return_value(rule_recent + ['time']))
+ unit = 'minute'
+ if tmp > 600:
+ unit = 'hour'
+ elif tmp < 10:
+ unit = 'second'
+ config.set(rule_recent + ['time'], value=unit)
+
if config.exists(rule_tcp_flags):
tmp = config.return_value(rule_tcp_flags)
config.delete(rule_tcp_flags)
--
From d96bab4e6da517f07133667834cd6f8bcfb5160f Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 7 Feb 2022 22:27:51 +0100
Subject: xml: ssh: T4233: sync regex for allow/deny usernames to "system
login"
---
interface-definitions/include/ssh-user.xml.i | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/interface-definitions/include/ssh-user.xml.i b/interface-definitions/include/ssh-user.xml.i
index 677602dd8..17ba05a90 100644
--- a/interface-definitions/include/ssh-user.xml.i
+++ b/interface-definitions/include/ssh-user.xml.i
@@ -3,9 +3,9 @@
Allow specific users to login
- [a-z_][a-z0-9_-]{1,31}[$]?
+ ^[-_a-zA-Z0-9.]{1,100}
- illegal characters or more than 32 characters
+ Illegal characters or more than 100 characters
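Review bot: The new pattern `^[-_a-zA-Z0-9.]{1,100}` has a start anchor but no end anchor, so unless the validator anchors implicitly, any value whose first character is in the class is accepted regardless of what follows — including whitespace, which matters because these names are presumably rendered into an sshd_config AllowUsers/DenyUsers line where a space separates entries. Use `^[-_a-zA-Z0-9.]{1,100}$` so the whole value is checked, and confirm the "system login" pattern this is synced to carries the same end anchor. The old pattern also permitted a trailing `$` for machine accounts; dropping it may be intended but deserves a mention in the commit message.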
--
From 3795fdba8edf8e81298370d6cd8d81a779ae2997 Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Wed, 16 Feb 2022 11:31:23 -0600
Subject: xml: T3474: add component version include files
Add the include files containing the syntaxVersion element defining the
version of the respective component; these files are included by the top
level file 'xml-component-versions.xml.in'. Processing of these elements
was previously added to the python xml lib in commit 40f5359d. This will
replace the use of 'curver_DATA' in vyatta-cfg-system and other legacy
packages.
---
.../include/version/bgp-version.xml.i | 3 ++
.../include/version/broadcast-relay-version.xml.i | 3 ++
.../include/version/cluster-version.xml.i | 3 ++
.../version/config-management-version.xml.i | 3 ++
.../include/version/conntrack-sync-version.xml.i | 3 ++
.../include/version/conntrack-version.xml.i | 3 ++
.../include/version/dhcp-relay-version.xml.i | 3 ++
.../include/version/dhcp-server-version.xml.i | 3 ++
.../include/version/dhcpv6-server-version.xml.i | 3 ++
.../include/version/dns-forwarding-version.xml.i | 3 ++
.../include/version/firewall-version.xml.i | 3 ++
.../include/version/flow-accounting-version.xml.i | 3 ++
.../include/version/https-version.xml.i | 3 ++
.../include/version/interfaces-version.xml.i | 3 ++
.../include/version/ipoe-server-version.xml.i | 3 ++
.../include/version/ipsec-version.xml.i | 3 ++
.../include/version/isis-version.xml.i | 3 ++
.../include/version/l2tp-version.xml.i | 3 ++
.../include/version/lldp-version.xml.i | 3 ++
.../include/version/mdns-version.xml.i | 3 ++
.../include/version/nat-version.xml.i | 3 ++
.../include/version/nat66-version.xml.i | 3 ++
.../include/version/ntp-version.xml.i | 3 ++
.../include/version/openconnect-version.xml.i | 3 ++
.../include/version/ospf-version.xml.i | 3 ++
.../include/version/policy-version.xml.i | 3 ++
.../include/version/pppoe-server-version.xml.i | 3 ++
.../include/version/pptp-version.xml.i | 3 ++
.../include/version/qos-version.xml.i | 3 ++
.../include/version/quagga-version.xml.i | 3 ++
.../include/version/rpki-version.xml.i | 3 ++
.../include/version/salt-version.xml.i | 3 ++
.../include/version/snmp-version.xml.i | 3 ++
.../include/version/ssh-version.xml.i | 3 ++
.../include/version/sstp-version.xml.i | 3 ++
.../include/version/system-version.xml.i | 3 ++
.../include/version/vrf-version.xml.i | 3 ++
.../include/version/vrrp-version.xml.i | 3 ++
.../include/version/vyos-accel-ppp-version.xml.i | 3 ++
.../include/version/wanloadbalance-version.xml.i | 3 ++
.../include/version/webproxy-version.xml.i | 3 ++
interface-definitions/xml-component-version.xml.in | 44 ++++++++++++++++++++++
python/vyos/xml/__init__.py | 4 +-
python/vyos/xml/definition.py | 9 +++--
44 files changed, 174 insertions(+), 6 deletions(-)
create mode 100644 interface-definitions/include/version/bgp-version.xml.i
create mode 100644 interface-definitions/include/version/broadcast-relay-version.xml.i
create mode 100644 interface-definitions/include/version/cluster-version.xml.i
create mode 100644 interface-definitions/include/version/config-management-version.xml.i
create mode 100644 interface-definitions/include/version/conntrack-sync-version.xml.i
create mode 100644 interface-definitions/include/version/conntrack-version.xml.i
create mode 100644 interface-definitions/include/version/dhcp-relay-version.xml.i
create mode 100644 interface-definitions/include/version/dhcp-server-version.xml.i
create mode 100644 interface-definitions/include/version/dhcpv6-server-version.xml.i
create mode 100644 interface-definitions/include/version/dns-forwarding-version.xml.i
create mode 100644 interface-definitions/include/version/firewall-version.xml.i
create mode 100644 interface-definitions/include/version/flow-accounting-version.xml.i
create mode 100644 interface-definitions/include/version/https-version.xml.i
create mode 100644 interface-definitions/include/version/interfaces-version.xml.i
create mode 100644 interface-definitions/include/version/ipoe-server-version.xml.i
create mode 100644 interface-definitions/include/version/ipsec-version.xml.i
create mode 100644 interface-definitions/include/version/isis-version.xml.i
create mode 100644 interface-definitions/include/version/l2tp-version.xml.i
create mode 100644 interface-definitions/include/version/lldp-version.xml.i
create mode 100644 interface-definitions/include/version/mdns-version.xml.i
create mode 100644 interface-definitions/include/version/nat-version.xml.i
create mode 100644 interface-definitions/include/version/nat66-version.xml.i
create mode 100644 interface-definitions/include/version/ntp-version.xml.i
create mode 100644 interface-definitions/include/version/openconnect-version.xml.i
create mode 100644 interface-definitions/include/version/ospf-version.xml.i
create mode 100644 interface-definitions/include/version/policy-version.xml.i
create mode 100644 interface-definitions/include/version/pppoe-server-version.xml.i
create mode 100644 interface-definitions/include/version/pptp-version.xml.i
create mode 100644 interface-definitions/include/version/qos-version.xml.i
create mode 100644 interface-definitions/include/version/quagga-version.xml.i
create mode 100644 interface-definitions/include/version/rpki-version.xml.i
create mode 100644 interface-definitions/include/version/salt-version.xml.i
create mode 100644 interface-definitions/include/version/snmp-version.xml.i
create mode 100644 interface-definitions/include/version/ssh-version.xml.i
create mode 100644 interface-definitions/include/version/sstp-version.xml.i
create mode 100644 interface-definitions/include/version/system-version.xml.i
create mode 100644 interface-definitions/include/version/vrf-version.xml.i
create mode 100644 interface-definitions/include/version/vrrp-version.xml.i
create mode 100644 interface-definitions/include/version/vyos-accel-ppp-version.xml.i
create mode 100644 interface-definitions/include/version/wanloadbalance-version.xml.i
create mode 100644 interface-definitions/include/version/webproxy-version.xml.i
create mode 100644 interface-definitions/xml-component-version.xml.in
diff --git a/interface-definitions/include/version/bgp-version.xml.i b/interface-definitions/include/version/bgp-version.xml.i
new file mode 100644
index 000000000..15bc5abd4
--- /dev/null
+++ b/interface-definitions/include/version/bgp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/broadcast-relay-version.xml.i b/interface-definitions/include/version/broadcast-relay-version.xml.i
new file mode 100644
index 000000000..98481f446
--- /dev/null
+++ b/interface-definitions/include/version/broadcast-relay-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/cluster-version.xml.i b/interface-definitions/include/version/cluster-version.xml.i
new file mode 100644
index 000000000..621996df4
--- /dev/null
+++ b/interface-definitions/include/version/cluster-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/config-management-version.xml.i b/interface-definitions/include/version/config-management-version.xml.i
new file mode 100644
index 000000000..695ba09ab
--- /dev/null
+++ b/interface-definitions/include/version/config-management-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/conntrack-sync-version.xml.i b/interface-definitions/include/version/conntrack-sync-version.xml.i
new file mode 100644
index 000000000..f040c29f6
--- /dev/null
+++ b/interface-definitions/include/version/conntrack-sync-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i
new file mode 100644
index 000000000..696f76362
--- /dev/null
+++ b/interface-definitions/include/version/conntrack-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/dhcp-relay-version.xml.i b/interface-definitions/include/version/dhcp-relay-version.xml.i
new file mode 100644
index 000000000..75f5d5486
--- /dev/null
+++ b/interface-definitions/include/version/dhcp-relay-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/dhcp-server-version.xml.i b/interface-definitions/include/version/dhcp-server-version.xml.i
new file mode 100644
index 000000000..330cb7d1b
--- /dev/null
+++ b/interface-definitions/include/version/dhcp-server-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/dhcpv6-server-version.xml.i b/interface-definitions/include/version/dhcpv6-server-version.xml.i
new file mode 100644
index 000000000..4b2cf40aa
--- /dev/null
+++ b/interface-definitions/include/version/dhcpv6-server-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/dns-forwarding-version.xml.i b/interface-definitions/include/version/dns-forwarding-version.xml.i
new file mode 100644
index 000000000..fe817940a
--- /dev/null
+++ b/interface-definitions/include/version/dns-forwarding-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i
new file mode 100644
index 000000000..059a89f24
--- /dev/null
+++ b/interface-definitions/include/version/firewall-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/flow-accounting-version.xml.i b/interface-definitions/include/version/flow-accounting-version.xml.i
new file mode 100644
index 000000000..5b01fe4b5
--- /dev/null
+++ b/interface-definitions/include/version/flow-accounting-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/https-version.xml.i b/interface-definitions/include/version/https-version.xml.i
new file mode 100644
index 000000000..586083649
--- /dev/null
+++ b/interface-definitions/include/version/https-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/interfaces-version.xml.i b/interface-definitions/include/version/interfaces-version.xml.i
new file mode 100644
index 000000000..b97971531
--- /dev/null
+++ b/interface-definitions/include/version/interfaces-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/ipoe-server-version.xml.i b/interface-definitions/include/version/ipoe-server-version.xml.i
new file mode 100644
index 000000000..00d2544e6
--- /dev/null
+++ b/interface-definitions/include/version/ipoe-server-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/ipsec-version.xml.i b/interface-definitions/include/version/ipsec-version.xml.i
new file mode 100644
index 000000000..fcdd6c702
--- /dev/null
+++ b/interface-definitions/include/version/ipsec-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/isis-version.xml.i b/interface-definitions/include/version/isis-version.xml.i
new file mode 100644
index 000000000..4a8fef39c
--- /dev/null
+++ b/interface-definitions/include/version/isis-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/l2tp-version.xml.i b/interface-definitions/include/version/l2tp-version.xml.i
new file mode 100644
index 000000000..86114d676
--- /dev/null
+++ b/interface-definitions/include/version/l2tp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/lldp-version.xml.i b/interface-definitions/include/version/lldp-version.xml.i
new file mode 100644
index 000000000..0deb73279
--- /dev/null
+++ b/interface-definitions/include/version/lldp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/mdns-version.xml.i b/interface-definitions/include/version/mdns-version.xml.i
new file mode 100644
index 000000000..b200a68b4
--- /dev/null
+++ b/interface-definitions/include/version/mdns-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/nat-version.xml.i b/interface-definitions/include/version/nat-version.xml.i
new file mode 100644
index 000000000..027216a07
--- /dev/null
+++ b/interface-definitions/include/version/nat-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/nat66-version.xml.i b/interface-definitions/include/version/nat66-version.xml.i
new file mode 100644
index 000000000..7b7123dcc
--- /dev/null
+++ b/interface-definitions/include/version/nat66-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/ntp-version.xml.i b/interface-definitions/include/version/ntp-version.xml.i
new file mode 100644
index 000000000..cc4ff9a1c
--- /dev/null
+++ b/interface-definitions/include/version/ntp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/openconnect-version.xml.i b/interface-definitions/include/version/openconnect-version.xml.i
new file mode 100644
index 000000000..d7d35b321
--- /dev/null
+++ b/interface-definitions/include/version/openconnect-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/ospf-version.xml.i b/interface-definitions/include/version/ospf-version.xml.i
new file mode 100644
index 000000000..755965daa
--- /dev/null
+++ b/interface-definitions/include/version/ospf-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/policy-version.xml.i b/interface-definitions/include/version/policy-version.xml.i
new file mode 100644
index 000000000..6d0c80518
--- /dev/null
+++ b/interface-definitions/include/version/policy-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/pppoe-server-version.xml.i b/interface-definitions/include/version/pppoe-server-version.xml.i
new file mode 100644
index 000000000..ec81487f8
--- /dev/null
+++ b/interface-definitions/include/version/pppoe-server-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/pptp-version.xml.i b/interface-definitions/include/version/pptp-version.xml.i
new file mode 100644
index 000000000..0296c44e9
--- /dev/null
+++ b/interface-definitions/include/version/pptp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/qos-version.xml.i b/interface-definitions/include/version/qos-version.xml.i
new file mode 100644
index 000000000..e4d139349
--- /dev/null
+++ b/interface-definitions/include/version/qos-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/quagga-version.xml.i b/interface-definitions/include/version/quagga-version.xml.i
new file mode 100644
index 000000000..bb8ad7f82
--- /dev/null
+++ b/interface-definitions/include/version/quagga-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/rpki-version.xml.i b/interface-definitions/include/version/rpki-version.xml.i
new file mode 100644
index 000000000..2fff259a8
--- /dev/null
+++ b/interface-definitions/include/version/rpki-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/salt-version.xml.i b/interface-definitions/include/version/salt-version.xml.i
new file mode 100644
index 000000000..fe4684050
--- /dev/null
+++ b/interface-definitions/include/version/salt-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/snmp-version.xml.i b/interface-definitions/include/version/snmp-version.xml.i
new file mode 100644
index 000000000..0416288f0
--- /dev/null
+++ b/interface-definitions/include/version/snmp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/ssh-version.xml.i b/interface-definitions/include/version/ssh-version.xml.i
new file mode 100644
index 000000000..0f25caf98
--- /dev/null
+++ b/interface-definitions/include/version/ssh-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/sstp-version.xml.i b/interface-definitions/include/version/sstp-version.xml.i
new file mode 100644
index 000000000..79b43a3e7
--- /dev/null
+++ b/interface-definitions/include/version/sstp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/system-version.xml.i b/interface-definitions/include/version/system-version.xml.i
new file mode 100644
index 000000000..fb4629bf1
--- /dev/null
+++ b/interface-definitions/include/version/system-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/vrf-version.xml.i b/interface-definitions/include/version/vrf-version.xml.i
new file mode 100644
index 000000000..9d7ff35fe
--- /dev/null
+++ b/interface-definitions/include/version/vrf-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/vrrp-version.xml.i b/interface-definitions/include/version/vrrp-version.xml.i
new file mode 100644
index 000000000..626dd6cbc
--- /dev/null
+++ b/interface-definitions/include/version/vrrp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/vyos-accel-ppp-version.xml.i b/interface-definitions/include/version/vyos-accel-ppp-version.xml.i
new file mode 100644
index 000000000..e5a4e1613
--- /dev/null
+++ b/interface-definitions/include/version/vyos-accel-ppp-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/wanloadbalance-version.xml.i b/interface-definitions/include/version/wanloadbalance-version.xml.i
new file mode 100644
index 000000000..59f8729cc
--- /dev/null
+++ b/interface-definitions/include/version/wanloadbalance-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/include/version/webproxy-version.xml.i b/interface-definitions/include/version/webproxy-version.xml.i
new file mode 100644
index 000000000..42dbf3f8b
--- /dev/null
+++ b/interface-definitions/include/version/webproxy-version.xml.i
@@ -0,0 +1,3 @@
+
+
+
diff --git a/interface-definitions/xml-component-version.xml.in b/interface-definitions/xml-component-version.xml.in
new file mode 100644
index 000000000..b7f063a6c
--- /dev/null
+++ b/interface-definitions/xml-component-version.xml.in
@@ -0,0 +1,44 @@
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
diff --git a/python/vyos/xml/__init__.py b/python/vyos/xml/__init__.py
index e0eacb2d1..6db446a40 100644
--- a/python/vyos/xml/__init__.py
+++ b/python/vyos/xml/__init__.py
@@ -46,8 +46,8 @@ def is_tag(lpath):
def is_leaf(lpath, flat=True):
return load_configuration().is_leaf(lpath, flat)
-def component_versions():
- return load_configuration().component_versions()
+def component_version():
+ return load_configuration().component_version()
def defaults(lpath, flat=False):
return load_configuration().defaults(lpath, flat)
diff --git a/python/vyos/xml/definition.py b/python/vyos/xml/definition.py
index 5e0d5282c..bc3892b42 100644
--- a/python/vyos/xml/definition.py
+++ b/python/vyos/xml/definition.py
@@ -249,10 +249,11 @@ class XML(dict):
# @lru_cache(maxsize=100)
# XXX: need to use cachetool instead - for later
- def component_versions(self) -> dict:
- sort_component = sorted(self[kw.component_version].items(),
- key = lambda kv: kv[0])
- return dict(sort_component)
+ def component_version(self) -> dict:
+ d = {}
+ for k in sorted(self[kw.component_version]):
+ d[k] = int(self[kw.component_version][k])
+ return d
def defaults(self, lpath, flat):
d = self[kw.default]
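Review bot: The new `int(self[kw.component_version][k])` raises a bare `ValueError` when a version string in the XML is not an integer, with no indication of which component is at fault, and since this is now the single place the values are parsed that is where the message should be made useful: wrap the conversion in `try`/`except ValueError as exc` and `raise ValueError(f'invalid component version for {k!r}: {self[kw.component_version][k]!r}') from exc`. The rename from `component_versions` also removes the old name outright, so any caller outside the two files touched here breaks; a one-line alias during the transition would avoid that. The enclosing `XML` class and the following `defaults` method continue outside the hunk.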
--
cgit v1.2.3
From b693f929b63c0c847d9a3c6ee9160845ef501be1 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 20 Feb 2022 10:40:38 +0100
Subject: static: T4203: obey interface dhcp default route distance
Commit 05aa22dc ("protocols: static: T3680: do not delete DHCP received routes")
introduced a bug: whenever a static route is modified, the default route learned
over a DHCP interface always ends up with distance 210, regardless of the
default-route-distance configured on that interface.
---
data/templates/frr/staticd.frr.tmpl | 4 +-
.../include/interface/dhcp-options.xml.i | 3 +-
python/vyos/configdict.py | 54 ++++++++++++++++++----
3 files changed, 48 insertions(+), 13 deletions(-)
(limited to 'interface-definitions/include')
diff --git a/data/templates/frr/staticd.frr.tmpl b/data/templates/frr/staticd.frr.tmpl
index bfe959c1d..5d833228a 100644
--- a/data/templates/frr/staticd.frr.tmpl
+++ b/data/templates/frr/staticd.frr.tmpl
@@ -17,10 +17,10 @@ vrf {{ vrf }}
{% endif %}
{# IPv4 default routes from DHCP interfaces #}
{% if dhcp is defined and dhcp is not none %}
-{% for interface in dhcp %}
+{% for interface, interface_config in dhcp.items() %}
{% set next_hop = interface | get_dhcp_router %}
{% if next_hop is defined and next_hop is not none %}
-{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 210
+{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.distance }}
{% endif %}
{% endfor %}
{% endif %}
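Review bot: `{{ interface_config.distance }}` has no fallback, so if an interface entry reaches the template without a `distance` key (the helper that builds this dict only sets it when `default_route_distance` is present), Jinja renders an empty string unless the environment uses `StrictUndefined`, and FRR would then get `tag 210` with no distance and install the route at its own default distance rather than 210. Guarding it in the template is one change: `{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.distance | default('210') }}`. Whether the default merge in `get_interface_dict()` guarantees the key for every VLAN sub-interface is not visible here, so the fallback is cheap insurance.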
diff --git a/interface-definitions/include/interface/dhcp-options.xml.i b/interface-definitions/include/interface/dhcp-options.xml.i
index b65b0802a..f62b06640 100644
--- a/interface-definitions/include/interface/dhcp-options.xml.i
+++ b/interface-definitions/include/interface/dhcp-options.xml.i
@@ -30,12 +30,13 @@
Distance for the default route from DHCP server
u32:1-255
- Distance for the default route from DHCP server (default 210)
+ Distance for the default route from DHCP server (default: 210)
+ 210
diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py
index efeb6dc1f..f2ec93520 100644
--- a/python/vyos/configdict.py
+++ b/python/vyos/configdict.py
@@ -319,34 +319,42 @@ def is_source_interface(conf, interface, intftype=None):
def get_dhcp_interfaces(conf, vrf=None):
""" Common helper functions to retrieve all interfaces from current CLI
sessions that have DHCP configured. """
- dhcp_interfaces = []
+ dhcp_interfaces = {}
dict = conf.get_config_dict(['interfaces'], get_first_key=True)
if not dict:
return dhcp_interfaces
def check_dhcp(config, ifname):
- out = []
+ tmp = {}
if 'address' in config and 'dhcp' in config['address']:
+ options = {}
+ if 'dhcp_options' in config and 'default_route_distance' in config['dhcp_options']:
+ options.update({'distance' : config['dhcp_options']['default_route_distance']})
if 'vrf' in config:
- if vrf is config['vrf']: out.append(ifname)
- else: out.append(ifname)
- return out
+ if vrf is config['vrf']: tmp.update({ifname : options})
+ else: tmp.update({ifname : options})
+ return tmp
for section, interface in dict.items():
- for ifname, ifconfig in interface.items():
+ for ifname in interface:
+ # we already have a dict representation of the config from get_config_dict(),
+ # but with the extended information from get_interface_dict() we also
+ # get the DHCP client default-route-distance default option if not specified.
+ ifconfig = get_interface_dict(conf, ['interfaces', section], ifname)
+
tmp = check_dhcp(ifconfig, ifname)
- dhcp_interfaces.extend(tmp)
+ dhcp_interfaces.update(tmp)
# check per VLAN interfaces
for vif, vif_config in ifconfig.get('vif', {}).items():
tmp = check_dhcp(vif_config, f'{ifname}.{vif}')
- dhcp_interfaces.extend(tmp)
+ dhcp_interfaces.update(tmp)
# check QinQ VLAN interfaces
for vif_s, vif_s_config in ifconfig.get('vif-s', {}).items():
tmp = check_dhcp(vif_s_config, f'{ifname}.{vif_s}')
- dhcp_interfaces.extend(tmp)
+ dhcp_interfaces.update(tmp)
for vif_c, vif_c_config in vif_s_config.get('vif-c', {}).items():
tmp = check_dhcp(vif_c_config, f'{ifname}.{vif_s}.{vif_c}')
- dhcp_interfaces.extend(tmp)
+ dhcp_interfaces.update(tmp)
return dhcp_interfaces
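Review bot: The re-added VRF filter still compares strings by identity, `if vrf is config['vrf']: tmp.update({ifname : options})`; `is` on two separately constructed `str` objects is not guaranteed to be true even when they are equal, so a VRF-scoped call can silently miss interfaces — it should be `if vrf == config['vrf']: tmp.update({ifname : options})`. Separately, `options` stays empty when `default_route_distance` is missing from the interface, which pushes the problem to the template; seeding it with `options = {'distance' : '210'}` before the lookup would make the helper self-contained, assuming 210 is the intended fallback as the XML default suggests. Calling `get_interface_dict()` for every interface also repeats the defaults merge per interface, which is fine for correctness but worth a comment since it is noticeably more work than the previous loop.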
@@ -405,6 +413,12 @@ def get_interface_dict(config, base, ifname=''):
if 'deleted' not in dict:
dict = dict_merge(default_values, dict)
+ # If interface does not request an IPv4 DHCP address there is no need
+ # to keep the dhcp-options key
+ if 'address' not in dict or 'dhcp' not in dict['address']:
+ if 'dhcp_options' in dict:
+ del dict['dhcp_options']
+
# XXX: T2665: blend in proper DHCPv6-PD default values
dict = T2665_set_dhcpv6pd_defaults(dict)
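Review bot: The five-line "drop dhcp_options unless address contains dhcp" block added here is copy-pasted three more times further down in this function for `vif`, `vif_s` and `vif_c`, each with a slightly different line-wrapping of the same condition, which is the kind of duplication that drifts on the next fix. A private helper `def _strip_dhcp_options(ifdict): if 'dhcp' not in ifdict.get('address', []): ifdict.pop('dhcp_options', None)` called at each of the four sites keeps the behaviour and leaves one place to maintain. The enclosing `get_interface_dict()` starts and ends outside this hunk.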
@@ -475,6 +489,12 @@ def get_interface_dict(config, base, ifname=''):
# XXX: T2665: blend in proper DHCPv6-PD default values
dict['vif'][vif] = T2665_set_dhcpv6pd_defaults(dict['vif'][vif])
+ # If interface does not request an IPv4 DHCP address there is no need
+ # to keep the dhcp-options key
+ if 'address' not in dict['vif'][vif] or 'dhcp' not in dict['vif'][vif]['address']:
+ if 'dhcp_options' in dict['vif'][vif]:
+ del dict['vif'][vif]['dhcp_options']
+
# Check if we are a member of a bridge device
bridge = is_member(config, f'{ifname}.{vif}', 'bridge')
if bridge: dict['vif'][vif].update({'is_bridge_member' : bridge})
@@ -509,6 +529,13 @@ def get_interface_dict(config, base, ifname=''):
# XXX: T2665: blend in proper DHCPv6-PD default values
dict['vif_s'][vif_s] = T2665_set_dhcpv6pd_defaults(dict['vif_s'][vif_s])
+ # If interface does not request an IPv4 DHCP address there is no need
+ # to keep the dhcp-options key
+ if 'address' not in dict['vif_s'][vif_s] or 'dhcp' not in \
+ dict['vif_s'][vif_s]['address']:
+ if 'dhcp_options' in dict['vif_s'][vif_s]:
+ del dict['vif_s'][vif_s]['dhcp_options']
+
# Check if we are a member of a bridge device
bridge = is_member(config, f'{ifname}.{vif_s}', 'bridge')
if bridge: dict['vif_s'][vif_s].update({'is_bridge_member' : bridge})
@@ -543,6 +570,13 @@ def get_interface_dict(config, base, ifname=''):
dict['vif_s'][vif_s]['vif_c'][vif_c] = T2665_set_dhcpv6pd_defaults(
dict['vif_s'][vif_s]['vif_c'][vif_c])
+ # If interface does not request an IPv4 DHCP address there is no need
+ # to keep the dhcp-options key
+ if 'address' not in dict['vif_s'][vif_s]['vif_c'][vif_c] or 'dhcp' \
+ not in dict['vif_s'][vif_s]['vif_c'][vif_c]['address']:
+ if 'dhcp_options' in dict['vif_s'][vif_s]['vif_c'][vif_c]:
+ del dict['vif_s'][vif_s]['vif_c'][vif_c]['dhcp_options']
+
# Check if we are a member of a bridge device
bridge = is_member(config, f'{ifname}.{vif_s}.{vif_c}', 'bridge')
if bridge: dict['vif_s'][vif_s]['vif_c'][vif_c].update(
--
cgit v1.2.3
From 0ecddff7cffa8900d351d5c15e32420f9d780c0b Mon Sep 17 00:00:00 2001
From: Andreas
Date: Wed, 29 Dec 2021 18:02:06 +0100
Subject: vxlan: T4120: add ability to set multiple remotes (PR #1127)
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
---
.../include/interface/tunnel-remote.xml.i | 2 +-
.../include/interface/tunnel-remotes.xml.i | 19 ++++++++++++
interface-definitions/interfaces-vxlan.xml.in | 2 +-
python/vyos/ifconfig/vxlan.py | 7 +++++
smoketest/scripts/cli/test_interfaces_vxlan.py | 2 ++
src/conf_mode/interfaces-vxlan.py | 34 ++++++++++++++++++++++
6 files changed, 64 insertions(+), 2 deletions(-)
create mode 100644 interface-definitions/include/interface/tunnel-remotes.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/interface/tunnel-remote.xml.i b/interface-definitions/include/interface/tunnel-remote.xml.i
index 1ba9b0382..2a8891b85 100644
--- a/interface-definitions/include/interface/tunnel-remote.xml.i
+++ b/interface-definitions/include/interface/tunnel-remote.xml.i
@@ -1,4 +1,4 @@
-
+
Tunnel remote address
diff --git a/interface-definitions/include/interface/tunnel-remotes.xml.i b/interface-definitions/include/interface/tunnel-remotes.xml.i
new file mode 100644
index 000000000..ae8481898
--- /dev/null
+++ b/interface-definitions/include/interface/tunnel-remotes.xml.i
@@ -0,0 +1,19 @@
+
+
+
+ Tunnel remote address
+
+ ipv4
+ Tunnel remote IPv4 address
+
+
+ ipv6
+ Tunnel remote IPv6 address
+
+
+
+
+
+
+
+
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 4c3c3ac71..559067ea5 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -98,7 +98,7 @@
#include
#include
- #include
+ #include
#include
#include
diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py
index 0c5282db4..87b5e40b8 100644
--- a/python/vyos/ifconfig/vxlan.py
+++ b/python/vyos/ifconfig/vxlan.py
@@ -82,3 +82,10 @@ class VXLANIf(Interface):
self._cmd(cmd.format(**self.config))
# interface is always A/D down. It needs to be enabled explicitly
self.set_admin_state('down')
+
+ other_remotes = self.config.get('other_remotes')
+ if other_remotes:
+ for rem in other_remotes:
+ self.config['rem'] = rem
+ cmd2 = 'bridge fdb append to 00:00:00:00:00:00 dst {rem} port {port} dev {ifname}'
+ self._cmd(cmd2.format(**self.config))
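Review bot: The loop writes a scratch key into the shared config, `self.config['rem'] = rem`, which outlives the loop and leaks into every later `format(**self.config)` on this object; formatting the command directly avoids the mutation: `self._cmd(f'bridge fdb append to 00:00:00:00:00:00 dst {rem} port {self.config["port"]} dev {self.config["ifname"]}')`. Note that `bridge fdb append` only ever adds entries, so if the interface is not torn down and recreated on every change, a remote removed from the CLI would stay in the flood list until reboot — worth a comment or an explicit `bridge fdb del` on the old set if that is indeed the case. The method this extends starts outside the hunk, so whether `port` is always present in `self.config` cannot be confirmed here.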
diff --git a/smoketest/scripts/cli/test_interfaces_vxlan.py b/smoketest/scripts/cli/test_interfaces_vxlan.py
index 9278adadd..12fc463ba 100755
--- a/smoketest/scripts/cli/test_interfaces_vxlan.py
+++ b/smoketest/scripts/cli/test_interfaces_vxlan.py
@@ -33,6 +33,8 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase):
'vxlan10': ['vni 10', 'remote 127.0.0.2'],
'vxlan20': ['vni 20', 'group 239.1.1.1', 'source-interface eth0'],
'vxlan30': ['vni 30', 'remote 2001:db8:2000::1', 'source-address 2001:db8:1000::1', 'parameters ipv6 flowlabel 0x1000'],
+ 'vxlan40': ['vni 40', 'remote 127.0.0.2', 'remote 127.0.0.3'],
+ 'vxlan50': ['vni 50', 'remote 2001:db8:2000::1', 'remote 2001:db8:2000::2', 'parameters ipv6 flowlabel 0x1000'],
}
cls._interfaces = list(cls._options)
# call base-classes classmethod
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py
index 1f097c4e3..092f249df 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces-vxlan.py
@@ -58,6 +58,13 @@ def get_config(config=None):
if len(vxlan['other_tunnels']) == 0:
del vxlan['other_tunnels']
+ # leave first remote in dict and put the other ones (if they exists) to "other_remotes"
+ remotes = vxlan.get('remote')
+ if remotes:
+ vxlan['remote'] = remotes[0]
+ if len(remotes) > 1:
+ del remotes[0]
+ vxlan['other_remotes'] = remotes
return vxlan
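Review bot: `vxlan['remote'] = remotes[0]` followed by `del remotes[0]` assumes `remote` is always a list; if the value ever arrives as a plain string (a single-valued node, or a caller passing a pre-built dict), `remotes[0]` is the first character and a one-letter "address" is silently used as the remote. Unpacking makes the assumption explicit and fails loudly otherwise: `first, *rest = remotes` then `vxlan['remote'] = first` and `if rest: vxlan['other_remotes'] = rest`. Whether `get_config_dict()` guarantees a list for this node is not visible in the hunk, so a short comment stating that guarantee would also do.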
def verify(vxlan):
@@ -108,6 +115,33 @@ def verify(vxlan):
raise ConfigError(f'Underlaying device MTU is to small ({lower_mtu} '\
f'bytes) for VXLAN overhead ({vxlan_overhead} bytes!)')
+ # Check for mixed IPv4 and IPv6 addresses
+ protocol = None
+ if 'source_address' in vxlan:
+ if is_ipv6(vxlan['source_address']):
+ protocol = 'ipv6'
+ else:
+ protocol = 'ipv4'
+ if 'remote' in vxlan:
+ if is_ipv6(vxlan['remote']):
+ if protocol == 'ipv4':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv6'
+ else:
+ if protocol == 'ipv6':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv4'
+ if 'other_remotes' in vxlan:
+ for rem in vxlan['other_remotes']:
+ if is_ipv6(rem):
+ if protocol == 'ipv4':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv6'
+ else:
+ if protocol == 'ipv6':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv4'
+
verify_mtu_ipv6(vxlan)
verify_address(vxlan)
return None
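Review bot: The mixed-family check is the same two-branch test pasted three times with a `protocol` state variable threaded through, and a fourth copy will be needed for any address added later; collecting the addresses and checking how many families they span gives the same errors in one place. If the multicast `group` address is also meant to follow this rule it belongs in the same list, but that is not stated anywhere in the hunk. The rewritten block below replaces the lines from the `# Check for mixed IPv4 and IPv6 addresses` comment up to `verify_mtu_ipv6(vxlan)`.
```python
    # Check for mixed IPv4 and IPv6 addresses
    addresses = []
    if 'source_address' in vxlan:
        addresses.append(vxlan['source_address'])
    if 'remote' in vxlan:
        addresses.append(vxlan['remote'])
    addresses.extend(vxlan.get('other_remotes', []))
    if len({is_ipv6(address) for address in addresses}) > 1:
        raise ConfigError('IPv4 and IPV6 cannot be mixed')
    # … unchanged: verify_mtu_ipv6 / verify_address calls …
```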
--
cgit v1.2.3
From d418cd36027aef5993122ec62419e8c66fe7a1ed Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 20 Feb 2022 22:06:49 +0100
Subject: vxlan: T4120: rename tunnel-remotes.xml.i ->
tunnel-remote-multi.xml.i
---
.../include/interface/tunnel-remote-multi.xml.i | 19 +++++++++++++++++++
.../include/interface/tunnel-remotes.xml.i | 19 -------------------
interface-definitions/interfaces-vxlan.xml.in | 2 +-
3 files changed, 20 insertions(+), 20 deletions(-)
create mode 100644 interface-definitions/include/interface/tunnel-remote-multi.xml.i
delete mode 100644 interface-definitions/include/interface/tunnel-remotes.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/interface/tunnel-remote-multi.xml.i b/interface-definitions/include/interface/tunnel-remote-multi.xml.i
new file mode 100644
index 000000000..f672087a4
--- /dev/null
+++ b/interface-definitions/include/interface/tunnel-remote-multi.xml.i
@@ -0,0 +1,19 @@
+
+
+
+ Tunnel remote address
+
+ ipv4
+ Tunnel remote IPv4 address
+
+
+ ipv6
+ Tunnel remote IPv6 address
+
+
+
+
+
+
+
+
diff --git a/interface-definitions/include/interface/tunnel-remotes.xml.i b/interface-definitions/include/interface/tunnel-remotes.xml.i
deleted file mode 100644
index ae8481898..000000000
--- a/interface-definitions/include/interface/tunnel-remotes.xml.i
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
- Tunnel remote address
-
- ipv4
- Tunnel remote IPv4 address
-
-
- ipv6
- Tunnel remote IPv6 address
-
-
-
-
-
-
-
-
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 559067ea5..0546b4199 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -98,7 +98,7 @@
#include
#include
- #include
+ #include
#include
#include
--
cgit v1.2.3
From a68c9238111c6caee78bb28f8054b8f0cfa0e374 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 24 Feb 2022 22:47:12 +0100
Subject: scripts: T4269: node.def generator should automatically add default
values
Since introducing the XML node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
---
interface-definitions/containers.xml.in | 6 ++--
interface-definitions/dhcp-relay.xml.in | 6 ++--
interface-definitions/dhcp-server.xml.in | 2 +-
interface-definitions/dhcpv6-relay.xml.in | 2 +-
interface-definitions/dns-domain-name.xml.in | 1 +
interface-definitions/dns-forwarding.xml.in | 6 ++--
interface-definitions/flow-accounting-conf.xml.in | 26 +++++++++---------
interface-definitions/high-availability.xml.in | 16 +++++------
interface-definitions/igmp-proxy.xml.in | 8 +++---
.../include/accel-ppp/client-ipv6-pool.xml.i | 2 +-
.../include/accel-ppp/radius-additions.xml.i | 6 ++--
interface-definitions/include/bfd/common.xml.i | 6 ++--
.../include/bgp/protocol-common-config.xml.i | 2 +-
.../include/bgp/timers-keepalive.xml.i | 2 +-
.../include/firewall/name-default-action.xml.i | 2 +-
.../include/interface/arp-cache-timeout.xml.i | 2 +-
.../include/interface/dhcp-options.xml.i | 2 +-
.../include/interface/dhcpv6-options.xml.i | 4 +--
.../include/nat-translation-options.xml.i | 4 +--
interface-definitions/include/ospf/auto-cost.xml.i | 2 +-
.../include/ospf/interface-common.xml.i | 2 +-
interface-definitions/include/ospf/intervals.xml.i | 8 +++---
.../include/ospf/metric-type.xml.i | 2 +-
.../include/ospf/protocol-common-config.xml.i | 18 ++++++------
.../include/ospfv3/protocol-common-config.xml.i | 2 +-
.../include/radius-server-port.xml.i | 2 +-
interface-definitions/include/rip/rip-timers.xml.i | 6 ++--
.../include/snmp/access-mode.xml.i | 2 +-
.../include/snmp/authentication-type.xml.i | 2 +-
.../include/snmp/privacy-type.xml.i | 2 +-
interface-definitions/include/snmp/protocol.xml.i | 2 +-
.../include/vpn-ipsec-encryption.xml.i | 2 +-
interface-definitions/include/vpn-ipsec-hash.xml.i | 2 +-
interface-definitions/interfaces-bonding.xml.in | 6 ++--
interface-definitions/interfaces-bridge.xml.in | 10 +++----
interface-definitions/interfaces-ethernet.xml.in | 4 +--
interface-definitions/interfaces-l2tpv3.xml.in | 6 ++--
interface-definitions/interfaces-macsec.xml.in | 4 +--
interface-definitions/interfaces-openvpn.xml.in | 22 +++++++--------
interface-definitions/interfaces-pppoe.xml.in | 2 +-
interface-definitions/interfaces-tunnel.xml.in | 4 +--
interface-definitions/interfaces-wireless.xml.in | 10 +++----
interface-definitions/protocols-rpki.xml.in | 2 +-
.../service_console-server.xml.in | 6 ++--
.../service_monitoring_telegraf.xml.in | 6 ++--
interface-definitions/service_router-advert.xml.in | 14 +++++-----
interface-definitions/service_webproxy.xml.in | 26 ++++++++++--------
interface-definitions/snmp.xml.in | 6 ++--
interface-definitions/ssh.xml.in | 2 +-
interface-definitions/system-ip.xml.in | 2 +-
interface-definitions/system-login.xml.in | 4 +--
interface-definitions/system-logs.xml.in | 8 +++---
interface-definitions/vpn_ipsec.xml.in | 32 +++++++++++-----------
interface-definitions/vpn_l2tp.xml.in | 10 +++----
interface-definitions/vpn_openconnect.xml.in | 12 ++++----
interface-definitions/zone-policy.xml.in | 6 ++--
scripts/build-command-templates | 17 +++++++++---
57 files changed, 197 insertions(+), 183 deletions(-)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/containers.xml.in b/interface-definitions/containers.xml.in
index 07686b16e..9cd2b0902 100644
--- a/interface-definitions/containers.xml.in
+++ b/interface-definitions/containers.xml.in
@@ -111,7 +111,7 @@
- Constrain the memory available to a container (default: 512MB)
+ Constrain the memory available to a container
u32:0
Unlimited
@@ -212,7 +212,7 @@
on-failure
- Restart containers when they exit with a non-zero exit code, retrying indefinitely (default)
+ Restart containers when they exit with a non-zero exit code, retrying indefinitely
always
@@ -283,7 +283,7 @@
- Add registry (default docker.io)
+ Add registry
docker.io
diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/dhcp-relay.xml.in
index 483e776a7..a5643add6 100644
--- a/interface-definitions/dhcp-relay.xml.in
+++ b/interface-definitions/dhcp-relay.xml.in
@@ -20,7 +20,7 @@
Policy to discard packets that have reached specified hop-count
u32:1-255
- Hop count (default: 10)
+ Hop count
@@ -34,7 +34,7 @@
Maximum packet size to send to a DHCPv4/BOOTP server
u32:64-1400
- Maximum packet size (default: 576)
+ Maximum packet size
@@ -44,7 +44,7 @@
- Policy to handle incoming DHCPv4 packets which already contain relay agent options (default: forward)
+ Policy to handle incoming DHCPv4 packets which already contain relay agent options
append replace forward discard
diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in
index d1ed579e9..312dcd2a0 100644
--- a/interface-definitions/dhcp-server.xml.in
+++ b/interface-definitions/dhcp-server.xml.in
@@ -198,7 +198,7 @@
- Lease timeout in seconds (default: 86400)
+ Lease timeout in seconds
u32
DHCP lease time in seconds
diff --git a/interface-definitions/dhcpv6-relay.xml.in b/interface-definitions/dhcpv6-relay.xml.in
index 7162cf353..5abcbe804 100644
--- a/interface-definitions/dhcpv6-relay.xml.in
+++ b/interface-definitions/dhcpv6-relay.xml.in
@@ -36,7 +36,7 @@
Maximum hop count for which requests will be processed
u32:1-255
- Hop count (default: 10)
+ Hop count
diff --git a/interface-definitions/dns-domain-name.xml.in b/interface-definitions/dns-domain-name.xml.in
index 005a55ab3..7ae537d00 100644
--- a/interface-definitions/dns-domain-name.xml.in
+++ b/interface-definitions/dns-domain-name.xml.in
@@ -29,6 +29,7 @@
+
System host name (default: vyos)
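Review bot: The help string here still reads `System host name (default: vyos)` even though every other hunk in this change strips the `(default: …)` annotation out of help text; the line added just above it lost its content in rendering, but if it is a `defaultValue` node the annotation is now duplicated and will drift the next time the default changes. Drop it for consistency: `System host name`. The enclosing host-name node starts outside the hunk.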
diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in
index 4faf604ad..a2e809da8 100644
--- a/interface-definitions/dns-forwarding.xml.in
+++ b/interface-definitions/dns-forwarding.xml.in
@@ -16,7 +16,7 @@
- DNS forwarding cache size (default: 10000)
+ DNS forwarding cache size
u32:0-2147483647
DNS forwarding cache size
@@ -38,7 +38,7 @@
- DNSSEC mode (default: process-no-validate)
+ DNSSEC mode
off process-no-validate process log-fail validate
@@ -587,7 +587,7 @@
#include
- Maximum amount of time negative entries are cached (default: 3600)
+ Maximum amount of time negative entries are cached
u32:0-7200
Seconds to cache NXDOMAIN entries
diff --git a/interface-definitions/flow-accounting-conf.xml.in b/interface-definitions/flow-accounting-conf.xml.in
index 1b57d706c..05cf5e170 100644
--- a/interface-definitions/flow-accounting-conf.xml.in
+++ b/interface-definitions/flow-accounting-conf.xml.in
@@ -14,7 +14,7 @@
Buffer size
u32
- Buffer size in MiB (default: 10)
+ Buffer size in MiB
@@ -27,7 +27,7 @@
Specifies the maximum number of bytes to capture for each packet
u32:128-750
- Packet length in bytes (default: 128)
+ Packet length in bytes
@@ -209,7 +209,7 @@
9
- NetFlow version 9 (default)
+ NetFlow version 9
10
@@ -240,7 +240,7 @@
NetFlow port number
u32:1025-65535
- NetFlow port number (default: 2055)
+ NetFlow port number
@@ -260,7 +260,7 @@
Expiry scan interval
u32:0-2147483647
- Expiry scan interval (default: 60)
+ Expiry scan interval
@@ -273,7 +273,7 @@
Generic flow timeout value
u32:0-2147483647
- Generic flow timeout in seconds (default: 3600)
+ Generic flow timeout in seconds
@@ -286,7 +286,7 @@
ICMP timeout value
u32:0-2147483647
- ICMP timeout in seconds (default: 300)
+ ICMP timeout in seconds
@@ -299,7 +299,7 @@
Max active timeout value
u32:0-2147483647
- Max active timeout in seconds (default: 604800)
+ Max active timeout in seconds
@@ -312,7 +312,7 @@
TCP finish timeout value
u32:0-2147483647
- TCP FIN timeout in seconds (default: 300)
+ TCP FIN timeout in seconds
@@ -325,7 +325,7 @@
TCP generic timeout value
u32:0-2147483647
- TCP generic timeout in seconds (default: 3600)
+ TCP generic timeout in seconds
@@ -338,7 +338,7 @@
TCP reset timeout value
u32:0-2147483647
- TCP RST timeout in seconds (default: 120)
+ TCP RST timeout in seconds
@@ -351,7 +351,7 @@
UDP timeout value
u32:0-2147483647
- UDP timeout in seconds (default: 300)
+ UDP timeout in seconds
@@ -418,7 +418,7 @@
sFlow port number
u32:1025-65535
- sFlow port number (default: 6343)
+ sFlow port number
diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in
index ee1d70484..662052e12 100644
--- a/interface-definitions/high-availability.xml.in
+++ b/interface-definitions/high-availability.xml.in
@@ -22,7 +22,7 @@
Advertise interval
u32:1-255
- Advertise interval in seconds (default: 1)
+ Advertise interval in seconds
@@ -79,7 +79,7 @@
- Health check failure count required for transition to fault (default: 3)
+ Health check failure count required for transition to fault
@@ -88,7 +88,7 @@
- Health check execution interval in seconds (default: 60)
+ Health check execution interval in seconds
@@ -160,7 +160,7 @@
- Router priority (default: 100)
+ Router priority
u32:1-255
Router priority
@@ -333,7 +333,7 @@
Interval between health-checks (in seconds)
u32:1-600
- Interval in seconds (default: 10)
+ Interval in seconds
@@ -343,7 +343,7 @@
- Forwarding method (default: NAT)
+ Forwarding method
direct nat tunnel
@@ -371,7 +371,7 @@
Timeout for persistent connections
u32:1-86400
- Timeout for persistent connections (default: 300)
+ Timeout for persistent connections
@@ -381,7 +381,7 @@
- Protocol for port checks (default: TCP)
+ Protocol for port checks
tcp udp
diff --git a/interface-definitions/igmp-proxy.xml.in b/interface-definitions/igmp-proxy.xml.in
index 91c912d8b..c7ab60929 100644
--- a/interface-definitions/igmp-proxy.xml.in
+++ b/interface-definitions/igmp-proxy.xml.in
@@ -39,7 +39,7 @@
- IGMP interface role (default: downstream)
+ IGMP interface role
upstream downstream disabled
@@ -49,7 +49,7 @@
downstream
- Downstream interface(s) (default)
+ Downstream interface(s)
disabled
@@ -63,10 +63,10 @@
- TTL threshold (default: 1)
+ TTL threshold
u32:1-255
- TTL threshold for the interfaces (default: 1)
+ TTL threshold for the interfaces
diff --git a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i
index a692f2335..01cf0e040 100644
--- a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i
+++ b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i
@@ -21,7 +21,7 @@
Prefix length used for individual client
u32:48-128
- Client prefix length (default: 64)
+ Client prefix length
diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i
index 258ece2b5..441c9dda5 100644
--- a/interface-definitions/include/accel-ppp/radius-additions.xml.i
+++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i
@@ -21,7 +21,7 @@
Accounting port
u32:1-65535
- Numeric IP port (default: 1813)
+ Numeric IP port
@@ -62,7 +62,7 @@
- Timeout for Interim-Update packets, terminate session afterwards (default 3 seconds)
+ Timeout for Interim-Update packets, terminate session afterwards
u32:0-60
Timeout in seconds, 0 to keep active
@@ -126,7 +126,7 @@
- Port for Dynamic Authorization Extension server (DM/CoA) (default: 1700)
+ Port for Dynamic Authorization Extension server (DM/CoA)
u32:1-65535
TCP port
diff --git a/interface-definitions/include/bfd/common.xml.i b/interface-definitions/include/bfd/common.xml.i
index e52221441..126ab9b9a 100644
--- a/interface-definitions/include/bfd/common.xml.i
+++ b/interface-definitions/include/bfd/common.xml.i
@@ -15,7 +15,7 @@
Minimum interval of receiving control packets
u32:10-60000
- Interval in milliseconds (default: 300)
+ Interval in milliseconds
@@ -28,7 +28,7 @@
Minimum interval of transmitting control packets
u32:10-60000
- Interval in milliseconds (default: 300)
+ Interval in milliseconds
@@ -41,7 +41,7 @@
Multiplier to determine packet loss
u32:2-255
- Remote transmission interval will be multiplied by this value (default: 3)
+ Remote transmission interval will be multiplied by this value
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index 8214d0779..38337b032 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -1191,7 +1191,7 @@
Set period to rescan BGP table to check if condition is met
u32:5-240
- Period to rerun the conditional advertisement scanner process (default: 60)
+ Period to rerun the conditional advertisement scanner process
diff --git a/interface-definitions/include/bgp/timers-keepalive.xml.i b/interface-definitions/include/bgp/timers-keepalive.xml.i
index b2771e326..b23f96ec8 100644
--- a/interface-definitions/include/bgp/timers-keepalive.xml.i
+++ b/interface-definitions/include/bgp/timers-keepalive.xml.i
@@ -4,7 +4,7 @@
BGP keepalive interval for this neighbor
u32:1-65535
- Keepalive interval in seconds (default 60)
+ Keepalive interval in seconds
diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i
index 1b61b076f..8470a29a9 100644
--- a/interface-definitions/include/firewall/name-default-action.xml.i
+++ b/interface-definitions/include/firewall/name-default-action.xml.i
@@ -7,7 +7,7 @@
drop
- Drop if no prior rules are hit (default)
+ Drop if no prior rules are hit
reject
diff --git a/interface-definitions/include/interface/arp-cache-timeout.xml.i b/interface-definitions/include/interface/arp-cache-timeout.xml.i
index cb01d0525..06d7ffe96 100644
--- a/interface-definitions/include/interface/arp-cache-timeout.xml.i
+++ b/interface-definitions/include/interface/arp-cache-timeout.xml.i
@@ -4,7 +4,7 @@
ARP cache entry timeout in seconds
u32:1-86400
- ARP cache entry timout in seconds (default 30)
+ ARP cache entry timout in seconds
diff --git a/interface-definitions/include/interface/dhcp-options.xml.i b/interface-definitions/include/interface/dhcp-options.xml.i
index f62b06640..098d02919 100644
--- a/interface-definitions/include/interface/dhcp-options.xml.i
+++ b/interface-definitions/include/interface/dhcp-options.xml.i
@@ -30,7 +30,7 @@
Distance for the default route from DHCP server
u32:1-255
- Distance for the default route from DHCP server (default: 210)
+ Distance for the default route from DHCP server
diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i
index d1abf4a90..08e4f5e0a 100644
--- a/interface-definitions/include/interface/dhcpv6-options.xml.i
+++ b/interface-definitions/include/interface/dhcpv6-options.xml.i
@@ -57,10 +57,10 @@
- Local interface address assigned to interface
+ Local interface address assigned to interface (default: EUI-64)
>0
- Used to form IPv6 interface address (default: EUI-64)
+ Used to form IPv6 interface address
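Review bot: This hunk moves the `(default: EUI-64)` annotation from the value help up into the parent node's help instead of deleting it, which is the opposite of what the rest of this change does to such annotations. If the parent node cannot carry a `defaultValue` that renders the default, keeping some text is understandable, but it recreates hand-maintained default text that has to be updated by hand; if it stays, phrase it as behaviour rather than as a default marker, e.g. `Local interface address assigned to interface (EUI-64 derived when unset)`. The enclosing node starts before the hunk.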
diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i
index df2f76397..f1539757b 100644
--- a/interface-definitions/include/nat-translation-options.xml.i
+++ b/interface-definitions/include/nat-translation-options.xml.i
@@ -16,7 +16,7 @@
random
- Random source or destination address allocation for each connection (default)
+ Random source or destination address allocation for each connection
^(persistent|random)$
@@ -39,7 +39,7 @@
none
- Do not apply port randomization (default)
+ Do not apply port randomization
^(random|fully-random|none)$
diff --git a/interface-definitions/include/ospf/auto-cost.xml.i b/interface-definitions/include/ospf/auto-cost.xml.i
index 3e6cc8232..da6483a00 100644
--- a/interface-definitions/include/ospf/auto-cost.xml.i
+++ b/interface-definitions/include/ospf/auto-cost.xml.i
@@ -6,7 +6,7 @@
- Reference bandwidth method to assign cost (default: 100)
+ Reference bandwidth method to assign cost
u32:1-4294967
Reference bandwidth cost in Mbits/sec
diff --git a/interface-definitions/include/ospf/interface-common.xml.i b/interface-definitions/include/ospf/interface-common.xml.i
index 738651594..9c8b94f0b 100644
--- a/interface-definitions/include/ospf/interface-common.xml.i
+++ b/interface-definitions/include/ospf/interface-common.xml.i
@@ -20,7 +20,7 @@
- Router priority (default: 1)
+ Router priority
u32:0-255
OSPF router priority cost
diff --git a/interface-definitions/include/ospf/intervals.xml.i b/interface-definitions/include/ospf/intervals.xml.i
index fad1a6305..9f6e5df69 100644
--- a/interface-definitions/include/ospf/intervals.xml.i
+++ b/interface-definitions/include/ospf/intervals.xml.i
@@ -1,7 +1,7 @@
- Interval after which a neighbor is declared dead (default: 40)
+ Interval after which a neighbor is declared dead
u32:1-65535
Neighbor dead interval (seconds)
@@ -14,7 +14,7 @@
- Interval between hello packets (default: 10)
+ Interval between hello packets
u32:1-65535
Hello interval (seconds)
@@ -27,7 +27,7 @@
- Interval between retransmitting lost link state advertisements (default: 5)
+ Interval between retransmitting lost link state advertisements
u32:1-65535
Retransmit interval (seconds)
@@ -40,7 +40,7 @@
- Link state transmit delay (default: 1)
+ Link state transmit delay
u32:1-65535
Link state transmit delay (seconds)
diff --git a/interface-definitions/include/ospf/metric-type.xml.i b/interface-definitions/include/ospf/metric-type.xml.i
index ef9fd8ac0..de55c7645 100644
--- a/interface-definitions/include/ospf/metric-type.xml.i
+++ b/interface-definitions/include/ospf/metric-type.xml.i
@@ -1,7 +1,7 @@
- OSPF metric type for default routes (default: 2)
+ OSPF metric type for default routes
u32:1-2
Set OSPF External Type 1/2 metrics
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i
index e783f4bec..088bee2de 100644
--- a/interface-definitions/include/ospf/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospf/protocol-common-config.xml.i
@@ -106,7 +106,7 @@
- Configure NSSA-ABR (default: candidate)
+ Configure NSSA-ABR
always candidate never
@@ -116,7 +116,7 @@
candidate
- Translate for election (default)
+ Translate for election
never
@@ -502,7 +502,7 @@
- Dead neighbor polling interval (default: 60)
+ Dead neighbor polling interval
u32:1-65535
Seconds between dead neighbor polling interval
@@ -515,7 +515,7 @@
- Neighbor priority in seconds (default: 0)
+ Neighbor priority in seconds
u32:0-255
Neighbor priority
@@ -535,13 +535,13 @@
- OSPF ABR type (default: cisco)
+ OSPF ABR type
cisco ibm shortcut standard
cisco
- Cisco ABR type (default)
+ Cisco ABR type
ibm
@@ -712,7 +712,7 @@
- Delay from the first change received to SPF calculation (default: 200)
+ Delay from the first change received to SPF calculation
u32:0-600000
Delay in milliseconds
@@ -725,7 +725,7 @@
- Initial hold time between consecutive SPF calculations (default: 1000)
+ Initial hold time between consecutive SPF calculations
u32:0-600000
Initial hold time in milliseconds
@@ -738,7 +738,7 @@
- Maximum hold time (default: 10000)
+ Maximum hold time
u32:0-600000
Max hold time in milliseconds
diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i
index 5d08debda..792c873c8 100644
--- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i
@@ -158,7 +158,7 @@
- Instance Id (default: 0)
+ Instance ID
u32:0-255
Instance Id
diff --git a/interface-definitions/include/radius-server-port.xml.i b/interface-definitions/include/radius-server-port.xml.i
index 4e5d906bc..c6b691a0f 100644
--- a/interface-definitions/include/radius-server-port.xml.i
+++ b/interface-definitions/include/radius-server-port.xml.i
@@ -4,7 +4,7 @@
Authentication port
u32:1-65535
- Numeric IP port (default: 1812)
+ Numeric IP port
diff --git a/interface-definitions/include/rip/rip-timers.xml.i b/interface-definitions/include/rip/rip-timers.xml.i
index 3aaaf8e65..129d9ed23 100644
--- a/interface-definitions/include/rip/rip-timers.xml.i
+++ b/interface-definitions/include/rip/rip-timers.xml.i
@@ -9,7 +9,7 @@
Garbage collection timer
u32:5-2147483647
- Garbage colletion time (default 120)
+ Garbage colletion time
@@ -22,7 +22,7 @@
Routing information timeout timer
u32:5-2147483647
- Routing information timeout timer (default 180)
+ Routing information timeout timer
@@ -35,7 +35,7 @@
Routing table update timer
u32:5-2147483647
- Routing table update timer in seconds (default 30)
+ Routing table update timer in seconds
diff --git a/interface-definitions/include/snmp/access-mode.xml.i b/interface-definitions/include/snmp/access-mode.xml.i
index 1fce2364e..71c766774 100644
--- a/interface-definitions/include/snmp/access-mode.xml.i
+++ b/interface-definitions/include/snmp/access-mode.xml.i
@@ -7,7 +7,7 @@
ro
- Read-Only (default)
+ Read-Only
rw
diff --git a/interface-definitions/include/snmp/authentication-type.xml.i b/interface-definitions/include/snmp/authentication-type.xml.i
index 2a545864a..ca0bb10a6 100644
--- a/interface-definitions/include/snmp/authentication-type.xml.i
+++ b/interface-definitions/include/snmp/authentication-type.xml.i
@@ -7,7 +7,7 @@
md5
- Message Digest 5 (default)
+ Message Digest 5
sha
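Review bot: Only the `(default)` marker leaves the help text here; if the `defaultValue` that replaces it is still `md5` (not visible in the hunk), HMAC-MD5 remains the SNMPv3 authentication protocol a user gets without choosing one, and it is deprecated in current SNMP guidance. At minimum the help should steer users away from it, e.g. `Message Digest 5 (deprecated)`, and the default for new configurations should be revisited separately. The enclosing leafNode and its defaultValue lie outside the hunk.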
diff --git a/interface-definitions/include/snmp/privacy-type.xml.i b/interface-definitions/include/snmp/privacy-type.xml.i
index 47a1e632e..94029a6c6 100644
--- a/interface-definitions/include/snmp/privacy-type.xml.i
+++ b/interface-definitions/include/snmp/privacy-type.xml.i
@@ -7,7 +7,7 @@
des
- Data Encryption Standard (default)
+ Data Encryption Standard
aes
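Review bot: Removing `(default)` from the help does not change what is selected when nothing is set; if the `defaultValue` for this node (outside the hunk) is still `des`, SNMPv3 privacy falls back to a 56-bit cipher that offers no meaningful confidentiality today. Consider marking the option so the CLI help itself warns the operator, e.g. `Data Encryption Standard (deprecated, 56-bit)`, and evaluate moving the default to `aes` for new configurations in a follow-up, since changing it silently would alter existing deployments.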
diff --git a/interface-definitions/include/snmp/protocol.xml.i b/interface-definitions/include/snmp/protocol.xml.i
index 335736724..ebdeef87e 100644
--- a/interface-definitions/include/snmp/protocol.xml.i
+++ b/interface-definitions/include/snmp/protocol.xml.i
@@ -7,7 +7,7 @@
udp
- Listen protocol UDP (default)
+ Listen protocol UDP
tcp
diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i
index 9ef2f7c90..faa264d2f 100644
--- a/interface-definitions/include/vpn-ipsec-encryption.xml.i
+++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i
@@ -11,7 +11,7 @@
aes128
- 128 bit AES-CBC (default)
+ 128 bit AES-CBC
aes192
diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i
index 5a06b290e..b3ef4fb7a 100644
--- a/interface-definitions/include/vpn-ipsec-hash.xml.i
+++ b/interface-definitions/include/vpn-ipsec-hash.xml.i
@@ -15,7 +15,7 @@
sha1
- SHA1 HMAC (default)
+ SHA1 HMAC
sha1_160
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index 723041ca5..b98f4b960 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -66,7 +66,7 @@
layer2
- use MAC addresses to generate the hash (802.3ad, default)
+ use MAC addresses to generate the hash
layer2+3
@@ -115,7 +115,7 @@
slow
- Request partner to transmit LACPDUs every 30 seconds (default)
+ Request partner to transmit LACPDUs every 30 seconds
fast
@@ -135,7 +135,7 @@
802.3ad
- IEEE 802.3ad Dynamic link aggregation (Default)
+ IEEE 802.3ad Dynamic link aggregation
active-backup
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in
index 89a6d2303..fabfb917a 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces-bridge.xml.in
@@ -26,7 +26,7 @@
u32:10-1000000
- MAC address aging time in seconds (default: 300)
+ MAC address aging time in seconds
@@ -48,7 +48,7 @@
Forwarding delay
u32:0-200
- Spanning Tree Protocol forwarding delay in seconds (default 15)
+ Spanning Tree Protocol forwarding delay in seconds
@@ -62,7 +62,7 @@
Hello packet advertisement interval
u32:1-10
- Spanning Tree Protocol hello advertisement interval in seconds (default 2)
+ Spanning Tree Protocol hello advertisement interval in seconds
@@ -99,7 +99,7 @@
Interval at which neighbor bridges are removed
u32:1-40
- Bridge maximum aging time in seconds (default 20)
+ Bridge maximum aging time in seconds
@@ -195,7 +195,7 @@
Priority for this bridge
u32:0-65535
- Bridge priority (default 32768)
+ Bridge priority
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index 9e113cb71..be7bddfa4 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -41,7 +41,7 @@
auto
- Auto negotiation (default)
+ Auto negotiation
half
@@ -110,7 +110,7 @@
- Link speed (default: auto)
+ Link speed
auto 10 100 1000 2500 5000 10000 25000 40000 50000 100000
diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in
index 85d4ab992..ba9bcb0a2 100644
--- a/interface-definitions/interfaces-l2tpv3.xml.in
+++ b/interface-definitions/interfaces-l2tpv3.xml.in
@@ -20,7 +20,7 @@
#include
- UDP destination port for L2TPv3 tunnel (default: 5000)
+ UDP destination port for L2TPv3 tunnel
u32:1-65535
Numeric IP port
@@ -36,7 +36,7 @@
#include
- Encapsulation type (default: UDP)
+ Encapsulation type
udp ip
@@ -102,7 +102,7 @@
- UDP source port for L2TPv3 tunnel (default: 5000)
+ UDP source port for L2TPv3 tunnel
u32:1-65535
Numeric IP port
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 598935e51..7206e57b1 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -36,7 +36,7 @@
gcm-aes-128
- Galois/Counter Mode of AES cipher with 128-bit key (default)
+ Galois/Counter Mode of AES cipher with 128-bit key
gcm-aes-256
@@ -84,7 +84,7 @@
- Priority of MACsec Key Agreement protocol (MKA) actor (default: 255)
+ Priority of MACsec Key Agreement protocol (MKA) actor
u32:0-255
MACsec Key Agreement protocol (MKA) priority
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 16d91145f..eb574eb52 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -38,7 +38,7 @@
#include
- OpenVPN interface device-type (default: tun)
+ OpenVPN interface device-type
tun tap
@@ -206,7 +206,7 @@
- Maximum number of keepalive packet failures (default: 60)
+ Maximum number of keepalive packet failures
u32:0-1000
Maximum number of keepalive packet failures
@@ -219,7 +219,7 @@
- Keepalive packet interval in seconds (default: 10)
+ Keepalive packet interval in seconds
u32:0-600
Keepalive packet interval (seconds)
@@ -613,13 +613,13 @@
- Topology for clients (default: net30)
+ Topology for clients
net30 point-to-point subnet
net30
- net30 topology (default)
+ net30 topology
point-to-point
@@ -647,7 +647,7 @@
- Maximum allowed clock slop in seconds (default: 180)
+ Maximum allowed clock slop in seconds
1-65535
Seconds
@@ -660,7 +660,7 @@
- Time drift in seconds (default: 0)
+ Time drift in seconds
1-65535
Seconds
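Review bot: The removed default `0` is outside the `1-65535` range shown in the value help on the following line, so either the node's `defaultValue` (not visible here) is 0 and cannot be set explicitly by the user, or the validator accepts 0 and the displayed range is wrong. Align the two: if 0 is valid, show it, e.g. `u32:0-65535` with `Seconds (0 to disable)`; otherwise the default needs to be a value inside the range. The validator lines for this node are outside the hunk.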
@@ -673,7 +673,7 @@
- Step value for totp in seconds (default: 30)
+ Step value for totp in seconds
1-65535
Seconds
@@ -686,7 +686,7 @@
- Number of digits to use for totp hash (default: 6)
+ Number of digits to use for totp hash
1-65535
Seconds
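Review bot: The value help for `Number of digits to use for totp hash` still says `Seconds` with a `1-65535` range, neither of which describes a digit count; the commit edits this line but leaves that in place. TOTP (RFC 6238) codes are 6 to 8 digits, so the value help should read something like `Number of digits (6-8)`, and the validator for this node, which lies outside the hunk, should be checked to enforce the same bound rather than 1-65535.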
@@ -699,7 +699,7 @@
- Expect password as result of a challenge response protocol (default: enabled)
+ Expect password as result of a challenge response protocol
disable enable
@@ -709,7 +709,7 @@
enable
- Enable chalenge-response (default)
+ Enable chalenge-response
^(disable|enable)$
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index 80a890940..ed0e45840 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -23,7 +23,7 @@
#include
- Default route insertion behaviour (default: auto)
+ Default route insertion behaviour
auto none force
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index fd69fd177..eb1708aaa 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -241,7 +241,7 @@
u32:0-255
- Encapsulation limit (default: 4)
+ Encapsulation limit
none
@@ -261,7 +261,7 @@
Hoplimit
u32:0-255
- Hop limit (default: 64)
+ Hop limit
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index a2d1439a3..5b79ac671 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -291,7 +291,7 @@
0
- 20 or 40 MHz channel width (default)
+ 20 or 40 MHz channel width
1
@@ -431,7 +431,7 @@
- Wireless radio channel (default: 0)
+ Wireless radio channel
0
Automatic Channel Selection (ACS)
@@ -515,7 +515,7 @@
disabled
- no MFP (hostapd default)
+ no MFP
optional
@@ -546,7 +546,7 @@
g
- 802.11g - 54 Mbits/sec (default)
+ 802.11g - 54 Mbits/sec
n
@@ -564,7 +564,7 @@
- Wireless physical device (default: phy0)
+ Wireless physical device
diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols-rpki.xml.in
index a73d0aae4..68762ff9a 100644
--- a/interface-definitions/protocols-rpki.xml.in
+++ b/interface-definitions/protocols-rpki.xml.in
@@ -82,7 +82,7 @@
- RPKI cache polling period (default: 300)
+ RPKI cache polling period
u32:1-86400
Polling period in seconds
diff --git a/interface-definitions/service_console-server.xml.in b/interface-definitions/service_console-server.xml.in
index 28aa7ea71..549edb813 100644
--- a/interface-definitions/service_console-server.xml.in
+++ b/interface-definitions/service_console-server.xml.in
@@ -41,7 +41,7 @@
- Serial port data bits (default: 8)
+ Serial port data bits
7 8
@@ -53,7 +53,7 @@
- Serial port stop bits (default: 1)
+ Serial port stop bits
1 2
@@ -65,7 +65,7 @@
- Parity setting (default: none)
+ Parity setting
even odd none
diff --git a/interface-definitions/service_monitoring_telegraf.xml.in b/interface-definitions/service_monitoring_telegraf.xml.in
index 0db9052ff..f0a94d6a9 100644
--- a/interface-definitions/service_monitoring_telegraf.xml.in
+++ b/interface-definitions/service_monitoring_telegraf.xml.in
@@ -44,19 +44,19 @@
- Remote bucket, by default (main)
+ Remote bucket
main
- Source parameters for monitoring (default: all)
+ Source parameters for monitoring
all hardware-utilization logs network system telegraf
all
- All parameters (default)
+ All parameters
hardware-utilization
diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in
index 0f4009f5c..ce1da85aa 100644
--- a/interface-definitions/service_router-advert.xml.in
+++ b/interface-definitions/service_router-advert.xml.in
@@ -18,7 +18,7 @@
- Set Hop Count field of the IP header for outgoing packets (default: 64)
+ Set Hop Count field of the IP header for outgoing packets
u32:0
Unspecified (by this router)
@@ -63,7 +63,7 @@
medium
- Default router has medium preference (default)
+ Default router has medium preference
high
@@ -108,7 +108,7 @@
- Maximum interval between unsolicited multicast RAs (default: 600)
+ Maximum interval between unsolicited multicast RAs
u32:4-1800
Maximum interval in seconds
@@ -156,7 +156,7 @@
- Time in seconds that the route will remain valid (default: 1800 seconds)
+ Time in seconds that the route will remain valid
infinity
@@ -187,7 +187,7 @@
medium
- Route has medium preference (default)
+ Route has medium preference
high
@@ -234,7 +234,7 @@
- Time in seconds that the prefix will remain preferred (default 4 hours)
+ Time in seconds that the prefix will remain preferred
infinity
@@ -255,7 +255,7 @@
- Time in seconds that the prefix will remain valid (default: 30 days)
+ Time in seconds that the prefix will remain valid
infinity
diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in
index 03f504ac7..92e5ca37b 100644
--- a/interface-definitions/service_webproxy.xml.in
+++ b/interface-definitions/service_webproxy.xml.in
@@ -28,7 +28,7 @@
- Number of authentication helper processes (default: 5)
+ Number of authentication helper processes
n
Number of authentication helper processes
@@ -41,7 +41,7 @@
- Authenticated session time to live in minutes (default: 60)
+ Authenticated session time to live in minutes
n
Authenticated session timeout
@@ -105,7 +105,7 @@
- LDAP protocol version (default: 3)
+ LDAP protocol version
2 3
@@ -177,7 +177,7 @@
- Default Proxy Port (default: 3128)
+ Default Proxy Port
u32:1025-65535
Default port number
@@ -190,7 +190,11 @@
- Cache peer ICP port (default: disabled)
+ Cache peer ICP port
+
+ u32:0
+ Cache peer disabled
+
u32:1-65535
Cache peer ICP port
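Review bot: The new `u32:0` / `Cache peer disabled` entry advertises 0 as a valid value, but the remaining value help still reads `u32:1-65535` and the node's validator constraint is not visible in this hunk; if it is still a 1-65535 range the documented 0 is rejected at commit time. Either widen the validator to `0-65535` alongside this help change, or drop the new entry. The enclosing leafNode continues past the hunk.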
@@ -203,7 +207,7 @@
- Cache peer options (default: "no-query default")
+ Cache peer options
txt
Cache peer options
@@ -239,7 +243,7 @@
- Disk cache size in MB (default: 100)
+ Disk cache size in MB
u32
Disk cache size in MB
@@ -253,7 +257,7 @@
- Default Proxy Port (default: 3128)
+ Default Proxy Port
u32:1025-65535
Default port number
@@ -296,7 +300,7 @@
- Default Proxy Port (default: 3128)
+ Default Proxy Port
u32:1025-65535
Default port number
@@ -399,7 +403,7 @@
- Hour of day for database update [REQUIRED]
+ Hour of day for database update
u32:0-23
Hour for database update
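Review bot: Dropping `[REQUIRED]` from the help only changes what the operator sees; it does not add or remove enforcement. If the update hour is genuinely mandatory for the URL-filter auto-update, the check must exist in the conf script's verify() (not visible here), otherwise a configuration without it now commits with no hint that something is missing; if it is optional, the removal is correct as is. The enclosing node starts before the hunk.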
@@ -414,7 +418,7 @@
- Redirect URL for filtered websites (default: block.vyos.net)
+ Redirect URL for filtered websites
url
URL for redirect
diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in
index 67d3aef9a..b9e0f4cc5 100644
--- a/interface-definitions/snmp.xml.in
+++ b/interface-definitions/snmp.xml.in
@@ -26,7 +26,7 @@
ro
- Read-Only (default)
+ Read-Only
rw
@@ -226,7 +226,7 @@
auth
- Messages are authenticated but not encrypted (authNoPriv, default)
+ Messages are authenticated but not encrypted (authNoPriv)
priv
@@ -329,7 +329,7 @@
inform trap
- inform (default)
+ inform
Use INFORM
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index e3b9d16e1..187e5f8e8 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
@@ -105,7 +105,7 @@
^(quiet|fatal|error|info|verbose)$
- INFO
+ info
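Review bot: The new default `info` now matches the case-sensitive pattern `^(quiet|fatal|error|info|verbose)$` on the preceding line, which the old `INFO` never did, so any code that compares the configured value against the old literal will now see a different string. OpenSSH parses `LogLevel` case-insensitively, so the rendered sshd_config is fine, but the conf script and Jinja template consuming this node (outside this change) should be checked for an `INFO` comparison. The loglevel node's header lies outside the hunk.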
diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in
index 86fbe5701..1fa63d517 100644
--- a/interface-definitions/system-ip.xml.in
+++ b/interface-definitions/system-ip.xml.in
@@ -15,7 +15,7 @@
- Maximum number of entries to keep in the ARP cache (default: 8192)
+ Maximum number of entries to keep in the ARP cache
1024 2048 4096 8192 16384 32768
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
index 4bfe82268..a5519ee88 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system-login.xml.in
@@ -124,7 +124,7 @@
Session timeout
u32:1-30
- Session timeout in seconds (default: 2)
+ Session timeout in seconds
@@ -138,7 +138,7 @@
Server priority
u32:1-255
- Server priority (default: 255)
+ Server priority
diff --git a/interface-definitions/system-logs.xml.in b/interface-definitions/system-logs.xml.in
index 8b6c7c399..1caa7abb6 100644
--- a/interface-definitions/system-logs.xml.in
+++ b/interface-definitions/system-logs.xml.in
@@ -23,7 +23,7 @@
Size of a single log file that triggers rotation
u32:1-1024
- Size in MB (default: 10)
+ Size in MB
@@ -37,7 +37,7 @@
Count of rotations before old logs will be deleted
u32:1-100
- Rotations (default: 10)
+ Rotations
@@ -58,7 +58,7 @@
Size of a single log file that triggers rotation
u32:1-1024
- Size in MB (default: 1)
+ Size in MB
@@ -72,7 +72,7 @@
Count of rotations before old logs will be deleted
u32:1-100
- Rotations (default: 10)
+ Rotations
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index dae76218f..147bb99ba 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -30,7 +30,7 @@
disable
- Disable ESP compression (default)
+ Disable ESP compression
enable
@@ -47,7 +47,7 @@
ESP lifetime
u32:30-86400
- ESP lifetime in seconds (default: 3600)
+ ESP lifetime in seconds
@@ -87,7 +87,7 @@
tunnel
- Tunnel mode (default)
+ Tunnel mode
transport
@@ -107,7 +107,7 @@
enable
- Inherit Diffie-Hellman group from the IKE group (default)
+ Inherit Diffie-Hellman group from the IKE group
dh-group1
@@ -235,7 +235,7 @@
none
- Do nothing (default)
+ Do nothing
hold
@@ -267,7 +267,7 @@
hold
- Attempt to re-negotiate the connection when matching traffic is seen (default)
+ Attempt to re-negotiate the connection when matching traffic is seen
clear
@@ -287,7 +287,7 @@
Keep-alive interval
u32:2-86400
- Keep-alive interval in seconds (default: 30)
+ Keep-alive interval in seconds
@@ -299,7 +299,7 @@
Dead Peer Detection keep-alive timeout (IKEv1 only)
u32:2-86400
- Keep-alive timeout in seconds (default 120)
+ Keep-alive timeout in seconds
@@ -310,7 +310,7 @@
- Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
+ Re-authentication of the remote peer during an IKE re-key - IKEv2 only
yes no
@@ -320,7 +320,7 @@
no
- Disable remote host re-authenticaton during an IKE rekey. (default)
+ Disable remote host re-authenticaton during an IKE rekey
^(yes|no)$
@@ -351,7 +351,7 @@
IKE lifetime
u32:30-86400
- IKE lifetime in seconds (default: 28800)
+ IKE lifetime in seconds
@@ -367,7 +367,7 @@
enable
- Enable MOBIKE (default for IKEv2)
+ Enable MOBIKE
disable
@@ -386,7 +386,7 @@
main
- Use the main mode (recommended, default)
+ Use the main mode (recommended)
aggressive
@@ -533,7 +533,7 @@
strongSwan logging Level
0
- Very basic auditing logs e.g. SA up/SA down (default)
+ Very basic auditing logs e.g. SA up/SA down
1
@@ -791,7 +791,7 @@
u32:1-86400
- Timeout in seconds (default: 28800)
+ Timeout in seconds
@@ -1067,7 +1067,7 @@
inherit
- Inherit the reauth configuration form your IKE-group (default)
+ Inherit the reauth configuration form your IKE-group
^(yes|no|inherit)$
diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in
index 6a88756a7..9ca7b1fad 100644
--- a/interface-definitions/vpn_l2tp.xml.in
+++ b/interface-definitions/vpn_l2tp.xml.in
@@ -88,7 +88,7 @@
IKE lifetime
u32:30-86400
- IKE lifetime in seconds (default 3600)
+ IKE lifetime in seconds
@@ -101,7 +101,7 @@
ESP lifetime
u32:30-86400
- IKE lifetime in seconds (default 3600)
+ IKE lifetime in seconds
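Review bot: The rewritten help line under `ESP lifetime` still reads `IKE lifetime in seconds`, carrying over a copy-paste error from the old side of the hunk. Since this commit touches that exact line, make it `ESP lifetime in seconds` so the valueHelp text matches the node it describes.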
@@ -135,7 +135,7 @@
PPP idle timeout
u32:30-86400
- PPP idle timeout in seconds (default 1800)
+ PPP idle timeout in seconds
@@ -206,7 +206,7 @@
- Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+ Timeout to wait reply for Interim-Update packets
@@ -244,7 +244,7 @@
- Specifies which radius attribute contains rate information. (default is Filter-Id)
+ Specifies which radius attribute contains rate information
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 0db5e79d0..3fc34bacc 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -41,7 +41,7 @@
Session timeout
u32:1-30
- Session timeout in seconds (default: 2)
+ Session timeout in seconds
@@ -61,10 +61,10 @@
- tcp port number to accept connections (default: 443)
+ tcp port number to accept connections
u32:1-65535
- Numeric IP port (default: 443)
+ Numeric IP port
@@ -74,10 +74,10 @@
- udp port number to accept connections (default: 443)
+ udp port number to accept connections
u32:1-65535
- Numeric IP port (default: 443)
+ Numeric IP port
@@ -160,7 +160,7 @@
Prefix length used for individual client
u32:48-128
- Client prefix length (default: 64)
+ Client prefix length
diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in
index 69ee031c7..b898c3ecd 100644
--- a/interface-definitions/zone-policy.xml.in
+++ b/interface-definitions/zone-policy.xml.in
@@ -27,7 +27,7 @@
drop
- Drop silently (default)
+ Drop silently
reject
@@ -97,7 +97,7 @@
accept
- Accept traffic (default)
+ Accept traffic
drop
@@ -138,7 +138,7 @@
Zone to be local-zone
-
+
diff --git a/scripts/build-command-templates b/scripts/build-command-templates
index d8abb0a13..876f5877c 100755
--- a/scripts/build-command-templates
+++ b/scripts/build-command-templates
@@ -117,7 +117,7 @@ def collect_validators(ve):
return regex_args + " " + validator_args
-def get_properties(p):
+def get_properties(p, default=None):
props = {}
if p is None:
@@ -125,7 +125,12 @@ def get_properties(p):
# Get the help string
try:
- props["help"] = p.find("help").text
+ help = p.find("help").text
+ if default != None:
+ # DNS forwarding for instance has multiple defaults - specified as whitespace separated list
+ tmp = ', '.join(default.text.split())
+ help += f' (default: {tmp})'
+ props["help"] = help
except:
pass
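Review bot: `if default != None:` on the new side should be `if default is not None:`, and the bare `except: pass` that wraps this block now also swallows an AttributeError from `default.text.split()` when a defaultValue element has no text, silently dropping the whole help string instead of just the default suffix. Binding the result to `help` shadows the builtin; `help_text` reads better. The same points apply to the valueHelp hunk below, where `format` also shadows a builtin and `f' (default)'` is an f-string with no placeholders. get_properties' body continues outside the hunk.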
@@ -134,7 +139,11 @@ def get_properties(p):
vhe = p.findall("valueHelp")
vh = []
for v in vhe:
- vh.append( (v.find("format").text, v.find("description").text) )
+ format = v.find("format").text
+ description = v.find("description").text
+ if default != None and default.text == format:
+ description += f' (default)'
+ vh.append( (format, description) )
props["val_help"] = vh
except:
props["val_help"] = []
@@ -271,7 +280,7 @@ def process_node(n, tmpl_dir):
print("Name of the node: {0}. Created directory: {1}\n".format(name, "/".join(my_tmpl_dir)), end="")
os.makedirs(make_path(my_tmpl_dir), exist_ok=True)
- props = get_properties(props_elem)
+ props = get_properties(props_elem, n.find("defaultValue"))
if owner:
props["owner"] = owner
# Type should not be set for non-tag, non-leaf nodes
--
cgit v1.2.3
From ae51162283826e1a510aed1609778eb0223c8462 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 25 Feb 2022 21:57:09 +0100
Subject: vpn: ipsec: T3093: add missing defaultValue entries
---
interface-definitions/include/vpn-ipsec-encryption.xml.i | 1 +
interface-definitions/include/vpn-ipsec-hash.xml.i | 1 +
interface-definitions/vpn_ipsec.xml.in | 4 ++++
3 files changed, 6 insertions(+)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i
index faa264d2f..eb0678aa9 100644
--- a/interface-definitions/include/vpn-ipsec-encryption.xml.i
+++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i
@@ -229,5 +229,6 @@
^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$
+ aes128
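Review bot: The defaultValue `aes128` added here, and `sha1` in vpn-ipsec-hash.xml.i, are now advertised to users as the effective defaults, so they must match what the IPsec template actually applies when the option is unset; that code is outside this diff, so please confirm both before merging. If the defaults are a free choice rather than a compatibility constraint, sha256 is the more current integrity default; either way the help string of the hash node could state which default is in effect.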
diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i
index b3ef4fb7a..d6259574a 100644
--- a/interface-definitions/include/vpn-ipsec-hash.xml.i
+++ b/interface-definitions/include/vpn-ipsec-hash.xml.i
@@ -61,5 +61,6 @@
^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$
+ sha1
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 147bb99ba..885bac979 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -293,6 +293,7 @@
+ 30
@@ -305,6 +306,7 @@
+ 120
@@ -377,6 +379,7 @@
^(enable|disable)$
+ enable
@@ -396,6 +399,7 @@
^(main|aggressive)$
+ main
--
cgit v1.2.3
From e1c5f629fa310251e0516ac59fb5429b9e83d7fa Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 25 Feb 2022 22:33:16 +0100
Subject: nat: T1083: use defaultValue from XML when handling translations
---
interface-definitions/include/nat-translation-options.xml.i | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i
index f1539757b..925f90106 100644
--- a/interface-definitions/include/nat-translation-options.xml.i
+++ b/interface-definitions/include/nat-translation-options.xml.i
@@ -22,7 +22,8 @@
^(persistent|random)$
-
+ random
+
Port mapping options
@@ -45,7 +46,8 @@
^(random|fully-random|none)$
-
+ none
+
--
cgit v1.2.3
From 9d2fa6f85847bbb59af42809c50e4547542e4845 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 3 Mar 2022 19:10:07 +0100
Subject: static: T4283: fix help string for route/route6
---
interface-definitions/include/static/static-route.xml.i | 2 +-
interface-definitions/include/static/static-route6.xml.i | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i
index 21babc015..903915066 100644
--- a/interface-definitions/include/static/static-route.xml.i
+++ b/interface-definitions/include/static/static-route.xml.i
@@ -1,7 +1,7 @@
- VRF static IPv4 route
+ Static IPv4 route
ipv4net
IPv4 static route
diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i
index 0ea995588..e705c45fa 100644
--- a/interface-definitions/include/static/static-route6.xml.i
+++ b/interface-definitions/include/static/static-route6.xml.i
@@ -1,7 +1,7 @@
- VRF static IPv6 route
+ Static IPv6 route
ipv6net
IPv6 static route
--
cgit v1.2.3
From e3f86ce0d65fe8fe0c5eebebdfd3ab3723e2e539 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 3 Mar 2022 19:10:38 +0100
Subject: static: T4283: create re-usable XML interface definitions for
blackhole
---
.../include/static/static-route-blackhole.xml.i | 3 ++-
.../include/static/static-route-tag.xml.i | 14 ++++++++++++++
.../include/static/static-route.xml.i | 21 +--------------------
.../include/static/static-route6.xml.i | 21 +--------------------
4 files changed, 18 insertions(+), 41 deletions(-)
create mode 100644 interface-definitions/include/static/static-route-tag.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/static/static-route-blackhole.xml.i b/interface-definitions/include/static/static-route-blackhole.xml.i
index f2ad23e69..487f775f5 100644
--- a/interface-definitions/include/static/static-route-blackhole.xml.i
+++ b/interface-definitions/include/static/static-route-blackhole.xml.i
@@ -1,10 +1,11 @@
- Silently discard packets when matched
+ Silently discard pkts when matched
#include
+ #include
diff --git a/interface-definitions/include/static/static-route-tag.xml.i b/interface-definitions/include/static/static-route-tag.xml.i
new file mode 100644
index 000000000..24bfa732e
--- /dev/null
+++ b/interface-definitions/include/static/static-route-tag.xml.i
@@ -0,0 +1,14 @@
+
+
+
+ Tag value for this route
+
+ u32:1-4294967295
+ Tag value for this route
+
+
+
+
+
+
+
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i
index 903915066..8433703a5 100644
--- a/interface-definitions/include/static/static-route.xml.i
+++ b/interface-definitions/include/static/static-route.xml.i
@@ -11,26 +11,7 @@
-
-
- Silently discard pkts when matched
-
-
- #include
-
-
- Tag value for this route
-
- u32:1-4294967295
- Tag value for this route
-
-
-
-
-
-
-
-
+ #include
#include
diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i
index e705c45fa..124b2b062 100644
--- a/interface-definitions/include/static/static-route6.xml.i
+++ b/interface-definitions/include/static/static-route6.xml.i
@@ -11,26 +11,7 @@
-
-
- Silently discard pkts when matched
-
-
- #include
-
-
- Tag value for this route
-
- u32:1-4294967295
- Tag value for this route
-
-
-
-
-
-
-
-
+ #include
IPv6 gateway interface name
--
cgit v1.2.3
From bb78f3a9ad28f62896a536719783011794deb64c Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 3 Mar 2022 20:23:09 +0100
Subject: static: T4283: support "reject" routes - emit an ICMP unreachable
when matched
---
data/templates/frr/static_routes_macro.j2 | 3 ++
.../include/static/static-route-reject.xml.i | 12 +++++
.../include/static/static-route.xml.i | 1 +
.../include/static/static-route6.xml.i | 1 +
smoketest/scripts/cli/test_protocols_static.py | 57 +++++++++++++++++++---
src/conf_mode/protocols_static.py | 4 ++
6 files changed, 70 insertions(+), 8 deletions(-)
create mode 100644 interface-definitions/include/static/static-route-reject.xml.i
(limited to 'interface-definitions/include')
diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2
index 86c7470ca..8359357b7 100644
--- a/data/templates/frr/static_routes_macro.j2
+++ b/data/templates/frr/static_routes_macro.j2
@@ -2,6 +2,9 @@
{% if prefix_config.blackhole is defined %}
{{ ip_ipv6 }} route {{ prefix }} blackhole {{ prefix_config.blackhole.distance if prefix_config.blackhole.distance is defined }} {{ 'tag ' + prefix_config.blackhole.tag if prefix_config.blackhole.tag is defined }} {{ 'table ' + table if table is defined and table is not none }}
{% endif %}
+{% if prefix_config.reject is defined %}
+{{ ip_ipv6 }} route {{ prefix }} reject {{ prefix_config.reject.distance if prefix_config.reject.distance is defined }} {{ 'tag ' + prefix_config.reject.tag if prefix_config.reject.tag is defined }} {{ 'table ' + table if table is defined and table is not none }}
+{% endif %}
{% if prefix_config.dhcp_interface is defined and prefix_config.dhcp_interface is not none %}
{% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %}
{% if next_hop is defined and next_hop is not none %}
diff --git a/interface-definitions/include/static/static-route-reject.xml.i b/interface-definitions/include/static/static-route-reject.xml.i
new file mode 100644
index 000000000..81d4f9afd
--- /dev/null
+++ b/interface-definitions/include/static/static-route-reject.xml.i
@@ -0,0 +1,12 @@
+
+
+
+ Emit an ICMP unreachable when matched
+
+
+ #include
+ #include
+
+
+
+
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i
index 8433703a5..2de5dc58f 100644
--- a/interface-definitions/include/static/static-route.xml.i
+++ b/interface-definitions/include/static/static-route.xml.i
@@ -12,6 +12,7 @@
#include
+ #include
#include
diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i
index 124b2b062..35feef41c 100644
--- a/interface-definitions/include/static/static-route6.xml.i
+++ b/interface-definitions/include/static/static-route6.xml.i
@@ -12,6 +12,7 @@
#include
+ #include
IPv6 gateway interface name
diff --git a/smoketest/scripts/cli/test_protocols_static.py b/smoketest/scripts/cli/test_protocols_static.py
index 4c4eb5a7c..3ef9c76d8 100755
--- a/smoketest/scripts/cli/test_protocols_static.py
+++ b/smoketest/scripts/cli/test_protocols_static.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -52,9 +52,16 @@ routes = {
},
'blackhole' : { 'distance' : '90' },
},
- '100.64.0.0/10' : {
+ '100.64.0.0/16' : {
'blackhole' : { },
},
+ '100.65.0.0/16' : {
+ 'reject' : { 'distance' : '10', 'tag' : '200' },
+ },
+ '100.66.0.0/16' : {
+ 'blackhole' : { },
+ 'reject' : { 'distance' : '10', 'tag' : '200' },
+ },
'2001:db8:100::/40' : {
'next_hop' : {
'2001:db8::1' : { 'distance' : '10' },
@@ -74,6 +81,9 @@ routes = {
},
'blackhole' : { 'distance' : '250', 'tag' : '500' },
},
+ '2001:db8:300::/40' : {
+ 'reject' : { 'distance' : '250', 'tag' : '500' },
+ },
'2001:db8::/32' : {
'blackhole' : { 'distance' : '200', 'tag' : '600' },
},
@@ -82,9 +92,15 @@ routes = {
tables = ['80', '81', '82']
class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase):
- def setUp(self):
- # This is our "target" VRF when leaking routes:
- self.cli_set(['vrf', 'name', 'black', 'table', '43210'])
+ @classmethod
+ def setUpClass(cls):
+ super(cls, cls).setUpClass()
+ cls.cli_set(cls, ['vrf', 'name', 'black', 'table', '43210'])
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.cli_delete(cls, ['vrf'])
+ super(cls, cls).tearDownClass()
def tearDown(self):
for route, route_config in routes.items():
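Review bot: `super(cls, cls).setUpClass()` and `cls.cli_set(cls, [...])` are unusual: the first is the idiomatic `super().setUpClass()` inside a classmethod, and the second passes the class object as `self` to what looks like an instance method, which only works as long as `cli_set` and `cli_delete` never read instance state. If the SHIM base class provides class-level helpers for this, prefer them; otherwise a one-line comment such as `# cli_set is an instance method; pass cls as self since no instance exists yet` would save the next reader a trip to the base class. The enclosing class continues past this hunk.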
@@ -135,6 +151,20 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase):
if 'tag' in route_config['blackhole']:
self.cli_set(base + ['blackhole', 'tag', route_config['blackhole']['tag']])
+ if 'reject' in route_config:
+ self.cli_set(base + ['reject'])
+ if 'distance' in route_config['reject']:
+ self.cli_set(base + ['reject', 'distance', route_config['reject']['distance']])
+ if 'tag' in route_config['reject']:
+ self.cli_set(base + ['reject', 'tag', route_config['reject']['tag']])
+
+ if {'blackhole', 'reject'} <= set(route_config):
+ # Can not use blackhole and reject at the same time
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base + ['blackhole'])
+ self.cli_delete(base + ['reject'])
+
# commit changes
self.cli_commit()
@@ -177,6 +207,11 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase):
else:
self.assertIn(tmp, frrconfig)
+ if {'blackhole', 'reject'} <= set(route_config):
+ # Can not use blackhole and reject at the same time
+ # Config error validated above - skip this route
+ continue
+
if 'blackhole' in route_config:
tmp = f'{ip_ipv6} route {route} blackhole'
if 'tag' in route_config['blackhole']:
@@ -186,6 +221,15 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase):
self.assertIn(tmp, frrconfig)
+ if 'reject' in route_config:
+ tmp = f'{ip_ipv6} route {route} reject'
+ if 'tag' in route_config['reject']:
+ tmp += ' tag ' + route_config['reject']['tag']
+ if 'distance' in route_config['reject']:
+ tmp += ' ' + route_config['reject']['distance']
+
+ self.assertIn(tmp, frrconfig)
+
def test_02_static_table(self):
for table in tables:
for route, route_config in routes.items():
@@ -389,11 +433,8 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase):
self.assertIn(tmp, frrconfig)
- self.cli_delete(['vrf'])
-
def test_04_static_zebra_route_map(self):
# Implemented because of T3328
- self.debug = True
route_map = 'foo-static-in'
self.cli_set(['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit'])
diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py
index c1e427b16..f0ec48de4 100755
--- a/src/conf_mode/protocols_static.py
+++ b/src/conf_mode/protocols_static.py
@@ -82,6 +82,10 @@ def verify(static):
for interface, interface_config in prefix_options[type].items():
verify_vrf(interface_config)
+ if {'blackhole', 'reject'} <= set(prefix_options):
+ raise ConfigError(f'Can not use both blackhole and reject for '\
+ 'prefix "{prefix}"!')
+
return None
def generate(static):
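Review bot: Only the first literal in the new `raise ConfigError(...)` carries the `f` prefix, so `{prefix}` in the second literal is emitted verbatim and the error never names the offending prefix. Join the message into one f-string: `raise ConfigError(f'Can not use both blackhole and reject for prefix "{prefix}"!')`. The indentation is not recoverable from this view, so confirm the check sits at the per-prefix level rather than inside the interface loop above it; verify() starts outside the hunk.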
--
cgit v1.2.3
From 27404f71c85187403b3ae1b73b95e6347e07ea97 Mon Sep 17 00:00:00 2001
From: srividya0208
Date: Mon, 7 Mar 2022 04:44:08 -0500
Subject: ipsec prefix: T4275: Fix for prefix val_help of remote-access and s2s
vpn
It accepts a network as the input value, but the completion help shows an IP address; continuation of the previous commit.
---
interface-definitions/include/ipsec/local-traffic-selector.xml.i | 4 ++--
interface-definitions/vpn_ipsec.xml.in | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/ipsec/local-traffic-selector.xml.i b/interface-definitions/include/ipsec/local-traffic-selector.xml.i
index d30a6d11a..9ae67f583 100644
--- a/interface-definitions/include/ipsec/local-traffic-selector.xml.i
+++ b/interface-definitions/include/ipsec/local-traffic-selector.xml.i
@@ -9,11 +9,11 @@
Local IPv4 or IPv6 prefix
- ipv4
+ ipv4net
Local IPv4 prefix
- ipv6
+ ipv6net
Local IPv6 prefix
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 0ad69c637..d8c06a310 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -897,11 +897,11 @@
Local IPv4 or IPv6 pool prefix
- ipv4
+ ipv4net
Local IPv4 pool prefix
- ipv6
+ ipv6net
Local IPv6 pool prefix
@@ -1114,11 +1114,11 @@
Remote IPv4 or IPv6 prefix
- ipv4
+ ipv4net
Remote IPv4 prefix
- ipv6
+ ipv6net
Remote IPv6 prefix
--
cgit v1.2.3
From c29c6d3d654c7280fdd4ea9fa66b5e84ef267285 Mon Sep 17 00:00:00 2001
From: fett0
Date: Thu, 17 Mar 2022 17:35:02 +0000
Subject: OSPF : T4304: Set import/export filter inter-area prefix
---
data/templates/frr/ospfd.frr.tmpl | 6 +++++
.../include/ospf/protocol-common-config.xml.i | 30 ++++++++++++++++++++++
2 files changed, 36 insertions(+)
(limited to 'interface-definitions/include')
diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl
index 12213f162..59d936b55 100644
--- a/data/templates/frr/ospfd.frr.tmpl
+++ b/data/templates/frr/ospfd.frr.tmpl
@@ -97,6 +97,12 @@ router ospf {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% endif %}
{% endfor %}
{% endif %}
+{% if area_config.export_list is defined and area_config.export_list is not none %}
+ area {{ area_id }} export-list {{ area_config.export_list }}
+{% endif %}
+{% if area_config.import_list is defined and area_config.import_list is not none %}
+ area {{ area_id }} import-list {{ area_config.import_list }}
+{% endif %}
{% if area_config.shortcut is defined and area_config.shortcut is not none %}
area {{ area_id }} shortcut {{ area_config.shortcut }}
{% endif %}
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i
index 088bee2de..3a3372e47 100644
--- a/interface-definitions/include/ospf/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospf/protocol-common-config.xml.i
@@ -256,6 +256,36 @@
+
+
+ Set the filter for networks announced to other areas
+
+ policy access-list
+
+
+ u32
+ Access-list number
+
+
+
+
+
+
+
+
+ Set the filter for networks from other areas announced
+
+ policy access-list
+
+
+ u32
+ Access-list number
+
+
+
+
+
+
Virtual link
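Review bot: No validator is visible for the new export-list/import-list leaf nodes in this hunk, while the template hunk above renders the value verbatim into `area ... export-list ...` in the FRR configuration; if the node is not constrained elsewhere (a numeric validator here, or an existence check against configured access-lists in the conf_mode script), confirm one is added so a typo or arbitrary string does not reach the daemon config unchecked. The help string `Set the filter for networks from other areas announced` also reads awkwardly; `Set the filter for networks announced from other areas` is clearer.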
--
cgit v1.2.3
From 3584691b35f35e40a1bfc22c34da031141fd0dfa Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 21 Mar 2022 21:41:41 +0100
Subject: qos: T4284: initial XML interface definitions for rewrite
---
Makefile | 6 +
data/configd-include.json | 1 +
.../include/interface/redirect.xml.i | 17 +
.../include/interface/traffic-policy.xml.i | 43 ++
.../include/interface/vif-s.xml.i | 4 +
interface-definitions/include/interface/vif.xml.i | 4 +-
interface-definitions/include/qos/bandwidth.xml.i | 15 +
interface-definitions/include/qos/burst.xml.i | 16 +
.../include/qos/codel-quantum.xml.i | 16 +
interface-definitions/include/qos/dscp.xml.i | 143 ++++
interface-definitions/include/qos/flows.xml.i | 16 +
interface-definitions/include/qos/hfsc-d.xml.i | 15 +
interface-definitions/include/qos/hfsc-m1.xml.i | 32 +
interface-definitions/include/qos/hfsc-m2.xml.i | 32 +
interface-definitions/include/qos/interval.xml.i | 16 +
interface-definitions/include/qos/match.xml.i | 221 +++++++
interface-definitions/include/qos/max-length.xml.i | 15 +
.../include/qos/queue-limit-1-4294967295.xml.i | 15 +
.../include/qos/queue-limit-2-10999.xml.i | 16 +
interface-definitions/include/qos/queue-type.xml.i | 30 +
interface-definitions/include/qos/set-dscp.xml.i | 63 ++
interface-definitions/include/qos/target.xml.i | 16 +
interface-definitions/include/qos/tcp-flags.xml.i | 21 +
interface-definitions/interfaces-bonding.xml.in | 2 +
interface-definitions/interfaces-bridge.xml.in | 2 +
interface-definitions/interfaces-dummy.xml.in | 2 +
interface-definitions/interfaces-ethernet.xml.in | 2 +
interface-definitions/interfaces-geneve.xml.in | 2 +
interface-definitions/interfaces-input.xml.in | 30 +
interface-definitions/interfaces-l2tpv3.xml.in | 1 +
interface-definitions/interfaces-loopback.xml.in | 2 +
interface-definitions/interfaces-macsec.xml.in | 2 +
interface-definitions/interfaces-openvpn.xml.in | 2 +
interface-definitions/interfaces-pppoe.xml.in | 4 +-
.../interfaces-pseudo-ethernet.xml.in | 2 +
interface-definitions/interfaces-tunnel.xml.in | 4 +-
interface-definitions/interfaces-vti.xml.in | 2 +
interface-definitions/interfaces-vxlan.xml.in | 2 +
interface-definitions/interfaces-wireguard.xml.in | 4 +-
interface-definitions/interfaces-wireless.xml.in | 2 +
interface-definitions/interfaces-wwan.xml.in | 4 +-
interface-definitions/qos.xml.in | 721 +++++++++++++++++++++
python/vyos/configverify.py | 16 +
src/conf_mode/interfaces-bonding.py | 4 +-
src/conf_mode/interfaces-bridge.py | 2 +
src/conf_mode/interfaces-dummy.py | 2 +
src/conf_mode/interfaces-ethernet.py | 2 +
src/conf_mode/interfaces-geneve.py | 2 +
src/conf_mode/interfaces-l2tpv3.py | 2 +
src/conf_mode/interfaces-loopback.py | 2 +
src/conf_mode/interfaces-macsec.py | 2 +
src/conf_mode/interfaces-pppoe.py | 2 +
src/conf_mode/interfaces-pseudo-ethernet.py | 2 +
src/conf_mode/interfaces-tunnel.py | 2 +
src/conf_mode/interfaces-vti.py | 2 +
src/conf_mode/interfaces-vxlan.py | 2 +
src/conf_mode/interfaces-wireguard.py | 2 +
src/conf_mode/interfaces-wireless.py | 2 +
src/conf_mode/interfaces-wwan.py | 2 +
src/conf_mode/qos.py | 90 +++
60 files changed, 1699 insertions(+), 6 deletions(-)
create mode 100644 interface-definitions/include/interface/redirect.xml.i
create mode 100644 interface-definitions/include/interface/traffic-policy.xml.i
create mode 100644 interface-definitions/include/qos/bandwidth.xml.i
create mode 100644 interface-definitions/include/qos/burst.xml.i
create mode 100644 interface-definitions/include/qos/codel-quantum.xml.i
create mode 100644 interface-definitions/include/qos/dscp.xml.i
create mode 100644 interface-definitions/include/qos/flows.xml.i
create mode 100644 interface-definitions/include/qos/hfsc-d.xml.i
create mode 100644 interface-definitions/include/qos/hfsc-m1.xml.i
create mode 100644 interface-definitions/include/qos/hfsc-m2.xml.i
create mode 100644 interface-definitions/include/qos/interval.xml.i
create mode 100644 interface-definitions/include/qos/match.xml.i
create mode 100644 interface-definitions/include/qos/max-length.xml.i
create mode 100644 interface-definitions/include/qos/queue-limit-1-4294967295.xml.i
create mode 100644 interface-definitions/include/qos/queue-limit-2-10999.xml.i
create mode 100644 interface-definitions/include/qos/queue-type.xml.i
create mode 100644 interface-definitions/include/qos/set-dscp.xml.i
create mode 100644 interface-definitions/include/qos/target.xml.i
create mode 100644 interface-definitions/include/qos/tcp-flags.xml.i
create mode 100644 interface-definitions/interfaces-input.xml.in
create mode 100644 interface-definitions/qos.xml.in
create mode 100755 src/conf_mode/qos.py
(limited to 'interface-definitions/include')
diff --git a/Makefile b/Makefile
index 29744b323..431f3a8c2 100644
--- a/Makefile
+++ b/Makefile
@@ -29,6 +29,12 @@ interface_definitions: $(config_xml_obj)
# XXX: delete top level node.def's that now live in other packages
# IPSec VPN EAP-RADIUS does not support source-address
rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address
+
+ # T4284 neq QoS implementation is not yet live
+ find $(TMPL_DIR)/interfaces -name traffic-policy -type d -exec rm -rf {} \;
+ find $(TMPL_DIR)/interfaces -name redirect -type d -exec rm -rf {} \;
+ rm -rf $(TMPL_DIR)/interfaces/input
+
# XXX: test if there are empty node.def files - this is not allowed as these
# could mask help strings or mandatory priority statements
find $(TMPL_DIR) -name node.def -type f -empty -exec false {} + || sh -c 'echo "There are empty node.def files! Check your interface definitions." && exit 1'
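Review bot: `find $(TMPL_DIR)/interfaces -name traffic-policy -type d -exec rm -rf {} \;` deletes a directory and then lets find try to descend into it, which with GNU find prints a "No such file or directory" diagnostic and may return non-zero, failing the target. Add `-prune` before `-exec` (`find $(TMPL_DIR)/interfaces -name traffic-policy -type d -prune -exec rm -rf {} \;`) or use `-exec rm -rf {} +`; the same applies to the `redirect` line below it. The comment also reads `neq` where `new` is meant.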
diff --git a/data/configd-include.json b/data/configd-include.json
index c85ab0725..b77d48001 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -48,6 +48,7 @@
"protocols_ripng.py",
"protocols_static.py",
"protocols_static_multicast.py",
+"qos.py",
"salt-minion.py",
"service_console-server.py",
"service_ids_fastnetmon.py",
diff --git a/interface-definitions/include/interface/redirect.xml.i b/interface-definitions/include/interface/redirect.xml.i
new file mode 100644
index 000000000..3be9ee16b
--- /dev/null
+++ b/interface-definitions/include/interface/redirect.xml.i
@@ -0,0 +1,17 @@
+
+
+
+ Incoming packet redirection destination
+
+
+
+
+ txt
+ Interface name
+
+
+
+
+
+
+
diff --git a/interface-definitions/include/interface/traffic-policy.xml.i b/interface-definitions/include/interface/traffic-policy.xml.i
new file mode 100644
index 000000000..cd60b62a5
--- /dev/null
+++ b/interface-definitions/include/interface/traffic-policy.xml.i
@@ -0,0 +1,43 @@
+
+
+
+ Traffic-policy for interface
+
+
+
+
+ Ingress traffic policy for interface
+
+ traffic-policy drop-tail
+ traffic-policy fair-queue
+ traffic-policy fq-codel
+ traffic-policy limiter
+ traffic-policy network-emulator
+ traffic-policy priority-queue
+ traffic-policy random-detect
+ traffic-policy rate-control
+ traffic-policy round-robin
+ traffic-policy shaper
+ traffic-policy shaper-hfsc
+
+
+ txt
+ Policy name
+
+
+
+
+
+ Egress traffic policy for interface
+
+ traffic-policy
+
+
+ txt
+ Policy name
+
+
+
+
+
+
\ No newline at end of file
diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i
index f1a61ff64..59a47b5ff 100644
--- a/interface-definitions/include/interface/vif-s.xml.i
+++ b/interface-definitions/include/interface/vif-s.xml.i
@@ -64,11 +64,15 @@
#include
#include
#include
+ #include
+ #include
#include
#include
#include
+ #include
+ #include
#include
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index 11ba7e2f8..8a1475711 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -18,7 +18,6 @@
#include
#include
#include
- #include
#include
#include
@@ -51,6 +50,9 @@
#include
#include
#include
+ #include
+ #include
+ #include
diff --git a/interface-definitions/include/qos/bandwidth.xml.i b/interface-definitions/include/qos/bandwidth.xml.i
new file mode 100644
index 000000000..82af22f42
--- /dev/null
+++ b/interface-definitions/include/qos/bandwidth.xml.i
@@ -0,0 +1,15 @@
+
+
+
+ Traffic-limit used for this class
+
+ <number>
+ Rate in kbit (kilobit per second)
+
+
+ <number><suffix>
+ Rate with scaling suffix (mbit, mbps, ...)
+
+
+
+
diff --git a/interface-definitions/include/qos/burst.xml.i b/interface-definitions/include/qos/burst.xml.i
new file mode 100644
index 000000000..761618027
--- /dev/null
+++ b/interface-definitions/include/qos/burst.xml.i
@@ -0,0 +1,16 @@
+
+
+
+ Burst size for this class
+
+ <number>
+ Bytes
+
+
+ <number><suffix>
+ Bytes with scaling suffix (kb, mb, gb)
+
+
+ 15k
+
+
diff --git a/interface-definitions/include/qos/codel-quantum.xml.i b/interface-definitions/include/qos/codel-quantum.xml.i
new file mode 100644
index 000000000..bc24630b6
--- /dev/null
+++ b/interface-definitions/include/qos/codel-quantum.xml.i
@@ -0,0 +1,16 @@
+
+
+
+ Deficit in the fair queuing algorithm
+
+ u32:0-1048576
+ Number of bytes used as 'deficit'
+
+
+
+
+ Interval must be in range 0 to 1048576
+
+ 1514
+
+
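Review bot: The constraint error message `Interval must be in range 0 to 1048576` describes an interval, but this node is the CoDel quantum (deficit in bytes), so a user entering an out-of-range value is told about the wrong parameter. Suggest `Quantum must be in range 0 to 1048576`. The same copy-paste appears in flows.xml.i (`Interval must be in range 1 to 65536`), whose hunk runs past the end of this view.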
diff --git a/interface-definitions/include/qos/dscp.xml.i b/interface-definitions/include/qos/dscp.xml.i
new file mode 100644
index 000000000..bb90850ac
--- /dev/null
+++ b/interface-definitions/include/qos/dscp.xml.i
@@ -0,0 +1,143 @@
+
+
+
+ Match on Differentiated Services Codepoint (DSCP)
+
+ default reliability throughput lowdelay priority immediate flash flash-override critical internet network AF11 AF12 AF13 AF21 AF22 AF23 AF31 AF32 AF33 AF41 AF42 AF43 CS1 CS2 CS3 CS4 CS5 CS6 CS7 EF
+
+
+ u32:0-63
+ Differentiated Services Codepoint (DSCP) value
+
+
+ default
+ match DSCP (000000)
+
+
+ reliability
+ match DSCP (000001)
+
+
+ throughput
+ match DSCP (000010)
+
+
+ lowdelay
+ match DSCP (000100)
+
+
+ priority
+ match DSCP (001000)
+
+
+ immediate
+ match DSCP (010000)
+
+
+ flash
+ match DSCP (011000)
+
+
+ flash-override
+ match DSCP (100000)
+
+
+ critical
+ match DSCP (101000)
+
+
+ internet
+ match DSCP (110000)
+
+
+ network
+ match DSCP (111000)
+
+
+ AF11
+ High-throughput data
+
+
+ AF12
+ High-throughput data
+
+
+ AF13
+ High-throughput data
+
+
+ AF21
+ Low-latency data
+
+
+ AF22
+ Low-latency data
+
+
+ AF23
+ Low-latency data
+
+
+ AF31
+ Multimedia streaming
+
+
+ AF32
+ Multimedia streaming
+
+
+ AF33
+ Multimedia streaming
+
+
+ AF41
+ Multimedia conferencing
+
+
+ AF42
+ Multimedia conferencing
+
+
+ AF43
+ Multimedia conferencing
+
+
+ CS1
+ Low-priority data
+
+
+ CS2
+ OAM
+
+
+ CS3
+ Broadcast video
+
+
+ CS4
+ Real-time interactive
+
+
+ CS5
+ Signaling
+
+
+ CS6
+ Network control
+
+
+ CS7
+
+
+
+ EF
+ Expedited Forwarding
+
+
+
+ (default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network|AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF)
+
+ Priority must be between 0 and 63
+
+
+
diff --git a/interface-definitions/include/qos/flows.xml.i b/interface-definitions/include/qos/flows.xml.i
new file mode 100644
index 000000000..a7d7c6422
--- /dev/null
+++ b/interface-definitions/include/qos/flows.xml.i
@@ -0,0 +1,16 @@
+
+
+
+ Number of flows into which the incoming packets are classified
+
+ u32:1-65536
+ Number of flows
+
+
+
+
+ Interval must be in range 1 to 65536
+
+ 1024
+
+
diff --git a/interface-definitions/include/qos/hfsc-d.xml.i b/interface-definitions/include/qos/hfsc-d.xml.i
new file mode 100644
index 000000000..2a513509c
--- /dev/null
+++ b/interface-definitions/include/qos/hfsc-d.xml.i
@@ -0,0 +1,15 @@
+
+
+
+ Service curve delay
+
+ <number>
+ Time in milliseconds
+
+
+
+
+ Priority must be between 0 and 65535
+
+
+
diff --git a/interface-definitions/include/qos/hfsc-m1.xml.i b/interface-definitions/include/qos/hfsc-m1.xml.i
new file mode 100644
index 000000000..749d01f57
--- /dev/null
+++ b/interface-definitions/include/qos/hfsc-m1.xml.i
@@ -0,0 +1,32 @@
+
+
+
+ Linkshare m1 parameter for class traffic
+
+ <number>
+ Rate in kbit (kilobit per second)
+
+
+ <number>%%
+ Percentage of overall rate
+
+
+ <number>bit
+ bit(1), kbit(10^3), mbit(10^6), gbit, tbit
+
+
+ <number>ibit
+ kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
+
+
+ <number>ibps
+ kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
+
+
+ <number>bps
+ bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+
+
+ 100%
+
+
diff --git a/interface-definitions/include/qos/hfsc-m2.xml.i b/interface-definitions/include/qos/hfsc-m2.xml.i
new file mode 100644
index 000000000..24e8f5d63
--- /dev/null
+++ b/interface-definitions/include/qos/hfsc-m2.xml.i
@@ -0,0 +1,32 @@
+
+
+
+ Linkshare m2 parameter for class traffic
+
+ <number>
+ Rate in kbit (kilobit per second)
+
+
+ <number>%%
+ Percentage of overall rate
+
+
+ <number>bit
+ bit(1), kbit(10^3), mbit(10^6), gbit, tbit
+
+
+ <number>ibit
+ kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
+
+
+ <number>ibps
+ kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
+
+
+ <number>bps
+ bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+
+
+ 100%
+
+
diff --git a/interface-definitions/include/qos/interval.xml.i b/interface-definitions/include/qos/interval.xml.i
new file mode 100644
index 000000000..41896ac9c
--- /dev/null
+++ b/interface-definitions/include/qos/interval.xml.i
@@ -0,0 +1,16 @@
+
+
+
+ Interval used to measure the delay
+
+ u32
+ Interval in milliseconds
+
+
+
+
+ Interval must be in range 0 to 4294967295
+
+ 100
+
+
diff --git a/interface-definitions/include/qos/match.xml.i b/interface-definitions/include/qos/match.xml.i
new file mode 100644
index 000000000..7d89e4460
--- /dev/null
+++ b/interface-definitions/include/qos/match.xml.i
@@ -0,0 +1,221 @@
+
+
+
+ Class matching rule name
+
+ [^-].*
+
+ Match queue name cannot start with hyphen (-)
+
+
+ #include
+
+
+ Ethernet header match
+
+
+
+
+ Ethernet destination address for this match
+
+ macaddr
+ MAC address to match
+
+
+
+
+
+
+
+
+ Ethernet protocol for this match
+
+
+ all 802.1Q 802_2 802_3 aarp aoe arp atalk dec ip ipv6 ipx lat localtalk rarp snap x25
+
+
+ u32:0-65535
+ Ethernet protocol number
+
+
+ txt
+ Ethernet protocol name
+
+
+ all
+ Any protocol
+
+
+ ip
+ Internet IP (IPv4)
+
+
+ ipv6
+ Internet IP (IPv6)
+
+
+ arp
+ Address Resolution Protocol
+
+
+ atalk
+ Appletalk
+
+
+ ipx
+ Novell Internet Packet Exchange
+
+
+ 802.1Q
+ 802.1Q VLAN tag
+
+
+
+
+
+
+
+
+ Ethernet source address for this match
+
+ macaddr
+ MAC address to match
+
+
+
+
+
+
+
+
+ #include
+
+
+ Match IP protocol header
+
+
+
+
+ Match on destination port or address
+
+
+
+
+ IPv4 destination address for this match
+
+ ipv4net
+ IPv4 address and prefix length
+
+
+
+
+
+
+ #include
+
+
+ #include
+ #include
+ #include
+
+
+ Match on source port or address
+
+
+
+
+ IPv4 source address for this match
+
+ ipv4net
+ IPv4 address and prefix length
+
+
+
+
+
+
+ #include
+
+
+ #include
+
+
+
+
+ Match IPv6 protocol header
+
+
+
+
+ Match on destination port or address
+
+
+
+
+ IPv6 destination address for this match
+
+ ipv6net
+ IPv6 address and prefix length
+
+
+
+
+
+
+ #include
+
+
+ #include
+ #include
+ #include
+
+
+ Match on source port or address
+
+
+
+
+ IPv6 source address for this match
+
+ ipv6net
+ IPv6 address and prefix length
+
+
+
+
+
+
+ #include
+
+
+ #include
+
+
+
+
+ Match on mark applied by firewall
+
+ txt
+ FW mark to match
+
+
+
+
+
+
+
+
+ Virtual Local Area Network (VLAN) ID for this match
+
+ u32:0-4095
+ Virtual Local Area Network (VLAN) tag
+
+
+
+
+ VLAN ID must be between 0 and 4095
+
+
+
+
+
diff --git a/interface-definitions/include/qos/max-length.xml.i b/interface-definitions/include/qos/max-length.xml.i
new file mode 100644
index 000000000..4cc20f8c4
--- /dev/null
+++ b/interface-definitions/include/qos/max-length.xml.i
@@ -0,0 +1,15 @@
+
+
+
+ Maximum packet length (ipv4)
+
+ u32:0-65535
+ Maximum packet/payload length
+
+
+
+
+ Maximum IPv4 total packet length is 65535
+
+
+
diff --git a/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i b/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i
new file mode 100644
index 000000000..2f2d44631
--- /dev/null
+++ b/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i
@@ -0,0 +1,15 @@
+
+
+
+ Maximum queue size
+
+ u32:1-4294967295
+ Queue size in packets
+
+
+
+
+ Queue limit must be greater than zero
+
+
+
diff --git a/interface-definitions/include/qos/queue-limit-2-10999.xml.i b/interface-definitions/include/qos/queue-limit-2-10999.xml.i
new file mode 100644
index 000000000..7a9c8266b
--- /dev/null
+++ b/interface-definitions/include/qos/queue-limit-2-10999.xml.i
@@ -0,0 +1,16 @@
+
+
+
+ Upper limit of the queue
+
+ u32:2-10999
+ Queue size in packets
+
+
+
+
+ Queue limit must greater than 1 and less than 11000
+
+ 10240
+
+
diff --git a/interface-definitions/include/qos/queue-type.xml.i b/interface-definitions/include/qos/queue-type.xml.i
new file mode 100644
index 000000000..634f61024
--- /dev/null
+++ b/interface-definitions/include/qos/queue-type.xml.i
@@ -0,0 +1,30 @@
+
+
+
+ Queue type for default traffic
+
+ fq-codel fair-queue drop-tail random-detect
+
+
+ fq-codel
+ Fair Queue Codel
+
+
+ fair-queue
+ Stochastic Fair Queue (SFQ)
+
+
+ drop-tail
+ First-In-First-Out (FIFO)
+
+
+ random-detect
+ Random Early Detection (RED)
+
+
+ (fq-codel|fair-queue|drop-tail|random-detect)
+
+
+ drop-tail
+
+
diff --git a/interface-definitions/include/qos/set-dscp.xml.i b/interface-definitions/include/qos/set-dscp.xml.i
new file mode 100644
index 000000000..55c0ea44d
--- /dev/null
+++ b/interface-definitions/include/qos/set-dscp.xml.i
@@ -0,0 +1,63 @@
+
+
+
+ Change the Differentiated Services (DiffServ) field in the IP header
+
+ default reliability throughput lowdelay priority immediate flash flash-override critical internet network
+
+
+ u32:0-63
+ Priority order for bandwidth pool
+
+
+ default
+ match DSCP (000000)
+
+
+ reliability
+ match DSCP (000001)
+
+
+ throughput
+ match DSCP (000010)
+
+
+ lowdelay
+ match DSCP (000100)
+
+
+ priority
+ match DSCP (001000)
+
+
+ immediate
+ match DSCP (010000)
+
+
+ flash
+ match DSCP (011000)
+
+
+ flash-override
+ match DSCP (100000)
+
+
+ critical
+ match DSCP (101000)
+
+
+ internet
+ match DSCP (110000)
+
+
+ network
+ match DSCP (111000)
+
+
+
+ (default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network)
+
+ Priority must be between 0 and 63
+
+
+
diff --git a/interface-definitions/include/qos/target.xml.i b/interface-definitions/include/qos/target.xml.i
new file mode 100644
index 000000000..bf6342ac9
--- /dev/null
+++ b/interface-definitions/include/qos/target.xml.i
@@ -0,0 +1,16 @@
+
+
+
+ Acceptable minimum standing/persistent queue delay
+
+ u32
+ Queue delay in milliseconds
+
+
+
+
+ Delay must be in range 0 to 4294967295
+
+ 5
+
+
diff --git a/interface-definitions/include/qos/tcp-flags.xml.i b/interface-definitions/include/qos/tcp-flags.xml.i
new file mode 100644
index 000000000..81d70d1f3
--- /dev/null
+++ b/interface-definitions/include/qos/tcp-flags.xml.i
@@ -0,0 +1,21 @@
+
+
+
+ TCP Flags matching
+
+
+
+
+ Match TCP ACK
+
+
+
+
+
+ Match TCP SYN
+
+
+
+
+
+
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index b98f4b960..20ece5137 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -207,6 +207,8 @@
+ #include
+ #include
#include
#include
#include
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in
index fabfb917a..6957067cd 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces-bridge.xml.in
@@ -210,6 +210,8 @@
+ #include
+ #include
#include
diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in
index 3bca8b950..109ed1b50 100644
--- a/interface-definitions/interfaces-dummy.xml.in
+++ b/interface-definitions/interfaces-dummy.xml.in
@@ -30,6 +30,8 @@
#include
+ #include
+ #include
#include
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index be7bddfa4..7d28912c0 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -196,6 +196,8 @@
+ #include
+ #include
#include
#include
#include
diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in
index dd4d324d4..aa5809e60 100644
--- a/interface-definitions/interfaces-geneve.xml.in
+++ b/interface-definitions/interfaces-geneve.xml.in
@@ -50,6 +50,8 @@
+ #include
+ #include
#include
#include
diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in
new file mode 100644
index 000000000..f2eb01c58
--- /dev/null
+++ b/interface-definitions/interfaces-input.xml.in
@@ -0,0 +1,30 @@
+
+
+
+
+
+
+ Input Functional Block (IFB) interface name
+
+ 310
+
+ ifb[0-9]+
+
+ Input interface must be named ifbN
+
+ ifbN
+ Input interface name
+
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+
+
+
diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in
index ba9bcb0a2..124863653 100644
--- a/interface-definitions/interfaces-l2tpv3.xml.in
+++ b/interface-definitions/interfaces-l2tpv3.xml.in
@@ -125,6 +125,7 @@
+ #include
#include
diff --git a/interface-definitions/interfaces-loopback.xml.in b/interface-definitions/interfaces-loopback.xml.in
index 7be15ab89..ffffc0220 100644
--- a/interface-definitions/interfaces-loopback.xml.in
+++ b/interface-definitions/interfaces-loopback.xml.in
@@ -26,6 +26,8 @@
#include
+ #include
+ #include
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 7206e57b1..311e95c2f 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -122,6 +122,8 @@
1460
#include
+ #include
+ #include
#include
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index eb574eb52..73e30e590 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -816,6 +816,8 @@
+ #include
+ #include
#include
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index ed0e45840..1d888236e 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -49,7 +49,6 @@
#include
#include
#include
- #include
Delay before disconnecting idle session (in seconds)
@@ -134,6 +133,9 @@
Service name must be alphanumeric only
+ #include
+ #include
+ #include
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in
index bf7055f8d..7baeac537 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in
@@ -59,6 +59,8 @@
private
#include
+ #include
+ #include
#include
#include
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index eb1708aaa..bc9297c86 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -20,7 +20,6 @@
#include
#include
#include
- #include
#include
1476
@@ -288,6 +287,9 @@
+ #include
+ #include
+ #include
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in
index f03c7476d..538194c2b 100644
--- a/interface-definitions/interfaces-vti.xml.in
+++ b/interface-definitions/interfaces-vti.xml.in
@@ -34,6 +34,8 @@
#include
#include
#include
+ #include
+ #include
#include
#include
#include
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 0546b4199..18abf9f20 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -99,6 +99,8 @@
#include
#include
#include
+ #include
+ #include
#include
#include
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 1b4b4a816..2f130c6f2 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -19,7 +19,6 @@
#include
#include
#include
- #include
#include
#include
#include
@@ -120,6 +119,9 @@
+ #include
+ #include
+ #include
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index 9db9fd757..eebe8f841 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -778,6 +778,8 @@
monitor
+ #include
+ #include
#include
#include
diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in
index 03554feed..7007a67ae 100644
--- a/interface-definitions/interfaces-wwan.xml.in
+++ b/interface-definitions/interfaces-wwan.xml.in
@@ -30,7 +30,6 @@
#include
#include
#include
- #include
#include
#include
@@ -41,6 +40,9 @@
#include
#include
#include
+ #include
+ #include
+ #include
diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in
new file mode 100644
index 000000000..d4468543c
--- /dev/null
+++ b/interface-definitions/qos.xml.in
@@ -0,0 +1,721 @@
+
+
+
+
+ Quality of Service (QOS) policy type
+ 900
+
+
+
+
+ Packet limited First In, First Out queue
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+ #include
+
+
+
+
+ Stochastic Fairness Queueing
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+
+
+ Interval in seconds for queue algorithm perturbation
+
+ u32:0
+ No perturbation
+
+
+ u32:1-127
+ Interval in seconds for queue algorithm perturbation (advised: 10)
+
+
+
+
+ Interval must be in range 0 to 127
+
+ 0
+
+
+
+ Upper limit of the SFQ
+
+ u32:2-127
+ Queue size in packets
+
+
+
+
+ Queue limit must greater than 1 and less than 128
+
+ 127
+
+
+
+
+
+ Fair Queuing Controlled Delay
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+
+
+ Traffic input limiting policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+
+
+ Class ID
+
+ u32:1-4090
+ Class Identifier
+
+
+
+
+ Class identifier must be between 1 and 4090
+
+
+ #include
+ #include
+ #include
+ #include
+
+
+ Priority for rule evaluation
+
+ u32:0-20
+ Priority for match rule evaluation
+
+
+
+
+ Priority must be between 0 and 20
+
+ 20
+
+
+
+
+
+ Default policy
+
+
+ #include
+ #include
+
+
+ #include
+
+
+
+
+ Network emulator policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+ #include
+ #include
+
+
+ Adds delay to packets outgoing to chosen network interface
+
+ <number>
+ Time in milliseconds
+
+
+
+
+ Priority must be between 0 and 65535
+
+
+
+
+ Introducing error in a random position for chosen percent of packets
+
+ <number>
+ Percentage of packets affected
+
+
+
+
+ Priority must be between 0 and 100
+
+
+
+
+ Add independent loss probability to the packets outgoing to chosen network interface
+
+ <number>
+ Percentage of packets affected
+
+
+
+
+ Must be between 0 and 100
+
+
+
+
+ Add independent loss probability to the packets outgoing to chosen network interface
+
+ <number>
+ Percentage of packets affected
+
+
+
+
+ Must be between 0 and 100
+
+
+
+
+ Packet reordering percentage
+
+ <number>
+ Percentage of packets affected
+
+
+
+
+ Must be between 0 and 100
+
+
+ #include
+
+
+
+
+ Priority queuing based policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+
+
+ Class Handle
+
+ u32:1-7
+ Priority
+
+
+
+
+ Class handle must be between 1 and 7
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+
+
+ Default policy
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+ #include
+
+
+
+
+ Priority queuing based policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+
+ auto
+
+ #include
+
+
+ IP precedence
+
+ u32:0-7
+ IP precedence value
+
+
+
+
+ IP precedence value must be between 0 and 7
+
+
+ #include
+
+
+ Average packet size (bytes)
+
+ u32:16-10240
+ Average packet size in bytes
+
+
+
+
+ Average packet size must be between 16 and 10240
+
+ 1024
+
+
+
+ Mark probability for this precedence
+
+ <number>
+ Numeric value (1/N)
+
+
+
+
+ Mark probability must be greater than 0
+
+
+
+
+ Maximum threshold for random detection
+
+ u32:0-4096
+ Maximum Threshold in packets
+
+
+
+
+ Threshold must be between 0 and 4096
+
+
+
+
+ Minimum threshold for random detection
+
+ u32:0-4096
+ Maximum Threshold in packets
+
+
+
+
+ Threshold must be between 0 and 4096
+
+
+
+
+
+
+
+
+ Rate limiting policy (Token Bucket Filter)
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+ #include
+ #include
+
+
+ Maximum latency
+
+ <number>
+ Time in milliseconds
+
+
+
+
+ Threshold must be between 0 and 4096
+
+ 50
+
+
+
+
+
+ Round-Robin based policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+
+
+ Class ID
+
+ u32:1-4095
+ Class Identifier
+
+
+
+
+ Class identifier must be between 1 and 4095
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+ Packet scheduling quantum
+
+ u32:1-4294967295
+ Packet scheduling quantum (bytes)
+
+
+
+
+ Quantum must be in range 1 to 4294967295
+
+
+ #include
+ #include
+ #include
+
+
+
+
+
+
+ Hierarchical Fair Service Curve's policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+
+ auto
+
+ #include
+
+
+ Class ID
+
+ u32:1-4095
+ Class Identifier
+
+
+
+
+ Class identifier must be between 1 and 4095
+
+
+ #include
+
+
+ Linkshare class settings
+
+
+ #include
+ #include
+ #include
+
+
+ #include
+
+
+ Realtime class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+ Upperlimit class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+
+
+ Default policy
+
+
+
+
+ Linkshare class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+ Realtime class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+ Upperlimit class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+
+
+
+
+ Traffic shaping based policy (Hierarchy Token Bucket)
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+
+ auto
+
+
+
+ Class ID
+
+ u32:2-4095
+ Class Identifier
+
+
+
+
+ Class identifier must be between 2 and 4095
+
+
+ #include
+
+ 100%
+
+ #include
+
+
+ Bandwidth limit for this class
+
+ <number>
+ Rate in kbit (kilobit per second)
+
+
+ <number>%%
+ Percentage of overall rate
+
+
+ <number>bit
+ bit(1), kbit(10^3), mbit(10^6), gbit, tbit
+
+
+ <number>ibit
+ kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
+
+
+ <number>ibps
+ kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
+
+
+ <number>bps
+ bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+ Priority for usage of excess bandwidth
+
+ u32:0-7
+ Priority order for bandwidth pool
+
+
+
+
+ Priority must be between 0 and 7
+
+ 20
+
+ #include
+ #include
+ #include
+ #include
+
+
+ #include
+
+
+ Default policy
+
+
+ #include
+ #include
+
+
+ Bandwidth limit for this class
+
+ <number>
+ Rate in kbit (kilobit per second)
+
+
+ <number>%%
+ Percentage of overall rate
+
+
+ <number>bit
+ bit(1), kbit(10^3), mbit(10^6), gbit, tbit
+
+
+ <number>ibit
+ kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
+
+
+ <number>ibps
+ kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
+
+
+ <number>bps
+ bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+
+
+
+ #include
+ #include
+ #include
+ #include
+
+
+ Priority for usage of excess bandwidth
+
+ u32:0-7
+ Priority order for bandwidth pool
+
+
+
+
+ Priority must be between 0 and 7
+
+ 20
+
+ #include
+ #include
+ #include
+ #include
+
+
+
+
+
+
+
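Review bot: In the shaper class `Priority for usage of excess bandwidth` node, the value that appears to be the default, `20`, lies outside the `u32:0-7` range the validator enforces (`Priority must be between 0 and 7`), so a class that leaves priority unset would be committed with a value the CLI rejects when typed; the same pair appears in the shaper `Default policy` block. Unless the backend clamps it, the default should fall inside the range — which end is intended cannot be told from the hunk. Separately, the policy-name message `Only alpha-numeric policy name allowed` understates the regex `[[:alnum:]][-_[:alnum:]]*`, which also permits `-` and `_` after the first character. Element tags are stripped in this rendering, so the default/validator pairing is inferred from line order.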
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index fab88bc72..7f1258575 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -191,6 +191,19 @@ def verify_mirror(config):
raise ConfigError(f'Can not mirror "{direction}" traffic back ' \
'the originating interface!')
+def verify_redirect(config):
+ """
+ Common helper function used by interface implementations to perform
+ recurring validation of the redirect interface configuration.
+
+ It makes no sense to mirror and redirect traffic at the same time!
+ """
+ if {'mirror', 'redirect'} <= set(config):
+ raise ConfigError('Can not do both redirect and mirror')
+
+ if dict_search('traffic_policy.in', config) != None:
+ raise ConfigError('Can not use ingress policy and redirect')
+
def verify_authentication(config):
"""
Common helper function used by interface implementations to perform
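Review bot: The second check in `verify_redirect` fires whenever `traffic_policy.in` is set, independent of whether `redirect` is configured, so any interface that still carries an ingress traffic policy would fail commit with `Can not use ingress policy and redirect`; if that node still exists on these interfaces the guard should be `if 'redirect' in config and dict_search('traffic_policy.in', config) is not None:`. Even if the ingress-policy node is being removed by this change (the removed `#include` lines suggest it may be, but the rendering hides the file names), the comparison should be `is not None` rather than `!= None`. The docstring only describes the mirror/redirect exclusion; it should also state the second rule, e.g. `An ingress traffic policy and a redirect on the same interface are mutually exclusive, too.`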
@@ -315,6 +328,7 @@ def verify_vlan_config(config):
verify_dhcpv6(vlan)
verify_address(vlan)
verify_vrf(vlan)
+ verify_redirect(vlan)
verify_mtu_parent(vlan, config)
# 802.1ad (Q-in-Q) VLANs
@@ -323,6 +337,7 @@ def verify_vlan_config(config):
verify_dhcpv6(s_vlan)
verify_address(s_vlan)
verify_vrf(s_vlan)
+ verify_redirect(s_vlan)
verify_mtu_parent(s_vlan, config)
for c_vlan in s_vlan.get('vif_c', {}):
@@ -330,6 +345,7 @@ def verify_vlan_config(config):
verify_dhcpv6(c_vlan)
verify_address(c_vlan)
verify_vrf(c_vlan)
+ verify_redirect(c_vlan)
verify_mtu_parent(c_vlan, config)
verify_mtu_parent(c_vlan, s_vlan)
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py
index bb53cd6c2..661dc2298 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces-bonding.py
@@ -27,9 +27,10 @@ from vyos.configdict import is_source_interface
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_dhcpv6
-from vyos.configverify import verify_source_interface
from vyos.configverify import verify_mirror
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
+from vyos.configverify import verify_source_interface
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_vrf
from vyos.ifconfig import BondIf
@@ -151,6 +152,7 @@ def verify(bond):
verify_dhcpv6(bond)
verify_vrf(bond)
verify_mirror(bond)
+ verify_redirect(bond)
# use common function to verify VLAN configuration
verify_vlan_config(bond)
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py
index 9f840cb58..e16c0e9f4 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces-bridge.py
@@ -28,6 +28,7 @@ from vyos.configdict import has_vlan_subinterface_configured
from vyos.configdict import dict_merge
from vyos.configverify import verify_dhcpv6
from vyos.configverify import verify_mirror
+from vyos.configverify import verify_redirect
from vyos.configverify import verify_vrf
from vyos.ifconfig import BridgeIf
from vyos.validate import has_address_configured
@@ -107,6 +108,7 @@ def verify(bridge):
verify_dhcpv6(bridge)
verify_vrf(bridge)
verify_mirror(bridge)
+ verify_redirect(bridge)
ifname = bridge['ifname']
diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py
index 55c783f38..4072c4452 100755
--- a/src/conf_mode/interfaces-dummy.py
+++ b/src/conf_mode/interfaces-dummy.py
@@ -21,6 +21,7 @@ from vyos.configdict import get_interface_dict
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_redirect
from vyos.ifconfig import DummyIf
from vyos import ConfigError
from vyos import airbag
@@ -46,6 +47,7 @@ def verify(dummy):
verify_vrf(dummy)
verify_address(dummy)
+ verify_redirect(dummy)
return None
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 2a8a126f2..3eeddf190 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_interface_exists
from vyos.configverify import verify_mirror
from vyos.configverify import verify_mtu
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_vrf
from vyos.ethtool import Ethtool
@@ -84,6 +85,7 @@ def verify(ethernet):
verify_vrf(ethernet)
verify_eapol(ethernet)
verify_mirror(ethernet)
+ verify_redirect(ethernet)
ethtool = Ethtool(ifname)
# No need to check speed and duplex keys as both have default values.
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py
index 2a63b60aa..a94b5e1f7 100755
--- a/src/conf_mode/interfaces-geneve.py
+++ b/src/conf_mode/interfaces-geneve.py
@@ -24,6 +24,7 @@ from vyos.configdict import get_interface_dict
from vyos.configverify import verify_address
from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_redirect
from vyos.ifconfig import GeneveIf
from vyos import ConfigError
@@ -50,6 +51,7 @@ def verify(geneve):
verify_mtu_ipv6(geneve)
verify_address(geneve)
+ verify_redirect(geneve)
if 'remote' not in geneve:
raise ConfigError('Remote side must be configured')
diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py
index 9b6ddd5aa..5ea7159dc 100755
--- a/src/conf_mode/interfaces-l2tpv3.py
+++ b/src/conf_mode/interfaces-l2tpv3.py
@@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
from vyos.ifconfig import L2TPv3If
from vyos.util import check_kmod
from vyos.validate import is_addr_assigned
@@ -76,6 +77,7 @@ def verify(l2tpv3):
verify_mtu_ipv6(l2tpv3)
verify_address(l2tpv3)
+ verify_redirect(l2tpv3)
return None
def generate(l2tpv3):
diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py
index 193334443..e6a851113 100755
--- a/src/conf_mode/interfaces-loopback.py
+++ b/src/conf_mode/interfaces-loopback.py
@@ -20,6 +20,7 @@ from sys import exit
from vyos.config import Config
from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_redirect
from vyos.ifconfig import LoopbackIf
from vyos import ConfigError
from vyos import airbag
@@ -39,6 +40,7 @@ def get_config(config=None):
return loopback
def verify(loopback):
+ verify_redirect(loopback)
return None
def generate(loopback):
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index eab69f36e..6a29fdb11 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -29,6 +29,7 @@ from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
from vyos.configverify import verify_source_interface
from vyos import ConfigError
from vyos import airbag
@@ -66,6 +67,7 @@ def verify(macsec):
verify_vrf(macsec)
verify_mtu_ipv6(macsec)
verify_address(macsec)
+ verify_redirect(macsec)
if not (('security' in macsec) and
('cipher' in macsec['security'])):
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py
index 584adc75e..9962e0a08 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces-pppoe.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_source_interface
from vyos.configverify import verify_interface_exists
from vyos.configverify import verify_vrf
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
from vyos.ifconfig import PPPoEIf
from vyos.template import render
from vyos.util import call
@@ -85,6 +86,7 @@ def verify(pppoe):
verify_authentication(pppoe)
verify_vrf(pppoe)
verify_mtu_ipv6(pppoe)
+ verify_redirect(pppoe)
if {'connect_on_demand', 'vrf'} <= set(pppoe):
raise ConfigError('On-demand dialing and VRF can not be used at the same time')
diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py
index 945a2ea9c..f57e41cc4 100755
--- a/src/conf_mode/interfaces-pseudo-ethernet.py
+++ b/src/conf_mode/interfaces-pseudo-ethernet.py
@@ -25,6 +25,7 @@ from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_source_interface
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_mtu_parent
+from vyos.configverify import verify_redirect
from vyos.ifconfig import MACVLANIf
from vyos import ConfigError
@@ -60,6 +61,7 @@ def verify(peth):
verify_vrf(peth)
verify_address(peth)
verify_mtu_parent(peth, peth['parent'])
+ verify_redirect(peth)
# use common function to verify VLAN configuration
verify_vlan_config(peth)
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index 433764b8a..005fae5eb 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -26,6 +26,7 @@ from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_interface_exists
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
from vyos.configverify import verify_vrf
from vyos.configverify import verify_tunnel
from vyos.ifconfig import Interface
@@ -157,6 +158,7 @@ def verify(tunnel):
verify_mtu_ipv6(tunnel)
verify_address(tunnel)
verify_vrf(tunnel)
+ verify_redirect(tunnel)
if 'source_interface' in tunnel:
verify_interface_exists(tunnel['source_interface'])
diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py
index 57950ffea..30e13536f 100755
--- a/src/conf_mode/interfaces-vti.py
+++ b/src/conf_mode/interfaces-vti.py
@@ -19,6 +19,7 @@ from sys import exit
from vyos.config import Config
from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_redirect
from vyos.ifconfig import VTIIf
from vyos.util import dict_search
from vyos import ConfigError
@@ -39,6 +40,7 @@ def get_config(config=None):
return vti
def verify(vti):
+ verify_redirect(vti)
return None
def generate(vti):
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py
index 29b16af89..a29836efd 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces-vxlan.py
@@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
from vyos.configverify import verify_source_interface
from vyos.ifconfig import Interface
from vyos.ifconfig import VXLANIf
@@ -140,6 +141,7 @@ def verify(vxlan):
verify_mtu_ipv6(vxlan)
verify_address(vxlan)
+ verify_redirect(vxlan)
return None
def generate(vxlan):
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index da64dd076..dc0fe7b9c 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_redirect
from vyos.ifconfig import WireGuardIf
from vyos.util import check_kmod
from vyos.util import check_port_availability
@@ -70,6 +71,7 @@ def verify(wireguard):
verify_mtu_ipv6(wireguard)
verify_address(wireguard)
verify_vrf(wireguard)
+ verify_redirect(wireguard)
if 'private_key' not in wireguard:
raise ConfigError('Wireguard private-key not defined')
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index af35b5f03..fdf9e3988 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -27,6 +27,7 @@ from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_dhcpv6
from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_redirect
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_vrf
from vyos.ifconfig import WiFiIf
@@ -189,6 +190,7 @@ def verify(wifi):
verify_address(wifi)
verify_vrf(wifi)
+ verify_redirect(wifi)
# use common function to verify VLAN configuration
verify_vlan_config(wifi)
diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py
index a4b033374..367a50e82 100755
--- a/src/conf_mode/interfaces-wwan.py
+++ b/src/conf_mode/interfaces-wwan.py
@@ -23,6 +23,7 @@ from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configverify import verify_authentication
from vyos.configverify import verify_interface_exists
+from vyos.configverify import verify_redirect
from vyos.configverify import verify_vrf
from vyos.ifconfig import WWANIf
from vyos.util import cmd
@@ -77,6 +78,7 @@ def verify(wwan):
verify_interface_exists(ifname)
verify_authentication(wwan)
verify_vrf(wwan)
+ verify_redirect(wwan)
return None
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
new file mode 100755
index 000000000..cf447d4b5
--- /dev/null
+++ b/src/conf_mode/qos.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.xml import defaults
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['traffic-policy']
+ if not conf.exists(base):
+ return None
+
+ qos = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+
+ for traffic_policy in ['drop-tail', 'fair-queue', 'fq-codel', 'limiter',
+ 'network-emulator', 'priority-queue', 'random-detect',
+ 'rate-control', 'round-robin', 'shaper', 'shaper-hfsc']:
+ traffic_policy_us = traffic_policy.replace('-','_')
+ # Individual policy type not present on CLI - no need to blend in
+ # any default values
+ if traffic_policy_us not in qos:
+ continue
+
+ default_values = defaults(base + [traffic_policy_us])
+
+ # class is another tag node which requires individual handling
+ class_default_values = defaults(base + [traffic_policy_us, 'class'])
+ if 'class' in default_values:
+ del default_values['class']
+
+ for policy, policy_config in qos[traffic_policy_us].items():
+ qos[traffic_policy_us][policy] = dict_merge(
+ default_values, qos[traffic_policy_us][policy])
+
+ if 'class' in policy_config:
+ for policy_class in policy_config['class']:
+ qos[traffic_policy_us][policy]['class'][policy_class] = dict_merge(
+ class_default_values, qos[traffic_policy_us][policy]['class'][policy_class])
+
+ import pprint
+ pprint.pprint(qos)
+ return qos
+
+def verify(qos):
+ if not qos:
+ return None
+
+ # network policy emulator
+ # reorder rerquires delay to be set
+
+ raise ConfigError('123')
+ return None
+
+def generate(qos):
+ return None
+
+def apply(qos):
+ return None
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
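Review bot: verify() at the end of this hunk unconditionally raises `ConfigError('123')` after its early return, so any configured traffic-policy fails to commit and the `return None` below it is unreachable. get_config() also leaves debugging output in place (`import pprint` / `pprint.pprint(qos)`), which dumps the whole merged policy dictionary to stdout on every commit. Both look like work-in-progress leftovers: drop the two pprint lines and either implement the check the comment above the raise describes (`reorder requires delay to be set`, also a typo for "requires") or reduce verify() to `return None` until it exists.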
--
cgit v1.2.3
From e700bd3e22e080525e70ce560c0e48d41a80a9d2 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 24 Mar 2022 18:42:40 +0100
Subject: ipsec: T4288: bump config version 8 -> 9
---
interface-definitions/include/version/ipsec-version.xml.i | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/version/ipsec-version.xml.i b/interface-definitions/include/version/ipsec-version.xml.i
index fcdd6c702..59295cc91 100644
--- a/interface-definitions/include/version/ipsec-version.xml.i
+++ b/interface-definitions/include/version/ipsec-version.xml.i
@@ -1,3 +1,3 @@
-
+
--
cgit v1.2.3
From eaf4b60c9e7fa094d17b87b29bebaf81182ee7a1 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 25 Mar 2022 18:53:50 +0100
Subject: xml: T4319: use common building block for table-size CLI option
---
interface-definitions/include/arp-ndp-table-size.xml.i | 14 ++++++++++++++
interface-definitions/system-ip.xml.in | 13 +------------
interface-definitions/system-ipv6.xml.in | 14 ++------------
3 files changed, 17 insertions(+), 24 deletions(-)
create mode 100644 interface-definitions/include/arp-ndp-table-size.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/arp-ndp-table-size.xml.i b/interface-definitions/include/arp-ndp-table-size.xml.i
new file mode 100644
index 000000000..dec86e91a
--- /dev/null
+++ b/interface-definitions/include/arp-ndp-table-size.xml.i
@@ -0,0 +1,14 @@
+
+
+
+ Maximum number of entries to keep in the cache
+
+ 1024 2048 4096 8192 16384 32768
+
+
+ (1024|2048|4096|8192|16384|32768)
+
+
+ 8192
+
+
diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in
index b43100418..21d70694b 100644
--- a/interface-definitions/system-ip.xml.in
+++ b/interface-definitions/system-ip.xml.in
@@ -14,18 +14,7 @@
Parameters for ARP cache
-
-
- Maximum number of entries to keep in the ARP cache
-
- 1024 2048 4096 8192 16384 32768
-
-
- ^(1024|2048|4096|8192|16384|32768)$
-
-
- 8192
-
+ #include
diff --git a/interface-definitions/system-ipv6.xml.in b/interface-definitions/system-ipv6.xml.in
index ff1080544..af4dcdb0f 100644
--- a/interface-definitions/system-ipv6.xml.in
+++ b/interface-definitions/system-ipv6.xml.in
@@ -36,20 +36,10 @@
- Parameters for Neighbor cache
+ Parameters for neighbor discovery cache
-
-
- Maximum number of entries to keep in the Neighbor cache
-
- 1024 2048 4096 8192 16384 32768
-
-
- ^(1024|2048|4096|8192|16384|32768)$
-
-
-
+ #include
--
cgit v1.2.3
From 7d4160f5e2ef1b0c7d5443850fa5b694b940547a Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Thu, 31 Mar 2022 13:08:05 +0000
Subject: bgp: T4326: Add bgp parameter no-suppress-duplicates
Add new bgp parameter 'no-suppress-duplicates'
set protocols bgp parameters no-suppress-duplicates
---
data/templates/frr/bgpd.frr.tmpl | 3 +++
interface-definitions/include/bgp/protocol-common-config.xml.i | 6 ++++++
smoketest/scripts/cli/test_protocols_bgp.py | 2 ++
3 files changed, 11 insertions(+)
(limited to 'interface-definitions/include')
diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl
index 45e0544b7..0bc0fd36e 100644
--- a/data/templates/frr/bgpd.frr.tmpl
+++ b/data/templates/frr/bgpd.frr.tmpl
@@ -545,6 +545,9 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
{% if parameters.no_fast_external_failover is defined %}
no bgp fast-external-failover
{% endif %}
+{% if parameters.no_suppress_duplicates is defined %}
+ no bgp suppress-duplicates
+{% endif %}
{% if parameters.reject_as_sets is defined %}
bgp reject-as-sets
{% endif %}
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index 38337b032..b59ff0287 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -1430,6 +1430,12 @@
+
+
+ Disable suppress duplicate updates if the route actually not changed
+
+
+
Reject routes with AS_SET or AS_CONFED_SET flag
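Review bot: The new help string `Disable suppress duplicate updates if the route actually not changed` is ungrammatical and hard to read on the CLI. Suggest `Do not suppress duplicate updates when the route is unchanged`, which also mirrors the FRR command the template emits.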
diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py
index d7230baf4..db1587ba7 100755
--- a/smoketest/scripts/cli/test_protocols_bgp.py
+++ b/smoketest/scripts/cli/test_protocols_bgp.py
@@ -274,6 +274,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['parameters', 'conditional-advertisement', 'timer', cond_adv_timer])
self.cli_set(base_path + ['parameters', 'fast-convergence'])
self.cli_set(base_path + ['parameters', 'minimum-holdtime', min_hold_time])
+ self.cli_set(base_path + ['parameters', 'no-suppress-duplicates'])
self.cli_set(base_path + ['parameters', 'reject-as-sets'])
self.cli_set(base_path + ['parameters', 'shutdown'])
self.cli_set(base_path + ['parameters', 'suppress-fib-pending'])
@@ -305,6 +306,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
self.assertIn(f' bgp shutdown', frrconfig)
self.assertIn(f' bgp suppress-fib-pending', frrconfig)
self.assertNotIn(f'bgp ebgp-requires-policy', frrconfig)
+ self.assertIn(f' no bgp suppress-duplicates', frrconfig)
afiv4_config = self.getFRRconfig(' address-family ipv4 unicast')
self.assertIn(f' maximum-paths {max_path_v4}', afiv4_config)
--
cgit v1.2.3
From a6c936997611de85dc73152297679d0b53095713 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 3 Apr 2022 12:11:29 +0200
Subject: isis: T4336: add support for MD5 authentication password on a circuit
---
data/templates/frr/isisd.frr.tmpl | 4 +-
interface-definitions/include/isis/password.xml.i | 20 ++++++++
.../include/isis/protocol-common-config.xml.i | 54 +++-------------------
3 files changed, 29 insertions(+), 49 deletions(-)
create mode 100644 interface-definitions/include/isis/password.xml.i
(limited to 'interface-definitions/include')
diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.tmpl
index 2bf3a3b8a..d8545bea7 100644
--- a/data/templates/frr/isisd.frr.tmpl
+++ b/data/templates/frr/isisd.frr.tmpl
@@ -31,7 +31,9 @@ interface {{ iface }}
{% if iface_config.passive is vyos_defined %}
isis passive
{% endif %}
-{% if iface_config.password.plaintext_password is vyos_defined %}
+{% if iface_config.password.md5 is vyos_defined %}
+ isis password md5 {{ iface_config.password.md5 }}
+{% elif iface_config.password.plaintext_password is vyos_defined %}
isis password clear {{ iface_config.password.plaintext_password }}
{% endif %}
{% if iface_config.priority is vyos_defined %}
diff --git a/interface-definitions/include/isis/password.xml.i b/interface-definitions/include/isis/password.xml.i
new file mode 100644
index 000000000..27c3b0fa0
--- /dev/null
+++ b/interface-definitions/include/isis/password.xml.i
@@ -0,0 +1,20 @@
+
+
+
+ Plain-text authentication type
+
+ txt
+ Circuit password
+
+
+
+
+
+ MD5 authentication type
+
+ txt
+ Level-wide password
+
+
+
+
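Review bot: This include is now shared by the area, domain and circuit password nodes, but its two help strings disagree: the plaintext leaf says `Circuit password` while the md5 leaf says `Level-wide password`, so one of them is wrong in every context it is included from. Use a context-neutral string for both, e.g. `Authentication password`, and let the enclosing node's help text say whether it is area-, domain- or circuit-scoped.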
diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i
index 8ffa14a19..e0145f7a4 100644
--- a/interface-definitions/include/isis/protocol-common-config.xml.i
+++ b/interface-definitions/include/isis/protocol-common-config.xml.i
@@ -4,24 +4,7 @@
Configure the authentication password for an area
-
-
- Plain-text authentication type
-
- txt
- Level-wide password
-
-
-
-
-
- MD5 authentication type
-
- txt
- Level-wide password
-
-
-
+ #include
@@ -59,24 +42,7 @@
Set the authentication password for a routing domain
-
-
- Plain-text authentication type
-
- txt
- Level-wide password
-
-
-
-
-
- MD5 authentication type
-
- txt
- Level-wide password
-
-
-
+ #include
@@ -104,7 +70,7 @@
Act as an area router
- ^(level-1|level-1-2|level-2)$
+ (level-1|level-1-2|level-2)
@@ -182,7 +148,7 @@
Use new style of TLVs to carry wider metric
- ^(narrow|transition|wide)$
+ (narrow|transition|wide)
@@ -668,7 +634,7 @@
Level-2 only adjacencies are formed
- ^(level-1|level-1-2|level-2-only)$
+ (level-1|level-1-2|level-2-only)
@@ -722,15 +688,7 @@
Configure the authentication password for a circuit
-
-
- Plain-text authentication type
-
- txt
- Circuit password
-
-
-
+ #include
--
cgit v1.2.3
From abdd80c7387e0b819aba5e74777695421fcb70bf Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 3 Apr 2022 13:27:44 +0200
Subject: xml: isis: T3236: create common high-low label value include block
---
.../include/isis/high-low-label-value.xml.i | 26 +++++++++++
.../include/isis/protocol-common-config.xml.i | 50 +---------------------
2 files changed, 28 insertions(+), 48 deletions(-)
create mode 100644 interface-definitions/include/isis/high-low-label-value.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/isis/high-low-label-value.xml.i b/interface-definitions/include/isis/high-low-label-value.xml.i
new file mode 100644
index 000000000..adc28417d
--- /dev/null
+++ b/interface-definitions/include/isis/high-low-label-value.xml.i
@@ -0,0 +1,26 @@
+
+
+
+ MPLS label lower bound
+
+ u32:16-1048575
+ Label value
+
+
+
+
+
+
+
+
+ MPLS label upper bound
+
+ u32:16-1048575
+ Label value
+
+
+
+
+
+
+
diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i
index e0145f7a4..af9d87a0d 100644
--- a/interface-definitions/include/isis/protocol-common-config.xml.i
+++ b/interface-definitions/include/isis/protocol-common-config.xml.i
@@ -244,30 +244,7 @@
Global block label range
-
-
- The lower bound of the global block
-
- u32:16-1048575
- MPLS label value
-
-
-
-
-
-
-
-
- The upper bound of the global block
-
- u32:16-1048575
- MPLS label value
-
-
-
-
-
-
+ #include
--
cgit v1.2.3
From 7d3ae5fc3ba113b67281c9605f3a8a71b924efe2 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 3 Apr 2022 14:11:06 +0200
Subject: isis: T3156: add segment routing local-block for ISIS
---
data/templates/frr/isisd.frr.tmpl | 7 ++--
.../include/isis/protocol-common-config.xml.i | 6 +--
src/conf_mode/protocols_isis.py | 44 ++++++++++++++--------
3 files changed, 34 insertions(+), 23 deletions(-)
(limited to 'interface-definitions/include')
diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.tmpl
index 33adac64e..238541903 100644
--- a/data/templates/frr/isisd.frr.tmpl
+++ b/data/templates/frr/isisd.frr.tmpl
@@ -114,10 +114,11 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
segment-routing node-msd {{ segment_routing.maximum_label_depth }}
{% endif %}
{% if segment_routing.global_block is vyos_defined %}
+{% if segment_routing.local_block is vyos_defined %}
+ segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} local-block {{ segment_routing.local_block.low_label_value }} {{ segment_routing.local_block.high_label_value }}
+{% else %}
segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }}
-{% endif %}
-{% if segment_routing.local_block is vyos_defined %}
- segment-routing local-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.local_block.high_label_value }}
+{% endif %}
{% endif %}
{% if segment_routing.prefix is vyos_defined %}
{% for prefixes in segment_routing.prefix %}
diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i
index af9d87a0d..75a0355d4 100644
--- a/interface-definitions/include/isis/protocol-common-config.xml.i
+++ b/interface-definitions/include/isis/protocol-common-config.xml.i
@@ -241,22 +241,20 @@
- Global block label range
+ Segment Routing Global Block label range
#include
-
Maximum MPLS labels allowed for this router
diff --git a/src/conf_mode/protocols_isis.py b/src/conf_mode/protocols_isis.py
index 9b4b215de..f2501e38a 100755
--- a/src/conf_mode/protocols_isis.py
+++ b/src/conf_mode/protocols_isis.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020-2021 VyOS maintainers and contributors
+# Copyright (C) 2020-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -169,28 +169,40 @@ def verify(isis):
# Segment routing checks
if dict_search('segment_routing.global_block', isis):
- high_label_value = dict_search('segment_routing.global_block.high_label_value', isis)
- low_label_value = dict_search('segment_routing.global_block.low_label_value', isis)
+ g_high_label_value = dict_search('segment_routing.global_block.high_label_value', isis)
+ g_low_label_value = dict_search('segment_routing.global_block.low_label_value', isis)
- # If segment routing global block high value is blank, throw error
- if (low_label_value and not high_label_value) or (high_label_value and not low_label_value):
- raise ConfigError('Segment routing global block requires both low and high value!')
+ # If segment routing global block high or low value is blank, throw error
+ if not (g_low_label_value or g_high_label_value):
+ raise ConfigError('Segment routing global-block requires both low and high value!')
# If segment routing global block low value is higher than the high value, throw error
- if int(low_label_value) > int(high_label_value):
- raise ConfigError('Segment routing global block low value must be lower than high value')
+ if int(g_low_label_value) > int(g_high_label_value):
+ raise ConfigError('Segment routing global-block low value must be lower than high value')
if dict_search('segment_routing.local_block', isis):
- high_label_value = dict_search('segment_routing.local_block.high_label_value', isis)
- low_label_value = dict_search('segment_routing.local_block.low_label_value', isis)
+ if dict_search('segment_routing.global_block', isis) == None:
+ raise ConfigError('Segment routing local-block requires global-block to be configured!')
- # If segment routing local block high value is blank, throw error
- if (low_label_value and not high_label_value) or (high_label_value and not low_label_value):
- raise ConfigError('Segment routing local block requires both high and low value!')
+ l_high_label_value = dict_search('segment_routing.local_block.high_label_value', isis)
+ l_low_label_value = dict_search('segment_routing.local_block.low_label_value', isis)
- # If segment routing local block low value is higher than the high value, throw error
- if int(low_label_value) > int(high_label_value):
- raise ConfigError('Segment routing local block low value must be lower than high value')
+ # If segment routing local-block high or low value is blank, throw error
+ if not (l_low_label_value or l_high_label_value):
+ raise ConfigError('Segment routing local-block requires both high and low value!')
+
+ # If segment routing local-block low value is higher than the high value, throw error
+ if int(l_low_label_value) > int(l_high_label_value):
+ raise ConfigError('Segment routing local-block low value must be lower than high value')
+
+ # local-block most live outside global block
+ global_range = range(int(g_low_label_value), int(g_high_label_value) +1)
+ local_range = range(int(l_low_label_value), int(l_high_label_value) +1)
+
+ # Check for overlapping ranges
+ if list(set(global_range) & set(local_range)):
+ raise ConfigError(f'Segment-Routing Global Block ({g_low_label_value}/{g_high_label_value}) '\
+ f'conflicts with Local Block ({l_low_label_value}/{l_high_label_value})!')
return None
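Review bot: The new emptiness check `if not (g_low_label_value or g_high_label_value):` only fires when both values are missing, so a global-block with just one of low/high gets past it and the `int()` comparison two lines below raises a TypeError on `None` instead of the intended ConfigError; the removed xor check had the right semantics, and the `or` should be `and`: `if not (g_low_label_value and g_high_label_value):`. The local-block check further down the hunk has the same inversion. The overlap test materialises both label ranges as sets, up to roughly a million entries each at the 16-1048575 bounds the CLI allows; a bounds comparison such as `if int(l_low_label_value) <= int(g_high_label_value) and int(g_low_label_value) <= int(l_high_label_value):` is equivalent and constant-time. verify() begins outside this hunk.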
--
cgit v1.2.3
From dbd922397dcfe6df3f0e766787d9aee69410dd58 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Mon, 4 Apr 2022 10:12:08 +0000
Subject: ipoe: T2580: Add pools and gateway options
Add a new feature that allows the use of named pools
It can also be used with the RADIUS attribute 'Framed-Pool'
set service ipoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service ipoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
---
data/templates/accel-ppp/ipoe.config.tmpl | 28 +++++++++++++++++++---
.../accel-ppp/client-ip-pool-subnet-single.xml.i | 15 ++++++++++++
interface-definitions/service_ipoe-server.xml.in | 16 +++++++++++++
src/conf_mode/service_ipoe-server.py | 23 ++++++++++++++----
4 files changed, 74 insertions(+), 8 deletions(-)
create mode 100644 interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i
(limited to 'interface-definitions/include')
diff --git a/data/templates/accel-ppp/ipoe.config.tmpl b/data/templates/accel-ppp/ipoe.config.tmpl
index 1cf2ab0be..92c2d5715 100644
--- a/data/templates/accel-ppp/ipoe.config.tmpl
+++ b/data/templates/accel-ppp/ipoe.config.tmpl
@@ -25,11 +25,21 @@ level=5
verbose=1
{% for interface in interfaces %}
{% if interface.vlan_mon %}
-interface=re:{{ interface.name }}\.\d+,{% else %}interface={{ interface.name }},{% endif %}shared={{ interface.shared }},mode={{ interface.mode }},ifcfg={{ interface.ifcfg }},range={{ interface.range }},start={{ interface.sess_start }},ipv6=1
+interface=re:{{ interface.name }}\.\d+,{% else %}interface={{ interface.name }},{% endif %}shared={{ interface.shared }},mode={{ interface.mode }},ifcfg={{ interface.ifcfg }}{{ ',range=' + interface.range if interface.range is defined and interface.range is not none }},start={{ interface.sess_start }},ipv6=1
{% endfor %}
-{% if auth_mode == 'noauth' %}
+{% if auth_mode == 'noauth' %}
noauth=1
-{% elif auth_mode == 'local' %}
+{% if client_named_ip_pool %}
+{% for pool in client_named_ip_pool %}
+{% if pool.subnet is defined %}
+ip-pool={{ pool.name }}
+{% endif %}
+{% if pool.gateway_address is defined %}
+gw-ip-address={{ pool.gateway_address }}/{{ pool.subnet.split('/')[1] }}
+{% endif %}
+{% endfor%}
+{% endif %}
+{% elif auth_mode == 'local' %}
username=ifname
password=csid
{% endif %}
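Review bot: `gw-ip-address={{ pool.gateway_address }}/{{ pool.subnet.split('/')[1] }}` is guarded only by `pool.gateway_address is defined`, and the conf_mode script in this commit always populates both keys (defaulting to `''`), so a pool with a gateway-address but no subnet renders `''.split('/')[1]` and the template fails with an IndexError at commit time; for the same reason `pool.subnet is defined` is always true and `ip-pool=` is emitted for pools without a subnet. Test for non-empty values instead, `{% if pool.subnet %}` for the name line and `{% if pool.gateway_address and pool.subnet %}` for the gateway line. The `[ip-pool]` section in the second hunk of this file repeats both conditions and needs the same change.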
@@ -61,6 +71,18 @@ verbose=1
[ipv6-dhcp]
verbose=1
+{% if client_named_ip_pool %}
+[ip-pool]
+{% for pool in client_named_ip_pool %}
+{% if pool.subnet is defined %}
+{{ pool.subnet }},name={{ pool.name }}
+{% endif %}
+{% if pool.gateway_address is defined %}
+gw-ip-address={{ pool.gateway_address }}/{{ pool.subnet.split('/')[1] }}
+{% endif %}
+{% endfor%}
+{% endif %}
+
{% if client_ipv6_pool %}
[ipv6-pool]
{% for p in client_ipv6_pool %}
diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i
new file mode 100644
index 000000000..e5918b765
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i
@@ -0,0 +1,15 @@
+
+
+
+ Client IP subnet (CIDR notation)
+
+ ipv4net
+ IPv4 address and prefix length
+
+
+
+
+ Not a valid CIDR formatted prefix
+
+
+
diff --git a/interface-definitions/service_ipoe-server.xml.in b/interface-definitions/service_ipoe-server.xml.in
index b19acab56..1325ba10d 100644
--- a/interface-definitions/service_ipoe-server.xml.in
+++ b/interface-definitions/service_ipoe-server.xml.in
@@ -112,6 +112,22 @@
#include
+
+
+ Client IP pools and gateway setting
+
+
+
+
+ Pool name
+
+
+ #include
+ #include
+
+
+
+
#include
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index f676fdbbe..2ebee8018 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -41,6 +41,7 @@ default_config_data = {
'interfaces': [],
'dnsv4': [],
'dnsv6': [],
+ 'client_named_ip_pool': [],
'client_ipv6_pool': [],
'client_ipv6_delegate_prefix': [],
'radius_server': [],
@@ -219,6 +220,22 @@ def get_config(config=None):
conf.set_level(base_path)
+ # Named client-ip-pool
+ if conf.exists(['client-ip-pool', 'name']):
+ for name in conf.list_nodes(['client-ip-pool', 'name']):
+ tmp = {
+ 'name': name,
+ 'gateway_address': '',
+ 'subnet': ''
+ }
+
+ if conf.exists(['client-ip-pool', 'name', name, 'gateway-address']):
+ tmp['gateway_address'] += conf.return_value(['client-ip-pool', 'name', name, 'gateway-address'])
+ if conf.exists(['client-ip-pool', 'name', name, 'subnet']):
+ tmp['subnet'] += conf.return_value(['client-ip-pool', 'name', name, 'subnet'])
+
+ ipoe['client_named_ip_pool'].append(tmp)
+
if conf.exists(['client-ipv6-pool', 'prefix']):
for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']):
tmp = {
@@ -254,10 +271,6 @@ def verify(ipoe):
if not ipoe['interfaces']:
raise ConfigError('No IPoE interface configured')
- for interface in ipoe['interfaces']:
- if not interface['range']:
- raise ConfigError(f'No IPoE client subnet defined on interface "{ interface }"')
-
if len(ipoe['dnsv4']) > 2:
raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
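Review bot: The removed per-interface range check is not replaced by any validation of the named pools that get_config() now collects, so a `client-ip-pool name` entry with a gateway-address but no subnet, or with neither, passes verify() and only fails (or silently configures nothing) when the template is rendered. I would add a loop over `ipoe['client_named_ip_pool']` that rejects pools without a subnet, and a check that at least one interface still carries a range or one named pool has a subnet, so the "no client subnet" condition this hunk drops remains caught. verify() starts outside this hunk.
```python
    # … unchanged: interface count check …
    for pool in ipoe['client_named_ip_pool']:
        if not pool['subnet']:
            raise ConfigError(f'Named client-ip-pool "{pool["name"]}" requires a subnet')
    if not any(i['range'] for i in ipoe['interfaces']) and not ipoe['client_named_ip_pool']:
        raise ConfigError('No IPoE client subnet or named client-ip-pool defined')
    # … unchanged: DNS server checks …
```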
--
cgit v1.2.3
From c514cea0ad94a00838530cd07f87723be372ea8f Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Apr 2022 20:40:45 +0200
Subject: firewall: T4345: Fix incorrect rule limit rate syntax
---
interface-definitions/include/firewall/common-rule.xml.i | 6 +++---
python/vyos/firewall.py | 2 +-
smoketest/configs/dialup-router-complex | 3 +++
smoketest/scripts/cli/test_firewall.py | 5 +++++
src/conf_mode/firewall.py | 6 ++++++
5 files changed, 18 insertions(+), 4 deletions(-)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 353804990..cd80b7e28 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -66,11 +66,11 @@
Maximum average matching rate
- u32:0-4294967295
- Maximum average matching rate
+ txt
+ integer/unit (Example: 5/minute)
-
+ ^\d+/(second|minute|hour|day)$
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 55ce318e7..ff8623592 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -174,7 +174,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'limit' in rule_conf:
if 'rate' in rule_conf['limit']:
- output.append(f'limit rate {rule_conf["limit"]["rate"]}/second')
+ output.append(f'limit rate {rule_conf["limit"]["rate"]}')
if 'burst' in rule_conf['limit']:
output.append(f'burst {rule_conf["limit"]["burst"]} packets')
diff --git a/smoketest/configs/dialup-router-complex b/smoketest/configs/dialup-router-complex
index 1b62deb5c..ac5ff5e99 100644
--- a/smoketest/configs/dialup-router-complex
+++ b/smoketest/configs/dialup-router-complex
@@ -498,6 +498,9 @@ firewall {
destination {
port 110,995
}
+ limit {
+ rate "10/minute"
+ }
protocol tcp
}
rule 123 {
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index ecc0c29a0..16b020e07 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -88,6 +88,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'destination', 'port', '8888'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'destination', 'port', '22'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'limit', 'rate', '5/minute'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
@@ -97,6 +101,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['iifname "eth0"', 'jump NAME_smoketest'],
['saddr 172.16.20.10', 'daddr 172.16.10.10', 'return'],
['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'reject'],
+ ['tcp dport { 22 }', 'limit rate 5/minute', 'return'],
['smoketest default-action', 'drop']
]
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 41df1b84a..f33198a49 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -171,6 +171,12 @@ def verify_rule(firewall, rule_conf, ipv6):
if {'match_frag', 'match_non_frag'} <= set(rule_conf['fragment']):
raise ConfigError('Cannot specify both "match-frag" and "match-non-frag"')
+ if 'limit' in rule_conf:
+ if 'rate' in rule_conf['limit']:
+ rate_int = re.sub(r'\D', '', rule_conf['limit']['rate'])
+ if int(rate_int) < 1:
+ raise ConfigError('Limit rate integer cannot be less than 1')
+
if 'ipsec' in rule_conf:
if {'match_ipsec', 'match_non_ipsec'} <= set(rule_conf['ipsec']):
raise ConfigError('Cannot specify both "match-ipsec" and "match-non-ipsec"')
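Review bot: `int(rate_int)` on the new line raises a bare ValueError instead of ConfigError when the rate string contains no digit at all, because `re.sub(r'\D', '', ...)` then yields an empty string; whether the XML validator already rules that out is not visible here. Guarding on the stripped string keeps the failure on the normal error path: `if not rate_int or int(rate_int) < 1:`. Stripping every non-digit also folds any digit in the unit part into the number (a constructed value like `1/h2` would read as 12), so matching only the leading integer, e.g. `re.match(r'^(\d+)/', rule_conf['limit']['rate'])`, would be stricter. verify_rule continues outside the hunk.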
--
cgit v1.2.3
From 4ecf558f53d1740b5ddb0de1f7effbaf0f44ff5f Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 23 Mar 2022 10:40:06 +0100
Subject: qos: T4284: support mirror and redirect on vlan subinterfaces
---
interface-definitions/include/interface/vif-s.xml.i | 2 ++
interface-definitions/include/interface/vif.xml.i | 1 +
python/vyos/configverify.py | 19 +++++++++++++------
python/vyos/ifconfig/interface.py | 3 ---
4 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i
index 59a47b5ff..40a87e3d3 100644
--- a/interface-definitions/include/interface/vif-s.xml.i
+++ b/interface-definitions/include/interface/vif-s.xml.i
@@ -44,6 +44,7 @@
#include
#include
#include
+ #include
#include
@@ -63,6 +64,7 @@
#include
#include
#include
+ #include
#include
#include
#include
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index 8a1475711..615101664 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -49,6 +49,7 @@
#include
#include
#include
+ #include
#include
#include
#include
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index df2c5775a..9f2771854 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -317,9 +317,12 @@ def verify_vlan_config(config):
if duplicate:
raise ConfigError(f'Duplicate VLAN id "{duplicate[0]}" used for vif and vif-s interfaces!')
+ parent_ifname = config['ifname']
# 802.1q VLANs
- for vlan in config.get('vif', {}):
- vlan = config['vif'][vlan]
+ for vlan_id in config.get('vif', {}):
+ vlan = config['vif'][vlan_id]
+ vlan['ifname'] = f'{parent_ifname}.{vlan_id}'
+
verify_dhcpv6(vlan)
verify_address(vlan)
verify_vrf(vlan)
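Review bot: verify_vlan_config now mutates its argument: `vlan['ifname'] = f'{parent_ifname}.{vlan_id}'` writes into the config dict during verification, and the next hunk does the same for `s_vlan` and `c_vlan`. If this is intended so that `verify_mirror_redirect` can resolve the sub-interface name, a comment such as `# derive the vif name in place; verify_mirror_redirect() needs it` above each assignment would stop a later reader from treating it as an accidental side effect. `parent_ifname = config['ifname']` also raises KeyError for a caller that passes a dict without `ifname`; `config.get('ifname')` with an explicit ConfigError would be clearer, though every caller may already guarantee the key. The function body continues outside both hunks.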
@@ -327,16 +330,20 @@ def verify_vlan_config(config):
verify_mtu_parent(vlan, config)
# 802.1ad (Q-in-Q) VLANs
- for s_vlan in config.get('vif_s', {}):
- s_vlan = config['vif_s'][s_vlan]
+ for s_vlan_id in config.get('vif_s', {}):
+ s_vlan = config['vif_s'][s_vlan_id]
+ s_vlan['ifname'] = f'{parent_ifname}.{s_vlan_id}'
+
verify_dhcpv6(s_vlan)
verify_address(s_vlan)
verify_vrf(s_vlan)
verify_mirror_redirect(s_vlan)
verify_mtu_parent(s_vlan, config)
- for c_vlan in s_vlan.get('vif_c', {}):
- c_vlan = s_vlan['vif_c'][c_vlan]
+ for c_vlan_id in s_vlan.get('vif_c', {}):
+ c_vlan = s_vlan['vif_c'][c_vlan_id]
+ c_vlan['ifname'] = f'{parent_ifname}.{s_vlan_id}.{c_vlan_id}'
+
verify_dhcpv6(c_vlan)
verify_address(c_vlan)
verify_vrf(c_vlan)
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 76164ca32..1464b2969 100755
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -1734,6 +1734,3 @@ class VLANIf(Interface):
return None
return super().set_admin_state(state)
-
- def set_mirror_redirect(self):
- return
--
cgit v1.2.3
From 0bf386cee9b09d2e1a220330d3662c6ca2642645 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 6 Apr 2022 20:09:31 +0200
Subject: qos: T4284: rename "traffic-policy" node to "qos policy"
"set traffic-policy" now becomes "set qos policy"
"set interface ethernet eth0 traffic-policy" now becomes "set qos interface eth0"
---
Makefile | 3 +-
.../include/interface/traffic-policy.xml.i | 43 -
.../include/interface/vif-s.xml.i | 2 -
interface-definitions/include/interface/vif.xml.i | 1 -
interface-definitions/interfaces-bonding.xml.in | 1 -
interface-definitions/interfaces-bridge.xml.in | 1 -
interface-definitions/interfaces-dummy.xml.in | 1 -
interface-definitions/interfaces-ethernet.xml.in | 1 -
interface-definitions/interfaces-geneve.xml.in | 1 -
interface-definitions/interfaces-input.xml.in | 1 -
interface-definitions/interfaces-l2tpv3.xml.in | 1 -
interface-definitions/interfaces-loopback.xml.in | 1 -
interface-definitions/interfaces-macsec.xml.in | 1 -
interface-definitions/interfaces-openvpn.xml.in | 1 -
interface-definitions/interfaces-pppoe.xml.in | 1 -
.../interfaces-pseudo-ethernet.xml.in | 1 -
interface-definitions/interfaces-tunnel.xml.in | 1 -
interface-definitions/interfaces-vti.xml.in | 1 -
interface-definitions/interfaces-vxlan.xml.in | 1 -
interface-definitions/interfaces-wireguard.xml.in | 1 -
interface-definitions/interfaces-wireless.xml.in | 1 -
interface-definitions/interfaces-wwan.xml.in | 1 -
interface-definitions/qos.xml.in | 1148 +++++++++++---------
src/conf_mode/qos.py | 47 +-
24 files changed, 631 insertions(+), 631 deletions(-)
delete mode 100644 interface-definitions/include/interface/traffic-policy.xml.i
diff --git a/Makefile b/Makefile
index 54f3892ba..dc1301100 100644
--- a/Makefile
+++ b/Makefile
@@ -31,9 +31,8 @@ interface_definitions: $(config_xml_obj)
rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address
# T4284 neq QoS implementation is not yet live
- find $(TMPL_DIR)/interfaces -name traffic-policy -type d -exec rm -rf {} \;
find $(TMPL_DIR)/interfaces -name redirect -type d -exec rm -rf {} \;
- rm -rf $(TMPL_DIR)/traffic-policy
+ rm -rf $(TMPL_DIR)/qos
rm -rf $(TMPL_DIR)/interfaces/input
# XXX: test if there are empty node.def files - this is not allowed as these
diff --git a/interface-definitions/include/interface/traffic-policy.xml.i b/interface-definitions/include/interface/traffic-policy.xml.i
deleted file mode 100644
index cd60b62a5..000000000
--- a/interface-definitions/include/interface/traffic-policy.xml.i
+++ /dev/null
@@ -1,43 +0,0 @@
-
-
-
- Traffic-policy for interface
-
-
-
-
- Ingress traffic policy for interface
-
- traffic-policy drop-tail
- traffic-policy fair-queue
- traffic-policy fq-codel
- traffic-policy limiter
- traffic-policy network-emulator
- traffic-policy priority-queue
- traffic-policy random-detect
- traffic-policy rate-control
- traffic-policy round-robin
- traffic-policy shaper
- traffic-policy shaper-hfsc
-
-
- txt
- Policy name
-
-
-
-
-
- Egress traffic policy for interface
-
- traffic-policy
-
-
- txt
- Policy name
-
-
-
-
-
-
\ No newline at end of file
diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i
index 40a87e3d3..3b305618e 100644
--- a/interface-definitions/include/interface/vif-s.xml.i
+++ b/interface-definitions/include/interface/vif-s.xml.i
@@ -67,14 +67,12 @@
#include
#include
#include
- #include
#include
#include
#include
#include
- #include
#include
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index 615101664..4e7f9b3c2 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -52,7 +52,6 @@
#include
#include
#include
- #include
#include
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index 20ece5137..5ae67a672 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -208,7 +208,6 @@
#include
- #include
#include
#include
#include
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in
index 6957067cd..be4c92583 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces-bridge.xml.in
@@ -211,7 +211,6 @@
#include
- #include
#include
diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in
index 988d87502..7f9ae90e5 100644
--- a/interface-definitions/interfaces-dummy.xml.in
+++ b/interface-definitions/interfaces-dummy.xml.in
@@ -32,7 +32,6 @@
#include
#include
#include
- #include
#include
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index 7d28912c0..7fa07e9ec 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -197,7 +197,6 @@
#include
- #include
#include
#include
#include
diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in
index 5f2c6bc05..fa5a78be5 100644
--- a/interface-definitions/interfaces-geneve.xml.in
+++ b/interface-definitions/interfaces-geneve.xml.in
@@ -52,7 +52,6 @@
#include
#include
- #include
#include
#include
diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in
index f2eb01c58..2164bfa4e 100644
--- a/interface-definitions/interfaces-input.xml.in
+++ b/interface-definitions/interfaces-input.xml.in
@@ -22,7 +22,6 @@
#include
#include
#include
- #include
diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in
index 0dcabf7a0..1f23a89a5 100644
--- a/interface-definitions/interfaces-l2tpv3.xml.in
+++ b/interface-definitions/interfaces-l2tpv3.xml.in
@@ -125,7 +125,6 @@
- #include
#include
diff --git a/interface-definitions/interfaces-loopback.xml.in b/interface-definitions/interfaces-loopback.xml.in
index 1e093d95b..7ac0545c6 100644
--- a/interface-definitions/interfaces-loopback.xml.in
+++ b/interface-definitions/interfaces-loopback.xml.in
@@ -28,7 +28,6 @@
#include
#include
- #include
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index fbdd1562a..cb3c489aa 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -124,7 +124,6 @@
#include
#include
- #include
#include
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 761f8bcad..c917b9312 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -818,7 +818,6 @@
#include
- #include
#include
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index adf5f4040..3a0b7a40c 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -135,7 +135,6 @@
#include
- #include
#include
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in
index aed2052f5..5f5e9fdef 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in
@@ -61,7 +61,6 @@
#include
#include
- #include
#include
#include
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index b31f22552..42ec62775 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -290,7 +290,6 @@
#include
#include
- #include
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in
index d66fc952e..5893e4c4c 100644
--- a/interface-definitions/interfaces-vti.xml.in
+++ b/interface-definitions/interfaces-vti.xml.in
@@ -36,7 +36,6 @@
#include
#include
#include
- #include
#include
#include
#include
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index b1a2dfaec..9747b1816 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -101,7 +101,6 @@
#include
#include
#include
- #include
#include
#include
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 51565cfe6..eb0892f07 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -121,7 +121,6 @@
#include
- #include
#include
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index a16a7841e..db01657eb 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -783,7 +783,6 @@
monitor
#include
- #include
#include
#include
diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in
index 33bc0cb3d..3cb1645c4 100644
--- a/interface-definitions/interfaces-wwan.xml.in
+++ b/interface-definitions/interfaces-wwan.xml.in
@@ -42,7 +42,6 @@
#include
#include
#include
- #include
#include
diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in
index d4468543c..e8f575a1e 100644
--- a/interface-definitions/qos.xml.in
+++ b/interface-definitions/qos.xml.in
@@ -1,721 +1,789 @@
-
+
- Quality of Service (QOS) policy type
- 900
+ Quality of Service (QoS)
-
+
- Packet limited First In, First Out queue
+ Interface to apply QoS policy
+
+
+
txt
- Policy name
+ Interface name
- [[:alnum:]][-_[:alnum:]]*
+
- Only alpha-numeric policy name allowed
- #include
- #include
-
-
-
-
- Stochastic Fairness Queueing
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
- #include
-
+
- Interval in seconds for queue algorithm perturbation
-
- u32:0
- No perturbation
-
+ Interface ingress traffic policy
+
+ traffic-policy drop-tail
+ traffic-policy fair-queue
+ traffic-policy fq-codel
+ traffic-policy limiter
+ traffic-policy network-emulator
+ traffic-policy priority-queue
+ traffic-policy random-detect
+ traffic-policy rate-control
+ traffic-policy round-robin
+ traffic-policy shaper
+ traffic-policy shaper-hfsc
+
- u32:1-127
- Interval in seconds for queue algorithm perturbation (advised: 10)
+ txt
+ QoS Policy name
-
-
-
- Interval must be in range 0 to 127
- 0
-
+
- Upper limit of the SFQ
+ Interface egress traffic policy
+
+ traffic-policy drop-tail
+ traffic-policy fair-queue
+ traffic-policy fq-codel
+ traffic-policy limiter
+ traffic-policy network-emulator
+ traffic-policy priority-queue
+ traffic-policy random-detect
+ traffic-policy rate-control
+ traffic-policy round-robin
+ traffic-policy shaper
+ traffic-policy shaper-hfsc
+
- u32:2-127
- Queue size in packets
+ txt
+ QoS Policy name
-
-
-
- Queue limit must greater than 1 and less than 128
- 127
-
+
- Fair Queuing Controlled Delay
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
+ Service Policy definitions
+ 900
- #include
- #include
- #include
- #include
- #include
- #include
-
-
-
-
- Traffic input limiting policy
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
-
+
- Class ID
+ Packet limited First In, First Out queue
- u32:1-4090
- Class Identifier
+ txt
+ Policy name
-
+ [[:alnum:]][-_[:alnum:]]*
- Class identifier must be between 1 and 4090
+ Only alpha-numeric policy name allowed
+
+
+ #include
+ #include
+
+
+
+
+ Stochastic Fairness Queueing
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
- #include
- #include
#include
- #include
-
+
+
+ Interval in seconds for queue algorithm perturbation
+
+ u32:0
+ No perturbation
+
+
+ u32:1-127
+ Interval in seconds for queue algorithm perturbation (advised: 10)
+
+
+
+
+ Interval must be in range 0 to 127
+
+ 0
+
+
- Priority for rule evaluation
+ Upper limit of the SFQ
- u32:0-20
- Priority for match rule evaluation
+ u32:2-127
+ Queue size in packets
-
+
- Priority must be between 0 and 20
+ Queue limit must greater than 1 and less than 128
- 20
+ 127
-
-
- Default policy
-
-
- #include
- #include
-
-
- #include
-
-
-
-
- Network emulator policy
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
- #include
- #include
- #include
-
-
- Adds delay to packets outgoing to chosen network interface
-
- <number>
- Time in milliseconds
-
-
-
-
- Priority must be between 0 and 65535
-
-
-
-
- Introducing error in a random position for chosen percent of packets
-
- <number>
- Percentage of packets affected
-
-
-
-
- Priority must be between 0 and 100
-
-
-
-
- Add independent loss probability to the packets outgoing to chosen network interface
-
- <number>
- Percentage of packets affected
-
-
-
-
- Must be between 0 and 100
-
-
-
+
- Add independent loss probability to the packets outgoing to chosen network interface
+ Fair Queuing Controlled Delay
- <number>
- Percentage of packets affected
+ txt
+ Policy name
-
+ [[:alnum:]][-_[:alnum:]]*
- Must be between 0 and 100
-
-
-
-
- Packet reordering percentage
-
- <number>
- Percentage of packets affected
-
-
-
-
- Must be between 0 and 100
-
-
- #include
-
-
-
-
- Priority queuing based policy
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
-
-
- Class Handle
-
- u32:1-7
- Priority
-
-
-
-
- Class handle must be between 1 and 7
+ Only alpha-numeric policy name allowed
#include
#include
#include
#include
- #include
#include
#include
- #include
-
+
- Default policy
+ Traffic input limiting policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ Class ID
+
+ u32:1-4090
+ Class Identifier
+
+
+
+
+ Class identifier must be between 1 and 4090
+
+
+ #include
+ #include
+ #include
+ #include
+
+
+ Priority for rule evaluation
+
+ u32:0-20
+ Priority for match rule evaluation
+
+
+
+
+ Priority must be between 0 and 20
+
+ 20
+
+
+
+
+
+ Default policy
+
+
+ #include
+ #include
+
+
#include
- #include
- #include
- #include
- #include
- #include
- #include
-
- #include
-
-
-
-
- Priority queuing based policy
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
- #include
-
- auto
-
- #include
-
+
+
- IP precedence
+ Network emulator policy
- u32:0-7
- IP precedence value
+ txt
+ Policy name
-
+ [[:alnum:]][-_[:alnum:]]*
- IP precedence value must be between 0 and 7
+ Only alpha-numeric policy name allowed
- #include
-
+ #include
+ #include
+ #include
+
- Average packet size (bytes)
+ Adds delay to packets outgoing to chosen network interface
- u32:16-10240
- Average packet size in bytes
+ <number>
+ Time in milliseconds
-
+
- Average packet size must be between 16 and 10240
+ Priority must be between 0 and 65535
- 1024
-
+
- Mark probability for this precedence
+ Introducing error in a random position for chosen percent of packets
<number>
- Numeric value (1/N)
+ Percentage of packets affected
-
+
- Mark probability must be greater than 0
+ Priority must be between 0 and 100
-
+
- Maximum threshold for random detection
+ Add independent loss probability to the packets outgoing to chosen network interface
- u32:0-4096
- Maximum Threshold in packets
+ <number>
+ Percentage of packets affected
-
+
- Threshold must be between 0 and 4096
+ Must be between 0 and 100
-
+
- Minimum threshold for random detection
+ Add independent loss probability to the packets outgoing to chosen network interface
- u32:0-4096
- Maximum Threshold in packets
+ <number>
+ Percentage of packets affected
-
+
- Threshold must be between 0 and 4096
+ Must be between 0 and 100
-
-
-
-
-
-
- Rate limiting policy (Token Bucket Filter)
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
- #include
- #include
- #include
-
-
- Maximum latency
-
- <number>
- Time in milliseconds
-
-
-
-
- Threshold must be between 0 and 4096
-
- 50
-
-
-
-
-
- Round-Robin based policy
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
- #include
-
-
- Class ID
-
- u32:1-4095
- Class Identifier
-
-
-
-
- Class identifier must be between 1 and 4095
-
-
- #include
- #include
- #include
- #include
- #include
-
+
- Packet scheduling quantum
+ Packet reordering percentage
- u32:1-4294967295
- Packet scheduling quantum (bytes)
+ <number>
+ Percentage of packets affected
-
+
- Quantum must be in range 1 to 4294967295
+ Must be between 0 and 100
#include
- #include
- #include
-
-
-
-
- Hierarchical Fair Service Curve's policy
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
- #include
-
- auto
-
- #include
-
+
- Class ID
+ Priority queuing based policy
- u32:1-4095
- Class Identifier
+ txt
+ Policy name
-
+ [[:alnum:]][-_[:alnum:]]*
- Class identifier must be between 1 and 4095
+ Only alpha-numeric policy name allowed
- #include
-
+
- Linkshare class settings
-
-
- #include
- #include
- #include
-
-
- #include
-
-
- Realtime class settings
+ Class Handle
+
+ u32:1-7
+ Priority
+
+
+
+
+ Class handle must be between 1 and 7
- #include
- #include
- #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
-
-
+
+
- Upperlimit class settings
+ Default policy
- #include
- #include
- #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
-
+
- Default policy
+ Priority queuing based policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
-
-
- Linkshare class settings
-
-
- #include
- #include
- #include
-
-
-
-
- Realtime class settings
-
-
- #include
- #include
- #include
-
-
-
+ #include
+
+ auto
+
+ #include
+
- Upperlimit class settings
+ IP precedence
+
+ u32:0-7
+ IP precedence value
+
+
+
+
+ IP precedence value must be between 0 and 7
- #include
- #include
- #include
+ #include
+
+
+ Average packet size (bytes)
+
+ u32:16-10240
+ Average packet size in bytes
+
+
+
+
+ Average packet size must be between 16 and 10240
+
+ 1024
+
+
+
+ Mark probability for this precedence
+
+ <number>
+ Numeric value (1/N)
+
+
+
+
+ Mark probability must be greater than 0
+
+
+
+
+ Maximum threshold for random detection
+
+ u32:0-4096
+ Maximum Threshold in packets
+
+
+
+
+ Threshold must be between 0 and 4096
+
+
+
+
+ Minimum threshold for random detection
+
+ u32:0-4096
+ Maximum Threshold in packets
+
+
+
+
+ Threshold must be between 0 and 4096
+
+
-
+
-
-
-
-
-
- Traffic shaping based policy (Hierarchy Token Bucket)
-
- txt
- Policy name
-
-
- [[:alnum:]][-_[:alnum:]]*
-
- Only alpha-numeric policy name allowed
-
-
- #include
-
- auto
-
-
+
+
- Class ID
+ Rate limiting policy (Token Bucket Filter)
- u32:2-4095
- Class Identifier
+ txt
+ Policy name
-
+ [[:alnum:]][-_[:alnum:]]*
- Class identifier must be between 2 and 4095
+ Only alpha-numeric policy name allowed
#include
-
- 100%
-
+ #include
#include
-
+
- Bandwidth limit for this class
+ Maximum latency
<number>
- Rate in kbit (kilobit per second)
-
-
- <number>%%
- Percentage of overall rate
-
-
- <number>bit
- bit(1), kbit(10^3), mbit(10^6), gbit, tbit
-
-
- <number>ibit
- kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
-
-
- <number>ibps
- kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
-
-
- <number>bps
- bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+ Time in milliseconds
+
+
+
+ Threshold must be between 0 and 4096
+ 50
- #include
+
+
+
+
+ Round-Robin based policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
#include
- #include
- #include
- #include
-
+
- Priority for usage of excess bandwidth
+ Class ID
- u32:0-7
- Priority order for bandwidth pool
+ u32:1-4095
+ Class Identifier
-
+
- Priority must be between 0 and 7
+ Class identifier must be between 1 and 4095
- 20
-
- #include
- #include
- #include
- #include
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+ Packet scheduling quantum
+
+ u32:1-4294967295
+ Packet scheduling quantum (bytes)
+
+
+
+
+ Quantum must be in range 1 to 4294967295
+
+
+ #include
+ #include
+ #include
+
+
- #include
-
+
- Default policy
+ Hierarchical Fair Service Curve's policy
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
#include
- #include
-
+
+ auto
+
+ #include
+
- Bandwidth limit for this class
-
- <number>
- Rate in kbit (kilobit per second)
-
-
- <number>%%
- Percentage of overall rate
-
+ Class ID
- <number>bit
- bit(1), kbit(10^3), mbit(10^6), gbit, tbit
-
-
- <number>ibit
- kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
-
-
- <number>ibps
- kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
-
-
- <number>bps
- bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+ u32:1-4095
+ Class Identifier
+
+
+
+ Class identifier must be between 1 and 4095
+
+
+ #include
+
+
+ Linkshare class settings
+
+
+ #include
+ #include
+ #include
+
+
+ #include
+
+
+ Realtime class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+ Upperlimit class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+
+
+ Default policy
+
+
+
+ Linkshare class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+ Realtime class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+ Upperlimit class settings
+
+
+ #include
+ #include
+ #include
+
+
+
+
+
+
+
+
+ Traffic shaping based policy (Hierarchy Token Bucket)
+
+ txt
+ Policy name
+
+
+ [[:alnum:]][-_[:alnum:]]*
+
+ Only alpha-numeric policy name allowed
+
+
+ #include
+
+ auto
- #include
- #include
- #include
- #include
-
+
- Priority for usage of excess bandwidth
+ Class ID
- u32:0-7
- Priority order for bandwidth pool
+ u32:2-4095
+ Class Identifier
-
+
- Priority must be between 0 and 7
+ Class identifier must be between 2 and 4095
- 20
-
- #include
- #include
- #include
- #include
+
+ #include
+
+ 100%
+
+ #include
+
+
+ Bandwidth limit for this class
+
+ <number>
+ Rate in kbit (kilobit per second)
+
+
+ <number>%%
+ Percentage of overall rate
+
+
+ <number>bit
+ bit(1), kbit(10^3), mbit(10^6), gbit, tbit
+
+
+ <number>ibit
+ kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
+
+
+ <number>ibps
+ kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
+
+
+ <number>bps
+ bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+
+
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+
+ Priority for usage of excess bandwidth
+
+ u32:0-7
+ Priority order for bandwidth pool
+
+
+
+
+ Priority must be between 0 and 7
+
+ 20
+
+ #include
+ #include
+ #include
+ #include
+
+
+ #include
+
+
+ Default policy
+
+
+ #include
+ #include
+
+
+ Bandwidth limit for this class
+
+ <number>
+ Rate in kbit (kilobit per second)
+
+
+ <number>%%
+ Percentage of overall rate
+
+
+ <number>bit
+ bit(1), kbit(10^3), mbit(10^6), gbit, tbit
+
+
+ <number>ibit
+ kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4)
+
+
+ <number>ibps
+ kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec
+
+
+ <number>bps
+ bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec
+
+
+
+ #include
+ #include
+ #include
+ #include
+
+
+ Priority for usage of excess bandwidth
+
+ u32:0-7
+ Priority order for bandwidth pool
+
+
+
+
+ Priority must be between 0 and 7
+
+ 20
+
+ #include
+ #include
+ #include
+ #include
+
+
-
+
-
+
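Review bot: The default value `20` that follows `Priority must be between 0 and 7` under `Priority for usage of excess bandwidth` (in the shaper class and again in its default policy) lies outside the declared `u32:0-7` range, so a user who never sets the leaf gets a value the validator would reject if typed explicitly; the XML tags are stripped in this view, so the element pairing is inferred, but the same pairing exists on the old side and is carried over unchanged. If 20 is deliberate, a comment next to the default saying why the range does not apply to it would help; otherwise the default should be brought inside the range. Several help strings on the new side are also copied between unrelated leaves: the network-emulator delay leaf reports `Priority must be between 0 and 65535`, the random-error leaf reports `Priority must be between 0 and 100`, and `Minimum threshold for random detection` describes its value as `Maximum Threshold in packets`; each should name the leaf it validates.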
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
index cf447d4b5..dbe3be225 100755
--- a/src/conf_mode/qos.py
+++ b/src/conf_mode/qos.py
@@ -28,36 +28,33 @@ def get_config(config=None):
conf = config
else:
conf = Config()
- base = ['traffic-policy']
+ base = ['qos']
if not conf.exists(base):
return None
qos = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- for traffic_policy in ['drop-tail', 'fair-queue', 'fq-codel', 'limiter',
- 'network-emulator', 'priority-queue', 'random-detect',
- 'rate-control', 'round-robin', 'shaper', 'shaper-hfsc']:
- traffic_policy_us = traffic_policy.replace('-','_')
- # Individual policy type not present on CLI - no need to blend in
- # any default values
- if traffic_policy_us not in qos:
- continue
-
- default_values = defaults(base + [traffic_policy_us])
-
- # class is another tag node which requires individual handling
- class_default_values = defaults(base + [traffic_policy_us, 'class'])
- if 'class' in default_values:
- del default_values['class']
-
- for policy, policy_config in qos[traffic_policy_us].items():
- qos[traffic_policy_us][policy] = dict_merge(
- default_values, qos[traffic_policy_us][policy])
-
- if 'class' in policy_config:
- for policy_class in policy_config['class']:
- qos[traffic_policy_us][policy]['class'][policy_class] = dict_merge(
- class_default_values, qos[traffic_policy_us][policy]['class'][policy_class])
+ if 'policy' in qos:
+ for policy in qos['policy']:
+ # CLI mangles - to _ for better Jinja2 compatibility - do we need
+ # Jinja2 here?
+ policy = policy.replace('-','_')
+
+ default_values = defaults(base + ['policy', policy])
+
+ # class is another tag node which requires individual handling
+ class_default_values = defaults(base + ['policy', policy, 'class'])
+ if 'class' in default_values:
+ del default_values['class']
+
+ for p_name, p_config in qos['policy'][policy].items():
+ qos['policy'][policy][p_name] = dict_merge(
+ default_values, qos['policy'][policy][p_name])
+
+ if 'class' in p_config:
+ for p_class in p_config['class']:
+ qos['policy'][policy][p_name]['class'][p_class] = dict_merge(
+ class_default_values, qos['policy'][policy][p_name]['class'][p_class])
import pprint
pprint.pprint(qos)
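Review bot: `policy = policy.replace('-','_')` rebinds the loop variable of `for policy in qos['policy']`, and since `get_config_dict` is called with `key_mangling=('-', '_')` the keys are presumably already underscored, so the replace is a no-op on the keys actually present; were it not, `qos['policy'][policy]` would raise KeyError for any key the replace changed. The open question left in the comment (`do we need Jinja2 here?`) should be settled rather than committed: drop the replace and the comment, or iterate `for policy, policy_config in qos['policy'].items():` and use `policy_config` in place of the repeated `qos['policy'][policy]` lookups. The `pprint.pprint(qos)` in the trailing context predates this commit but still dumps the full config on every run. get_config continues outside the hunk.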
--
cgit v1.2.3
From 440a7a1c965be39ca0b13b4ea5985dd9c95fabef Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 7 Apr 2022 19:07:52 +0200
Subject: ipv6: T4346: delete (migrate) CLI command to disable IPv6 address
family
---
.../include/version/system-version.xml.i | 2 +-
interface-definitions/system-ipv6.xml.in | 6 --
python/vyos/ifconfig/interface.py | 91 ++++++++++------------
python/vyos/ifconfig/loopback.py | 12 ++-
python/vyos/util.py | 4 -
smoketest/configs/ipv6-disable | 83 ++++++++++++++++++++
smoketest/scripts/cli/test_system_ipv6.py | 36 ---------
src/conf_mode/system-ipv6.py | 18 -----
src/conf_mode/vrf.py | 4 +-
src/migration-scripts/system/22-to-23 | 50 ++++++++++++
src/tests/test_util.py | 10 ---
11 files changed, 181 insertions(+), 135 deletions(-)
create mode 100644 smoketest/configs/ipv6-disable
create mode 100755 src/migration-scripts/system/22-to-23
diff --git a/interface-definitions/include/version/system-version.xml.i b/interface-definitions/include/version/system-version.xml.i
index fb4629bf1..19591256d 100644
--- a/interface-definitions/include/version/system-version.xml.i
+++ b/interface-definitions/include/version/system-version.xml.i
@@ -1,3 +1,3 @@
-
+
diff --git a/interface-definitions/system-ipv6.xml.in b/interface-definitions/system-ipv6.xml.in
index af4dcdb0f..63260d00c 100644
--- a/interface-definitions/system-ipv6.xml.in
+++ b/interface-definitions/system-ipv6.xml.in
@@ -15,12 +15,6 @@
-
-
- Disable assignment of IPv6 addresses on all interfaces
-
-
-
IPv6 multipath settings
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 5b2760386..6b0f08fd4 100755
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -38,7 +38,6 @@ from vyos.util import read_file
from vyos.util import get_interface_config
from vyos.util import get_interface_namespace
from vyos.util import is_systemd_service_active
-from vyos.util import is_ipv6_enabled
from vyos.template import is_ipv4
from vyos.template import is_ipv6
from vyos.validate import is_intf_addr_assigned
@@ -1080,12 +1079,6 @@ class Interface(Control):
if addr in self._addr:
return False
- addr_is_v4 = is_ipv4(addr)
-
- # Failsave - do not add IPv6 address if IPv6 is disabled
- if is_ipv6(addr) and not is_ipv6_enabled():
- return False
-
# add to interface
if addr == 'dhcp':
self.set_dhcp(True)
@@ -1517,50 +1510,48 @@ class Interface(Control):
if 'mtu' in config:
self.set_mtu(config.get('mtu'))
- # Only change IPv6 parameters if IPv6 was not explicitly disabled
- if is_ipv6_enabled():
- # Configure MSS value for IPv6 TCP connections
- tmp = dict_search('ipv6.adjust_mss', config)
- value = tmp if (tmp != None) else '0'
- self.set_tcp_ipv6_mss(value)
-
- # IPv6 forwarding
- tmp = dict_search('ipv6.disable_forwarding', config)
- value = '0' if (tmp != None) else '1'
- self.set_ipv6_forwarding(value)
-
- # IPv6 router advertisements
- tmp = dict_search('ipv6.address.autoconf', config)
- value = '2' if (tmp != None) else '1'
- if 'dhcpv6' in new_addr:
- value = '2'
- self.set_ipv6_accept_ra(value)
-
- # IPv6 address autoconfiguration
- tmp = dict_search('ipv6.address.autoconf', config)
- value = '1' if (tmp != None) else '0'
- self.set_ipv6_autoconf(value)
-
- # IPv6 Duplicate Address Detection (DAD) tries
- tmp = dict_search('ipv6.dup_addr_detect_transmits', config)
- value = tmp if (tmp != None) else '1'
- self.set_ipv6_dad_messages(value)
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in (dict_search('ipv6.address.eui64_old', config) or []):
- self.del_ipv6_eui64_address(addr)
-
- # Manage IPv6 link-local addresses
- if dict_search('ipv6.address.no_default_link_local', config) != None:
- self.del_ipv6_eui64_address('fe80::/64')
- else:
- self.add_ipv6_eui64_address('fe80::/64')
+ # Configure MSS value for IPv6 TCP connections
+ tmp = dict_search('ipv6.adjust_mss', config)
+ value = tmp if (tmp != None) else '0'
+ self.set_tcp_ipv6_mss(value)
+
+ # IPv6 forwarding
+ tmp = dict_search('ipv6.disable_forwarding', config)
+ value = '0' if (tmp != None) else '1'
+ self.set_ipv6_forwarding(value)
+
+ # IPv6 router advertisements
+ tmp = dict_search('ipv6.address.autoconf', config)
+ value = '2' if (tmp != None) else '1'
+ if 'dhcpv6' in new_addr:
+ value = '2'
+ self.set_ipv6_accept_ra(value)
+
+ # IPv6 address autoconfiguration
+ tmp = dict_search('ipv6.address.autoconf', config)
+ value = '1' if (tmp != None) else '0'
+ self.set_ipv6_autoconf(value)
+
+ # IPv6 Duplicate Address Detection (DAD) tries
+ tmp = dict_search('ipv6.dup_addr_detect_transmits', config)
+ value = tmp if (tmp != None) else '1'
+ self.set_ipv6_dad_messages(value)
+
+ # Delete old IPv6 EUI64 addresses before changing MAC
+ for addr in (dict_search('ipv6.address.eui64_old', config) or []):
+ self.del_ipv6_eui64_address(addr)
+
+ # Manage IPv6 link-local addresses
+ if dict_search('ipv6.address.no_default_link_local', config) != None:
+ self.del_ipv6_eui64_address('fe80::/64')
+ else:
+ self.add_ipv6_eui64_address('fe80::/64')
- # Add IPv6 EUI-based addresses
- tmp = dict_search('ipv6.address.eui64', config)
- if tmp:
- for addr in tmp:
- self.add_ipv6_eui64_address(addr)
+ # Add IPv6 EUI-based addresses
+ tmp = dict_search('ipv6.address.eui64', config)
+ if tmp:
+ for addr in tmp:
+ self.add_ipv6_eui64_address(addr)
# re-add ourselves to any bridge we might have fallen out of
if 'is_bridge_member' in config:
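Review bot: The set_tcp_ipv6_mss, set_ipv6_forwarding, set_ipv6_accept_ra, set_ipv6_autoconf, set_ipv6_dad_messages and add_ipv6_eui64_address calls in this hunk now run on every update with no check that the kernel actually has IPv6 available, and the same applies to the unguarded `vrf_if.add_addr('::1/128')` in the vrf.py hunk and to add_addr itself once its failsafe earlier in this file is gone. The CLI node is removed, but IPv6 can still be absent at kernel level (boot parameter, or a kernel built without it), in which case the net.ipv6 sysctl paths these setters presumably write would not exist; what the setters do on a missing path is outside the hunk, so it is worth confirming that an update cannot fail or abort half-way for that reason. If that configuration is meant to be unsupported, a comment stating the precondition would make it explicit: `# IPv6 is assumed to be compiled in and enabled in the kernel; the CLI option to disable it was dropped (T4346)`. As a point of style, the repeated `tmp != None` comparisons should be `tmp is not None`, and `dict_search('ipv6.address.autoconf', config)` is evaluated twice (accept_ra and autoconf) where one lookup could feed both. The enclosing update() method begins and ends outside the hunk.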
diff --git a/python/vyos/ifconfig/loopback.py b/python/vyos/ifconfig/loopback.py
index 30c890fdf..b3babfadc 100644
--- a/python/vyos/ifconfig/loopback.py
+++ b/python/vyos/ifconfig/loopback.py
@@ -14,7 +14,6 @@
# License along with this library. If not, see .
from vyos.ifconfig.interface import Interface
-from vyos.util import is_ipv6_enabled
@Interface.register
class LoopbackIf(Interface):
@@ -58,15 +57,14 @@ class LoopbackIf(Interface):
interface setup code and provide a single point of entry when workin
on any interface. """
- addr = config.get('address', [])
-
+ address = config.get('address', [])
# We must ensure that the loopback addresses are never deleted from the system
- addr.append('127.0.0.1/8')
- if is_ipv6_enabled():
- addr.append('::1/128')
+ for tmp in self._persistent_addresses:
+ if tmp not in address:
+ address.append(tmp)
# Update IP address entry in our dictionary
- config.update({'address' : addr})
+ config.update({'address' : address})
# call base class
super().update(config)
diff --git a/python/vyos/util.py b/python/vyos/util.py
index 0bf6b699e..de55e108b 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -1024,7 +1024,3 @@ def sysctl_write(name, value):
call(f'sysctl -wq {name}={value}')
return True
return False
-
-def is_ipv6_enabled() -> bool:
- """ Check if IPv6 support on the system is enabled or not """
- return (sysctl_read('net.ipv6.conf.all.disable_ipv6') == '0')
diff --git a/smoketest/configs/ipv6-disable b/smoketest/configs/ipv6-disable
new file mode 100644
index 000000000..da41e9020
--- /dev/null
+++ b/smoketest/configs/ipv6-disable
@@ -0,0 +1,83 @@
+interfaces {
+ ethernet eth0 {
+ duplex auto
+ smp-affinity auto
+ speed auto
+ vif 201 {
+ address 172.18.201.10/24
+ }
+ vif 202 {
+ address 172.18.202.10/24
+ }
+ vif 203 {
+ address 172.18.203.10/24
+ }
+ vif 204 {
+ address 172.18.204.10/24
+ }
+ }
+}
+protocols {
+ static {
+ route 0.0.0.0/0 {
+ next-hop 172.18.201.254 {
+ distance 10
+ }
+ next-hop 172.18.202.254 {
+ distance 20
+ }
+ next-hop 172.18.203.254 {
+ distance 30
+ }
+ next-hop 172.18.204.254 {
+ distance 40
+ }
+ }
+ }
+}
+system {
+ config-management {
+ commit-revisions 200
+ }
+ console {
+ device ttyS0 {
+ speed 115200
+ }
+ }
+ domain-name vyos.net
+ host-name vyos
+ ipv6 {
+ disable
+ }
+ login {
+ user vyos {
+ authentication {
+ encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+ plaintext-password ""
+ }
+ level admin
+ }
+ }
+ name-server 172.16.254.20
+ name-server 172.16.254.30
+ ntp {
+ server 172.16.254.20 {
+ }
+ server 172.16.254.30 {
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level info
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ }
+}
+
+/* Warning: Do not remove the following line. */
+/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
+/* Release version: 1.2.6 */
diff --git a/smoketest/scripts/cli/test_system_ipv6.py b/smoketest/scripts/cli/test_system_ipv6.py
index 837d1dc12..c8aea9100 100755
--- a/smoketest/scripts/cli/test_system_ipv6.py
+++ b/smoketest/scripts/cli/test_system_ipv6.py
@@ -20,7 +20,6 @@ from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.template import is_ipv4
from vyos.util import read_file
-from vyos.util import is_ipv6_enabled
from vyos.util import get_interface_config
from vyos.validate import is_intf_addr_assigned
@@ -46,41 +45,6 @@ class TestSystemIPv6(VyOSUnitTestSHIM.TestCase):
self.assertEqual(read_file(file_forwarding), '0')
- def test_system_ipv6_disable(self):
- # Verify previous "enable" state
- self.assertEqual(read_file(file_disable), '0')
- self.assertTrue(is_ipv6_enabled())
-
- loopbacks = ['127.0.0.1', '::1']
- for addr in loopbacks:
- self.assertTrue(is_intf_addr_assigned('lo', addr))
-
- # Do not assign any IPv6 address on interfaces, this requires a reboot
- # which can not be tested, but we can read the config file :)
- self.cli_set(base_path + ['disable'])
- self.cli_commit()
-
- # Verify configuration file
- self.assertEqual(read_file(file_disable), '1')
- self.assertFalse(is_ipv6_enabled())
-
- for addr in loopbacks:
- if is_ipv4(addr):
- self.assertTrue(is_intf_addr_assigned('lo', addr))
- else:
- self.assertFalse(is_intf_addr_assigned('lo', addr))
-
- # T4330: Verify MTU can be changed with IPv6 disabled
- mtu = '1600'
- eth_if = 'eth0'
- self.cli_set(['interfaces', 'ethernet', eth_if, 'mtu', mtu])
- self.cli_commit()
-
- tmp = get_interface_config(eth_if)
- self.assertEqual(tmp['mtu'], int(mtu))
-
- self.cli_delete(['interfaces', 'ethernet', eth_if, 'mtu'])
-
def test_system_ipv6_strict_dad(self):
# This defaults to 1
self.assertEqual(read_file(file_dad), '1')
diff --git a/src/conf_mode/system-ipv6.py b/src/conf_mode/system-ipv6.py
index e6bcc12ad..26aacf46b 100755
--- a/src/conf_mode/system-ipv6.py
+++ b/src/conf_mode/system-ipv6.py
@@ -17,11 +17,8 @@
import os
from sys import exit
-from vyos.base import DeprecationWarning
from vyos.config import Config
from vyos.configdict import dict_merge
-from vyos.configdict import leaf_node_changed
-from vyos.util import call
from vyos.util import dict_search
from vyos.util import sysctl_write
from vyos.util import write_file
@@ -39,9 +36,6 @@ def get_config(config=None):
opt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- tmp = leaf_node_changed(conf, base + ['disable'])
- if tmp: opt['reboot_required'] = {}
-
# We have gathered the dict representation of the CLI, but there are default
# options which we need to update into the dictionary retrived.
default_values = defaults(base)
@@ -50,24 +44,12 @@ def get_config(config=None):
return opt
def verify(opt):
- if 'disable' in opt:
- DeprecationWarning('VyOS 1.4 (sagitta) will remove the CLI command to '\
- 'disable IPv6 address family in the Linux Kernel!')
pass
def generate(opt):
pass
def apply(opt):
- # disable IPv6 globally
- tmp = dict_search('disable', opt)
- value = '1' if (tmp != None) else '0'
- sysctl_write('net.ipv6.conf.all.disable_ipv6', value)
-
- if 'reboot_required' in opt:
- print('Changing IPv6 disable parameter will only take affect\n' \
- 'when the system is rebooted.')
-
# configure multipath
tmp = dict_search('multipath.layer4_hashing', opt)
value = '1' if (tmp != None) else '0'
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index c3e2d8efd..f79c8a21e 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -30,7 +30,6 @@ from vyos.util import get_interface_config
from vyos.util import popen
from vyos.util import run
from vyos.util import sysctl_write
-from vyos.util import is_ipv6_enabled
from vyos import ConfigError
from vyos import frr
from vyos import airbag
@@ -219,8 +218,7 @@ def apply(vrf):
# We also should add proper loopback IP addresses to the newly added
# VRF for services bound to the loopback address (SNMP, NTP)
vrf_if.add_addr('127.0.0.1/8')
- if is_ipv6_enabled():
- vrf_if.add_addr('::1/128')
+ vrf_if.add_addr('::1/128')
# add VRF description if available
vrf_if.set_alias(config.get('description', ''))
diff --git a/src/migration-scripts/system/22-to-23 b/src/migration-scripts/system/22-to-23
new file mode 100755
index 000000000..7f832e48a
--- /dev/null
+++ b/src/migration-scripts/system/22-to-23
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import os
+
+from sys import exit, argv
+from vyos.configtree import ConfigTree
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['system', 'ipv6']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+# T4346: drop support to disbale IPv6 address family within the OS Kernel
+if config.exists(base + ['disable']):
+ config.delete(base + ['disable'])
+ # IPv6 address family disable was the only CLI option set - we can cleanup
+ # the entire tree
+ if len(config.list_nodes(base)) == 0:
+ config.delete(base)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ exit(1)
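Review bot: The argument check `if (len(argv) < 1):` never fires, because argv[0] is always the script name, so a missing file argument falls through to `argv[1]` and raises IndexError instead of printing the intended message; it should read `if len(argv) < 2:`. The read of file_name is also outside the try block that protects the write, so an unreadable config file produces a traceback rather than the same friendly exit as the save path. The comment above the delete has a typo, `disbale` for `disable`. Since removing the node silently re-enables IPv6 on the next boot for systems that had it off, consider printing a one-line notice when the node is deleted so the change in exposure is visible to the operator, much as the old apply() printed a reboot notice.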
diff --git a/src/tests/test_util.py b/src/tests/test_util.py
index 91890262c..8ac9a500a 100644
--- a/src/tests/test_util.py
+++ b/src/tests/test_util.py
@@ -26,13 +26,3 @@ class TestVyOSUtil(TestCase):
def test_sysctl_read(self):
self.assertEqual(sysctl_read('net.ipv4.conf.lo.forwarding'), '1')
-
- def test_ipv6_enabled(self):
- tmp = sysctl_read('net.ipv6.conf.all.disable_ipv6')
- # We need to test for both variants as this depends on how the
- # Docker container is started (with or without IPv6 support) - so we
- # will simply check both cases to not make the users life miserable.
- if tmp == '0':
- self.assertTrue(is_ipv6_enabled())
- else:
- self.assertFalse(is_ipv6_enabled())
--
cgit v1.2.3