From c6c562eca6ff469f603697f7f1d9319b2a5504a3 Mon Sep 17 00:00:00 2001 From: Henning Surmeier Date: Fri, 28 Jan 2022 23:55:06 +0100 Subject: policy: T4219: add local-route(6) incoming-interface --- .../include/interface/inbound-interface.xml.i | 10 ++++++++++ interface-definitions/policy-local-route.xml.in | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 interface-definitions/include/interface/inbound-interface.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/interface/inbound-interface.xml.i b/interface-definitions/include/interface/inbound-interface.xml.i new file mode 100644 index 000000000..5a8d47280 --- /dev/null +++ b/interface-definitions/include/interface/inbound-interface.xml.i @@ -0,0 +1,10 @@ + + + + Inbound Interface + + + + + + diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy-local-route.xml.in index 11b1e04d9..573a7963f 100644 --- a/interface-definitions/policy-local-route.xml.in +++ b/interface-definitions/policy-local-route.xml.in @@ -88,6 +88,7 @@ + #include @@ -177,6 +178,7 @@ + #include -- cgit v1.2.3 From fafd25143d46220c537de8ef514d5954129528eb Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sun, 30 Jan 2022 00:39:12 +0100 Subject: firewall: T2199: Add constraint for tagnode names --- interface-definitions/firewall.xml.in | 24 ++++++++++++++++++++++++ interface-definitions/policy-route.xml.in | 6 ++++++ interface-definitions/zone-policy.xml.in | 3 +++ 3 files changed, 33 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index f38bcfd9c..f2aca4b3a 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -74,6 +74,9 @@ Firewall address-group + + ^[a-zA-Z0-9][\w\-\.]*$ + @@ -100,6 +103,9 @@ Firewall ipv6-address-group + + ^[a-zA-Z0-9][\w\-\.]*$ + 
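Review bot: The new constraint `^[a-zA-Z0-9][\w\-\.]*$` under `Firewall address-group` puts no upper bound on the name length, so an over-long group name passes CLI validation and, as far as I can tell, only fails later when nft rejects the generated identifier (nft table/chain/set names have a maximum length). A bounded quantifier such as `^[a-zA-Z0-9][\w\-\.]{0,MAXLEN_PLACEHOLDER}$`, with the bound chosen below that limit, would reject it at commit time. The identical regex is pasted into nine tag nodes across firewall.xml.in, policy-route.xml.in and zone-policy.xml.in in the remaining hunks of this commit; a single shared `#include` snippet would keep them from drifting. If the validator runs this through Python's `re`, note that `\w` also matches non-ASCII word characters, so confirm that is intended for names that end up in nft syntax.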
@@ -126,6 +132,9 @@ Firewall ipv6-network-group + + ^[a-zA-Z0-9][\w\-\.]*$ + #include @@ -147,6 +156,9 @@ Firewall mac-group + + ^[a-zA-Z0-9][\w\-\.]*$ + #include @@ -168,6 +180,9 @@ Firewall network-group + + ^[a-zA-Z0-9][\w\-\.]*$ + #include @@ -189,6 +204,9 @@ Firewall port-group + + ^[a-zA-Z0-9][\w\-\.]*$ + #include @@ -240,6 +258,9 @@ IPv6 firewall rule-set name + + ^[a-zA-Z0-9][\w\-\.]*$ + #include @@ -423,6 +444,9 @@ IPv4 firewall rule-set name + + ^[a-zA-Z0-9][\w\-\.]*$ + #include diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in index 4ce953b52..a1c3b50de 100644 --- a/interface-definitions/policy-route.xml.in +++ b/interface-definitions/policy-route.xml.in @@ -5,6 +5,9 @@ Policy route rule set name for IPv6 + + ^[a-zA-Z0-9][\w\-\.]*$ + 201 @@ -51,6 +54,9 @@ Policy route rule set name for IPv4 + + ^[a-zA-Z0-9][\w\-\.]*$ + 201 diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in index dd64c7c16..69ee031c7 100644 --- a/interface-definitions/zone-policy.xml.in +++ b/interface-definitions/zone-policy.xml.in @@ -13,6 +13,9 @@ txt Zone name + + ^[a-zA-Z0-9][\w\-\.]*$ + #include -- cgit v1.2.3 From 2ac8376ca1b79ba05bcf83d77c8e9d903e9b50f0 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 31 Jan 2022 21:57:08 +0100 Subject: upnpd: T3420: use proper include directives --- interface-definitions/service_upnp.xml.in | 44 ++++++++----------------------- 1 file changed, 11 insertions(+), 33 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/service_upnp.xml.in b/interface-definitions/service_upnp.xml.in index 8d0a14d4e..7cfe1f02e 100644 --- a/interface-definitions/service_upnp.xml.in +++ b/interface-definitions/service_upnp.xml.in @@ -19,7 +19,7 @@ - WAN network interface (REQUIRE) + WAN network interface 
@@ -139,49 +139,27 @@ txt The STUN server host address - - stun.stunprotocol.org - stunprotocol - - - stun.sipgate.net - sipgate - - - stun.xten.com - xten - - - txt - other STUN Server - - - - - - The STUN server port - - txt - The STUN server port - + + + + #include - + UPnP Rule + + u32:0-65535 + Rule number + - - - Disable Rule - - - + #include Port range (REQUIRE) -- cgit v1.2.3 From b10baca3c8663e7e56eb9abfb3c03ce576c34f1f Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Thu, 3 Feb 2022 12:05:53 -0500 Subject: T4227:Bridge: Typo in completion help of hello-time option There is spelling mistake in "advertisement" of hello-time option's completion help --- interface-definitions/interfaces-bridge.xml.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index 0856615be..89a6d2303 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -59,7 +59,7 @@ - Hello packet advertisment interval + Hello packet advertisement interval u32:1-10 Spanning Tree Protocol hello advertisement interval in seconds (default 2) -- cgit v1.2.3 From 22f0794a9f195e69e277d48f031fe934febe9408 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 27 Jan 2022 16:58:36 +0100 Subject: firewall: T4209: Fix support for rule `recent` matches --- data/templates/firewall/nftables.tmpl | 22 ++++++++++++++++++++++ .../include/firewall/common-rule.xml.i | 19 +++++++++++++++---- python/vyos/firewall.py | 4 +--- src/conf_mode/firewall.py | 6 +++++- src/migration-scripts/firewall/6-to-7 | 20 ++++++++++++++++++++ 5 files changed, 63 insertions(+), 8 deletions(-) (limited to 'interface-definitions') diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl index 468a5a32f..0cc977cf9 100644 
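Review bot: The `(REQUIRE)` suffix that the previous hunk removed from `WAN network interface` is still present on `Port range (REQUIRE)` in this hunk's trailing context, so the help strings in the same file are now inconsistent; drop it there as well for the style this commit is establishing. Only the help strings survive in this rendering, so the replaced STUN nodes and the two `#include` targets cannot be checked beyond their visible text.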
--- a/data/templates/firewall/nftables.tmpl
+++ b/data/templates/firewall/nftables.tmpl
@@ -31,16 +31,27 @@ table ip filter {
 }
 {% endif %}
 {% if name is defined %}
+{% set ns = namespace(sets=[]) %}
 {% for name_text, conf in name.items() %}
 chain NAME_{{ name_text }} {
 {% if conf.rule is defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
 {{ rule_conf | nft_rule(name_text, rule_id) }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
 {% endfor %}
 {% endif %}
 {{ conf | nft_default_rule(name_text) }}
 }
 {% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT_{{ set_name }} {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
 {% endif %}
 {% if state_policy is defined %}
 chain VYOS_STATE_POLICY {
@@ -81,16 +92,27 @@ table ip6 filter {
 }
 {% endif %}
 {% if ipv6_name is defined %}
+{% set ns = namespace(sets=[]) %}
 {% for name_text, conf in ipv6_name.items() %}
 chain NAME6_{{ name_text }} {
 {% if conf.rule is defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
 {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
 {% endfor %}
 {% endif %}
 {{ conf | nft_default_rule(name_text) }}
 }
 {% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT6_{{ set_name }} {
+ type ipv6_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
 {% endif %}
 {% if state_policy is defined %}
 chain VYOS_STATE_POLICY6 {
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 521fe54f2..353804990 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i 
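Review bot: The `RECENT_*` sets emitted by the new `{% for set_name in ns.sets %}` loop are declared `flags dynamic` with `size 65535` but no `timeout`, so every source address a `recent` rule ever sees stays in the set until the ruleset is reloaded, and once 65535 addresses have been recorded further `add @RECENT...` insertions fail and, as far as I understand nft's dynamic-set semantics, the match silently stops firing for new sources. A `recent`-style match needs its entries to expire: declare the sets with `flags dynamic,timeout` and give elements a timeout (either a set-level `timeout` here or a per-element one in the add expression built by `nft_rule` in python/vyos/firewall.py). The same applies to the `RECENT6_*` sets in the second hunk. The two `size 65535` literals are unexplained magic numbers; a one-line comment on the chosen bound, or one shared Jinja variable, would help the next reader.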
@@ -146,13 +146,24 @@ - Source addresses seen in the last N seconds + Source addresses seen in the last second/minute/hour + + second minute hour + - u32:0-4294967295 - Source addresses seen in the last N seconds + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour - + ^(second|minute|hour)$ diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index c1217b420..55ce318e7 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -181,9 +181,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'recent' in rule_conf: count = rule_conf['recent']['count'] time = rule_conf['recent']['time'] - # output.append(f'meter {fw_name}_{rule_id} {{ ip saddr and 255.255.255.255 limit rate over {count}/{time} burst {count} packets }}') - # Waiting on input from nftables developers due to - # bug with above line and atomic chain flushing. + output.append(f'add @RECENT{def_suffix}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}') if 'time' in rule_conf: output.append(parse_time(rule_conf['time'])) diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 9dec2143e..41df1b84a 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -278,6 +278,7 @@ def cleanup_rule(table, jump_chain): def cleanup_commands(firewall): commands = [] + commands_end = [] for table in ['ip filter', 'ip6 filter']: state_chain = 'VYOS_STATE_POLICY' if table == 'ip filter' else 'VYOS_STATE_POLICY6' json_str = cmd(f'nft -j list table {table}') 
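Review bot: The new `output.append(f'add @RECENT{def_suffix}_{fw_name}_{rule_id} {{ ... limit rate over {count}/{time} burst {count} packets }}')` interpolates `count` and `time` from the config dict straight into nft syntax; `time` is now pinned by the `^(second|minute|hour)$` regex added in common-rule.xml.i in this commit, but `count` is only as safe as its own XML constraint, which is outside this diff, so please confirm it is a bounded numeric node. The expression carries no per-element `timeout`, so entries never expire unless the set declaration in nftables.tmpl supplies one. A short comment would help readers unfamiliar with nft meters, e.g. `# per-source meter: record saddr in this rule's RECENT set and match once its rate exceeds count/time`. `def_suffix` and `ip_name` are assigned outside the hunk.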
@@ -308,7 +309,10 @@ def cleanup_commands(firewall): chain = rule['chain'] handle = rule['handle'] commands.append(f'delete rule {table} {chain} handle {handle}') - return commands + elif 'set' in item: + set_name = item['set']['name'] + commands_end.append(f'delete set {table} {set_name}') + return commands + commands_end def generate(firewall): if not os.path.exists(nftables_conf): diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7 index efc901530..5f4cff90d 100755 --- a/src/migration-scripts/firewall/6-to-7 +++ b/src/migration-scripts/firewall/6-to-7 @@ -104,6 +104,7 @@ if config.exists(base + ['name']): continue for rule in config.list_nodes(base + ['name', name, 'rule']): + rule_recent = base + ['name', name, 'rule', rule, 'recent'] rule_time = base + ['name', name, 'rule', rule, 'time'] rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags'] rule_icmp = base + ['name', name, 'rule', rule, 'icmp'] @@ -114,6 +115,15 @@ if config.exists(base + ['name']): if config.exists(rule_time + ['utc']): config.delete(rule_time + ['utc']) + if config.exists(rule_recent + ['time']): + tmp = int(config.return_value(rule_recent + ['time'])) + unit = 'minute' + if tmp > 600: + unit = 'hour' + elif tmp < 10: + unit = 'second' + config.set(rule_recent + ['time'], value=unit) + if config.exists(rule_tcp_flags): tmp = config.return_value(rule_tcp_flags) config.delete(rule_tcp_flags) @@ -148,6 +158,7 @@ if config.exists(base + ['ipv6-name']): continue for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): + rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent'] rule_time = base + ['ipv6-name', name, 'rule', rule, 'time'] rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags'] rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6'] 
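Review bot: The new `elif 'set' in item:` branch in `cleanup_commands` queues a `delete set` for every set that `nft -j list table` reports in `ip filter`/`ip6 filter`, not only the `RECENT*` sets this commit creates, so any set another component later places in these tables would be removed on every firewall commit; scoping it with `if set_name.startswith('RECENT'):` keeps the cleanup to what this code generated. The reason the deletions go to `commands_end` rather than `commands` (presumably because nft refuses to delete a set that live rules still reference, so the rule deletions must run first) is stated nowhere; a comment on the `commands_end = []` line in the previous hunk would capture it. `cleanup_commands` begins outside this hunk.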
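Review bot: The new `recent time` migration in the `@@ -114,6 +115,15 @@` hunk maps the old numeric seconds value to a unit by fixed thresholds (`> 600` → hour, `< 10` → second, else minute) while leaving `count` untouched, so the effective rate of a rule can shift by up to roughly tenfold in either direction (a 599-second window becomes a minute, a 10-second window becomes a minute) with nothing in the migrated config to tell the operator. If exact preservation is not possible, the mapping should at least be documented in the script header and ideally scale `count` by the ratio between the old window and the chosen unit. The block is duplicated verbatim for `ipv6-name` in the `@@ -158,6 +169,15 @@` hunk on the next line; a small helper taking the rule path would remove the copy. `int(config.return_value(...))` raises on any non-numeric legacy value, so confirm the old node was numeric-only.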
@@ -158,6 +169,15 @@ if config.exists(base + ['ipv6-name']): if config.exists(rule_time + ['utc']): config.delete(rule_time + ['utc']) + if config.exists(rule_recent + ['time']): + tmp = int(config.return_value(rule_recent + ['time'])) + unit = 'minute' + if tmp > 600: + unit = 'hour' + elif tmp < 10: + unit = 'second' + config.set(rule_recent + ['time'], value=unit) + if config.exists(rule_tcp_flags): tmp = config.return_value(rule_tcp_flags) config.delete(rule_tcp_flags) -- cgit v1.2.3 From d96bab4e6da517f07133667834cd6f8bcfb5160f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 7 Feb 2022 22:27:51 +0100 Subject: xml: ssh: T4233: sync regex for allow/deny usernames to "system login" --- interface-definitions/include/ssh-user.xml.i | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/include/ssh-user.xml.i b/interface-definitions/include/ssh-user.xml.i index 677602dd8..17ba05a90 100644 --- a/interface-definitions/include/ssh-user.xml.i +++ b/interface-definitions/include/ssh-user.xml.i @@ -3,9 +3,9 @@ Allow specific users to login - [a-z_][a-z0-9_-]{1,31}[$]? + ^[-_a-zA-Z0-9.]{1,100} - illegal characters or more than 32 characters + Illegal characters or more than 100 characters -- cgit v1.2.3 From f076f9f4cf6e6b7d89eada9f5d59bacea0f3af72 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 16 Feb 2022 22:17:48 +0100 Subject: policy: T2425: add completion helper script when referencing IP addresses --- interface-definitions/policy.xml.in | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index 61c5ab90a..9767285dd 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -1113,6 +1113,9 @@ Nexthop IP address + + + ipv4 IP address 
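Review bot: The replacement pattern `^[-_a-zA-Z0-9.]{1,100}` in ssh-user.xml.i is anchored only at the start: with no trailing `$`, a 150-character name still matches on its first 100 characters unless the validator happens to full-match, so the new message `Illegal characters or more than 100 characters` promises a limit the regex may not enforce. The sibling constraints added earlier in this series (firewall.xml.in and friends) use `^...$`; `^[-_a-zA-Z0-9.]{1,100}$` would make this one consistent. Since the stated goal is to mirror `system login`, the two patterns would be better kept in one shared include than copied by hand.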
@@ -1130,6 +1133,9 @@ Nexthop IPv6 global address + + + ipv6 IPv6 address and prefix length @@ -1142,6 +1148,9 @@ Nexthop IPv6 local address + + + ipv6 IPv6 address and prefix length @@ -1268,6 +1277,9 @@ Source address for route + + + ipv4 IPv4 address -- cgit v1.2.3 From 3795fdba8edf8e81298370d6cd8d81a779ae2997 Mon Sep 17 00:00:00 2001 
From: John Estabrook Date: Wed, 16 Feb 2022 11:31:23 -0600 Subject: xml: T3474: add component version include files Add the include files containing the syntaxVersion element defining the version of the respective component; these files are included by the top level file 'xml-component-versions.xml.in'. Processing of these elements was previously added to the python xml lib in commit 40f5359d. This will replace the use of 'curver_DATA' in vyatta-cfg-system and other legacy packages. --- .../include/version/bgp-version.xml.i | 3 ++ .../include/version/broadcast-relay-version.xml.i | 3 ++ .../include/version/cluster-version.xml.i | 3 ++ .../version/config-management-version.xml.i | 3 ++ .../include/version/conntrack-sync-version.xml.i | 3 ++ .../include/version/conntrack-version.xml.i | 3 ++ .../include/version/dhcp-relay-version.xml.i | 3 ++ .../include/version/dhcp-server-version.xml.i | 3 ++ .../include/version/dhcpv6-server-version.xml.i | 3 ++ .../include/version/dns-forwarding-version.xml.i | 3 ++ .../include/version/firewall-version.xml.i | 3 ++ .../include/version/flow-accounting-version.xml.i | 3 ++ .../include/version/https-version.xml.i | 3 ++ .../include/version/interfaces-version.xml.i | 3 ++ .../include/version/ipoe-server-version.xml.i | 3 ++ .../include/version/ipsec-version.xml.i | 3 ++ .../include/version/isis-version.xml.i | 3 ++ .../include/version/l2tp-version.xml.i | 3 ++ .../include/version/lldp-version.xml.i | 3 ++ .../include/version/mdns-version.xml.i | 3 ++ .../include/version/nat-version.xml.i | 3 ++ .../include/version/nat66-version.xml.i | 3 ++ .../include/version/ntp-version.xml.i | 3 ++ .../include/version/openconnect-version.xml.i | 3 ++ .../include/version/ospf-version.xml.i | 3 ++ .../include/version/policy-version.xml.i | 3 ++ .../include/version/pppoe-server-version.xml.i | 3 ++ .../include/version/pptp-version.xml.i | 3 ++ .../include/version/qos-version.xml.i | 3 ++ .../include/version/quagga-version.xml.i | 3 ++ 
.../include/version/rpki-version.xml.i | 3 ++ .../include/version/salt-version.xml.i | 3 ++ .../include/version/snmp-version.xml.i | 3 ++ .../include/version/ssh-version.xml.i | 3 ++ .../include/version/sstp-version.xml.i | 3 ++ .../include/version/system-version.xml.i | 3 ++ .../include/version/vrf-version.xml.i | 3 ++ .../include/version/vrrp-version.xml.i | 3 ++ .../include/version/vyos-accel-ppp-version.xml.i | 3 ++ .../include/version/wanloadbalance-version.xml.i | 3 ++ .../include/version/webproxy-version.xml.i | 3 ++ interface-definitions/xml-component-version.xml.in | 44 ++++++++++++++++++++++ python/vyos/xml/__init__.py | 4 +- python/vyos/xml/definition.py | 9 +++-- 44 files changed, 174 insertions(+), 6 deletions(-) create mode 100644 interface-definitions/include/version/bgp-version.xml.i create mode 100644 interface-definitions/include/version/broadcast-relay-version.xml.i create mode 100644 interface-definitions/include/version/cluster-version.xml.i create mode 100644 interface-definitions/include/version/config-management-version.xml.i create mode 100644 interface-definitions/include/version/conntrack-sync-version.xml.i create mode 100644 interface-definitions/include/version/conntrack-version.xml.i create mode 100644 interface-definitions/include/version/dhcp-relay-version.xml.i create mode 100644 interface-definitions/include/version/dhcp-server-version.xml.i create mode 100644 interface-definitions/include/version/dhcpv6-server-version.xml.i create mode 100644 interface-definitions/include/version/dns-forwarding-version.xml.i create mode 100644 interface-definitions/include/version/firewall-version.xml.i create mode 100644 interface-definitions/include/version/flow-accounting-version.xml.i create mode 100644 interface-definitions/include/version/https-version.xml.i create mode 100644 interface-definitions/include/version/interfaces-version.xml.i create mode 100644 interface-definitions/include/version/ipoe-server-version.xml.i create mode 100644 
interface-definitions/include/version/ipsec-version.xml.i create mode 100644 interface-definitions/include/version/isis-version.xml.i create mode 100644 interface-definitions/include/version/l2tp-version.xml.i create mode 100644 interface-definitions/include/version/lldp-version.xml.i create mode 100644 interface-definitions/include/version/mdns-version.xml.i create mode 100644 interface-definitions/include/version/nat-version.xml.i create mode 100644 interface-definitions/include/version/nat66-version.xml.i create mode 100644 interface-definitions/include/version/ntp-version.xml.i create mode 100644 interface-definitions/include/version/openconnect-version.xml.i create mode 100644 interface-definitions/include/version/ospf-version.xml.i create mode 100644 interface-definitions/include/version/policy-version.xml.i create mode 100644 interface-definitions/include/version/pppoe-server-version.xml.i create mode 100644 interface-definitions/include/version/pptp-version.xml.i create mode 100644 interface-definitions/include/version/qos-version.xml.i create mode 100644 interface-definitions/include/version/quagga-version.xml.i create mode 100644 interface-definitions/include/version/rpki-version.xml.i create mode 100644 interface-definitions/include/version/salt-version.xml.i create mode 100644 interface-definitions/include/version/snmp-version.xml.i create mode 100644 interface-definitions/include/version/ssh-version.xml.i create mode 100644 interface-definitions/include/version/sstp-version.xml.i create mode 100644 interface-definitions/include/version/system-version.xml.i create mode 100644 interface-definitions/include/version/vrf-version.xml.i create mode 100644 interface-definitions/include/version/vrrp-version.xml.i create mode 100644 interface-definitions/include/version/vyos-accel-ppp-version.xml.i create mode 100644 interface-definitions/include/version/wanloadbalance-version.xml.i create mode 100644 interface-definitions/include/version/webproxy-version.xml.i 
create mode 100644 interface-definitions/xml-component-version.xml.in (limited to 'interface-definitions') diff --git a/interface-definitions/include/version/bgp-version.xml.i b/interface-definitions/include/version/bgp-version.xml.i new file mode 100644 index 000000000..15bc5abd4 --- /dev/null +++ b/interface-definitions/include/version/bgp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/broadcast-relay-version.xml.i b/interface-definitions/include/version/broadcast-relay-version.xml.i new file mode 100644 index 000000000..98481f446 --- /dev/null +++ b/interface-definitions/include/version/broadcast-relay-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/cluster-version.xml.i b/interface-definitions/include/version/cluster-version.xml.i new file mode 100644 index 000000000..621996df4 --- /dev/null +++ b/interface-definitions/include/version/cluster-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/config-management-version.xml.i b/interface-definitions/include/version/config-management-version.xml.i new file mode 100644 index 000000000..695ba09ab --- /dev/null +++ b/interface-definitions/include/version/config-management-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/conntrack-sync-version.xml.i b/interface-definitions/include/version/conntrack-sync-version.xml.i new file mode 100644 index 000000000..f040c29f6 --- /dev/null +++ b/interface-definitions/include/version/conntrack-sync-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i new file mode 100644 index 000000000..696f76362 --- /dev/null +++ b/interface-definitions/include/version/conntrack-version.xml.i @@ -0,0 +1,3 @@ + + + 
diff --git a/interface-definitions/include/version/dhcp-relay-version.xml.i b/interface-definitions/include/version/dhcp-relay-version.xml.i new file mode 100644 index 000000000..75f5d5486 --- /dev/null +++ b/interface-definitions/include/version/dhcp-relay-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/dhcp-server-version.xml.i b/interface-definitions/include/version/dhcp-server-version.xml.i new file mode 100644 index 000000000..330cb7d1b --- /dev/null +++ b/interface-definitions/include/version/dhcp-server-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/dhcpv6-server-version.xml.i b/interface-definitions/include/version/dhcpv6-server-version.xml.i new file mode 100644 index 000000000..4b2cf40aa --- /dev/null +++ b/interface-definitions/include/version/dhcpv6-server-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/dns-forwarding-version.xml.i b/interface-definitions/include/version/dns-forwarding-version.xml.i new file mode 100644 index 000000000..fe817940a --- /dev/null +++ b/interface-definitions/include/version/dns-forwarding-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i new file mode 100644 index 000000000..059a89f24 --- /dev/null +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/flow-accounting-version.xml.i b/interface-definitions/include/version/flow-accounting-version.xml.i new file mode 100644 index 000000000..5b01fe4b5 --- /dev/null +++ b/interface-definitions/include/version/flow-accounting-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/https-version.xml.i b/interface-definitions/include/version/https-version.xml.i new file mode 100644 index 000000000..586083649 --- /dev/null 
+++ b/interface-definitions/include/version/https-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/interfaces-version.xml.i b/interface-definitions/include/version/interfaces-version.xml.i new file mode 100644 index 000000000..b97971531 --- /dev/null +++ b/interface-definitions/include/version/interfaces-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/ipoe-server-version.xml.i b/interface-definitions/include/version/ipoe-server-version.xml.i new file mode 100644 index 000000000..00d2544e6 --- /dev/null +++ b/interface-definitions/include/version/ipoe-server-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/ipsec-version.xml.i b/interface-definitions/include/version/ipsec-version.xml.i new file mode 100644 index 000000000..fcdd6c702 --- /dev/null +++ b/interface-definitions/include/version/ipsec-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/isis-version.xml.i b/interface-definitions/include/version/isis-version.xml.i new file mode 100644 index 000000000..4a8fef39c --- /dev/null +++ b/interface-definitions/include/version/isis-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/l2tp-version.xml.i b/interface-definitions/include/version/l2tp-version.xml.i new file mode 100644 index 000000000..86114d676 --- /dev/null +++ b/interface-definitions/include/version/l2tp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/lldp-version.xml.i b/interface-definitions/include/version/lldp-version.xml.i new file mode 100644 index 000000000..0deb73279 --- /dev/null +++ b/interface-definitions/include/version/lldp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/mdns-version.xml.i b/interface-definitions/include/version/mdns-version.xml.i new file mode 100644 index 000000000..b200a68b4 --- /dev/null 
+++ b/interface-definitions/include/version/mdns-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/nat-version.xml.i b/interface-definitions/include/version/nat-version.xml.i new file mode 100644 index 000000000..027216a07 --- /dev/null +++ b/interface-definitions/include/version/nat-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/nat66-version.xml.i b/interface-definitions/include/version/nat66-version.xml.i new file mode 100644 index 000000000..7b7123dcc --- /dev/null +++ b/interface-definitions/include/version/nat66-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/ntp-version.xml.i b/interface-definitions/include/version/ntp-version.xml.i new file mode 100644 index 000000000..cc4ff9a1c --- /dev/null +++ b/interface-definitions/include/version/ntp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/openconnect-version.xml.i b/interface-definitions/include/version/openconnect-version.xml.i new file mode 100644 index 000000000..d7d35b321 --- /dev/null +++ b/interface-definitions/include/version/openconnect-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/ospf-version.xml.i b/interface-definitions/include/version/ospf-version.xml.i new file mode 100644 index 000000000..755965daa --- /dev/null +++ b/interface-definitions/include/version/ospf-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/policy-version.xml.i b/interface-definitions/include/version/policy-version.xml.i new file mode 100644 index 000000000..6d0c80518 --- /dev/null +++ b/interface-definitions/include/version/policy-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/pppoe-server-version.xml.i b/interface-definitions/include/version/pppoe-server-version.xml.i new file mode 100644 index 000000000..ec81487f8 --- /dev/null 
+++ b/interface-definitions/include/version/pppoe-server-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/pptp-version.xml.i b/interface-definitions/include/version/pptp-version.xml.i new file mode 100644 index 000000000..0296c44e9 --- /dev/null +++ b/interface-definitions/include/version/pptp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/qos-version.xml.i b/interface-definitions/include/version/qos-version.xml.i new file mode 100644 index 000000000..e4d139349 --- /dev/null +++ b/interface-definitions/include/version/qos-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/quagga-version.xml.i b/interface-definitions/include/version/quagga-version.xml.i new file mode 100644 index 000000000..bb8ad7f82 --- /dev/null +++ b/interface-definitions/include/version/quagga-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/rpki-version.xml.i b/interface-definitions/include/version/rpki-version.xml.i new file mode 100644 index 000000000..2fff259a8 --- /dev/null +++ b/interface-definitions/include/version/rpki-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/salt-version.xml.i b/interface-definitions/include/version/salt-version.xml.i new file mode 100644 index 000000000..fe4684050 --- /dev/null +++ b/interface-definitions/include/version/salt-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/snmp-version.xml.i b/interface-definitions/include/version/snmp-version.xml.i new file mode 100644 index 000000000..0416288f0 --- /dev/null +++ b/interface-definitions/include/version/snmp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/ssh-version.xml.i b/interface-definitions/include/version/ssh-version.xml.i new file mode 100644 index 000000000..0f25caf98 --- /dev/null 
+++ b/interface-definitions/include/version/ssh-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/sstp-version.xml.i b/interface-definitions/include/version/sstp-version.xml.i new file mode 100644 index 000000000..79b43a3e7 --- /dev/null +++ b/interface-definitions/include/version/sstp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/system-version.xml.i b/interface-definitions/include/version/system-version.xml.i new file mode 100644 index 000000000..fb4629bf1 --- /dev/null +++ b/interface-definitions/include/version/system-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/vrf-version.xml.i b/interface-definitions/include/version/vrf-version.xml.i new file mode 100644 index 000000000..9d7ff35fe --- /dev/null +++ b/interface-definitions/include/version/vrf-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/vrrp-version.xml.i b/interface-definitions/include/version/vrrp-version.xml.i new file mode 100644 index 000000000..626dd6cbc --- /dev/null +++ b/interface-definitions/include/version/vrrp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/vyos-accel-ppp-version.xml.i b/interface-definitions/include/version/vyos-accel-ppp-version.xml.i new file mode 100644 index 000000000..e5a4e1613 --- /dev/null +++ b/interface-definitions/include/version/vyos-accel-ppp-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/wanloadbalance-version.xml.i b/interface-definitions/include/version/wanloadbalance-version.xml.i new file mode 100644 index 000000000..59f8729cc --- /dev/null +++ b/interface-definitions/include/version/wanloadbalance-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/include/version/webproxy-version.xml.i b/interface-definitions/include/version/webproxy-version.xml.i new file mode 100644 index 000000000..42dbf3f8b 
--- /dev/null +++ b/interface-definitions/include/version/webproxy-version.xml.i @@ -0,0 +1,3 @@ + + + diff --git a/interface-definitions/xml-component-version.xml.in b/interface-definitions/xml-component-version.xml.in new file mode 100644 index 000000000..b7f063a6c --- /dev/null +++ b/interface-definitions/xml-component-version.xml.in @@ -0,0 +1,44 @@ + + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + diff --git a/python/vyos/xml/__init__.py b/python/vyos/xml/__init__.py index e0eacb2d1..6db446a40 100644 --- a/python/vyos/xml/__init__.py +++ b/python/vyos/xml/__init__.py @@ -46,8 +46,8 @@ def is_tag(lpath): def is_leaf(lpath, flat=True): return load_configuration().is_leaf(lpath, flat) -def component_versions(): - return load_configuration().component_versions() +def component_version(): + return load_configuration().component_version() def defaults(lpath, flat=False): return load_configuration().defaults(lpath, flat) diff --git a/python/vyos/xml/definition.py b/python/vyos/xml/definition.py index 5e0d5282c..bc3892b42 100644 --- a/python/vyos/xml/definition.py +++ b/python/vyos/xml/definition.py 
@@ -249,10 +249,11 @@ class XML(dict): # @lru_cache(maxsize=100) # XXX: need to use cachetool instead - for later - def component_versions(self) -> dict: - sort_component = sorted(self[kw.component_version].items(), - key = lambda kv: kv[0]) - return dict(sort_component) + def component_version(self) -> dict: + d = {} + for k in sorted(self[kw.component_version]): + d[k] = int(self[kw.component_version][k]) + return d def defaults(self, lpath, flat): d = self[kw.default] -- cgit v1.2.3 From f6c2b5e4762e7713c5868bebf8e482ce732e3302 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 17 Feb 2022 21:18:37 +0000 Subject: vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options Ability to set Cisco FlexVPN vendor ID payload: charon.cisco_flexvpn charon.install_virtual_ip_on swanctl.connections..vips = x.x.x.x, z.z.z.z set vpn ipsec options flexvpn set vpn ipsec options virtual-ip set vpn ipsec options interface tunX set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x --- data/templates/ipsec/charon.tmpl | 11 +++++ data/templates/ipsec/swanctl/peer.tmpl | 3 ++ interface-definitions/vpn_ipsec.xml.in | 27 +++++++++++++ smoketest/scripts/cli/test_vpn_ipsec.py | 71 +++++++++++++++++++++++++++++++++ 4 files changed, 112 insertions(+) (limited to 'interface-definitions') diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.tmpl index 4d710921e..b9b020dcd 100644 --- a/data/templates/ipsec/charon.tmpl +++ b/data/templates/ipsec/charon.tmpl 
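Review bot: The rewritten component_version() wraps every value in int(), so a non-numeric entry in the component-version table now raises an uncaught ValueError where the old code returned it unchanged; if the values are guaranteed numeric by the XML that feeds this dict, a one-line comment on the loop saying so would spare the next reader the question. The loop itself is a dict comprehension in disguise: `return {k: int(v) for k, v in sorted(self[kw.component_version].items())}`. The enclosing class XML continues outside the hunk.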
@@ -20,6 +20,17 @@ charon { # Send Cisco Unity vendor ID payload (IKEv1 only). # cisco_unity = no + # Cisco FlexVPN +{% if options is defined %} + cisco_flexvpn = {{ 'yes' if options.flexvpn is defined else 'no' }} +{% if options.virtual_ip is defined %} + install_virtual_ip = yes +{% endif %} +{% if options.interface is defined and options.interface is not none %} + install_virtual_ip_on = {{ options.interface }} +{% endif %} +{% endif %} + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. # close_ike_on_child_failure = no diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index c6b71f2a1..f4e28d818 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -5,6 +5,9 @@ peer_{{ name }} { proposals = {{ ike | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} +{% if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %} + vips = {{ peer_conf.virtual_address | join(', ') }} +{% endif %} local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} {% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index afa3d52a0..f7297a6e2 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -622,6 +622,19 @@ + + + Allow FlexVPN vendor ID payload (IKEv2 only) + + + + #include + + + Allow install virtual-ip addresses + + + 
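Review bot: `install_virtual_ip = yes` is only emitted when options.virtual_ip is set, so leaving the CLI knob unset falls back to charon's built-in default, which as far as I recall is already yes; the new option can then never turn virtual-IP installation off. Rendering both states explicitly makes the CLI authoritative and matches how cisco_flexvpn is rendered two lines above: `install_virtual_ip = {{ 'yes' if options.virtual_ip is defined else 'no' }}`. The vips line added to peer.tmpl in the next hunk is fine as it stands.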
@@ -1087,6 +1100,20 @@ + + + Initiator request virtual-address from peer + + ipv4 + Request IPv4 address from peer + + + ipv6 + Request IPv6 address from peer + + + + Virtual tunnel interface [REQUIRED] diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 1433c7329..2c3e55a57 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -28,6 +28,7 @@ vti_path = ['interfaces', 'vti'] nhrp_path = ['protocols', 'nhrp'] base_path = ['vpn', 'ipsec'] +charon_file = '/etc/strongswan.d/charon.conf' dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting' swanctl_file = '/etc/swanctl/swanctl.conf' 
@@ -416,5 +417,75 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): # There is only one VTI test so no need to delete this globally in tearDown() self.cli_delete(vti_path) + + def test_06_flex_vpn_vips(self): + local_address = '192.0.2.5' + local_id = 'vyos-r1' + remote_id = 'vyos-r2' + peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + + self.cli_set(tunnel_path + ['tun1', 'encapsulation', 'gre']) + self.cli_set(tunnel_path + ['tun1', 'source-address', local_address]) + + self.cli_set(base_path + ['interface', interface]) + self.cli_set(base_path + ['options', 'flexvpn']) + self.cli_set(base_path + ['options', 'interface', 'tun1']) + self.cli_set(base_path + ['ike-group', ike_group, 'ikev2-reauth', 'no']) + self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) + + self.cli_set(peer_base_path + ['authentication', 'id', local_id]) + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) + self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) + self.cli_set(peer_base_path + ['authentication', 'remote-id', remote_id]) + self.cli_set(peer_base_path + ['connection-type', 'initiate']) + self.cli_set(peer_base_path + ['ike-group', ike_group]) + self.cli_set(peer_base_path + ['default-esp-group', esp_group]) + self.cli_set(peer_base_path + ['local-address', local_address]) + self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'gre']) + + self.cli_set(peer_base_path + ['virtual-address', '203.0.113.55']) + self.cli_set(peer_base_path + ['virtual-address', '203.0.113.56']) + + self.cli_commit() + + # Verify strongSwan configuration + swanctl_conf = read_file(swanctl_file) + swanctl_conf_lines = [ + f'version = 2', + f'vips = 203.0.113.55, 203.0.113.56', + f'life_time = 3600s', # default value + f'local_addrs = {local_address} # dhcp:no', + f'remote_addrs = {peer_ip}', + f'peer_{peer_ip.replace(".","-")}_tunnel_1', + f'mode = tunnel', + ] + + for line in swanctl_conf_lines: + 
self.assertIn(line, swanctl_conf) + + swanctl_secrets_lines = [ + f'id-local = {local_address} # dhcp:no', + f'id-remote = {peer_ip}', + f'id-localid = {local_id}', + f'id-remoteid = {remote_id}', + f'secret = "{secret}"', + ] + + for line in swanctl_secrets_lines: + self.assertIn(line, swanctl_conf) + + # Verify charon configuration + charon_conf = read_file(charon_file) + charon_conf_lines = [ + f'# Cisco FlexVPN', + f'cisco_flexvpn = yes', + f'install_virtual_ip = yes', + f'install_virtual_ip_on = tun1', + ] + + for line in charon_conf_lines: + self.assertIn(line, charon_conf) + + if __name__ == '__main__': unittest.main(verbosity=2) -- cgit v1.2.3 From cf36ced75094a519682875e0e73571824f34b6ec Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Sat, 19 Feb 2022 18:06:27 +0000 Subject: containers: T4249: Allow to connect host device to the container Ability to attach host devices to the container It can be disk, USB device or any device from the directory /dev set container name alp01 device disk source '/dev/vdb1' set container name alp01 device disk destination '/dev/mydisk' --- interface-definitions/containers.xml.in | 25 +++++++++++++++++++++++++ src/conf_mode/containers.py | 22 +++++++++++++++++++++- 2 files changed, 46 insertions(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/containers.xml.in b/interface-definitions/containers.xml.in index 30c7110b8..07686b16e 100644 --- a/interface-definitions/containers.xml.in +++ b/interface-definitions/containers.xml.in @@ -58,6 +58,31 @@ #include + + + Add a host device to the container + + + + + Source device (Example: "/dev/x") + + txt + Source device + + + + + + Destination container device (Example: "/dev/x") + + txt + Destination container device + + + + + #include diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py index 26c50cab6..516671844 100755 --- a/src/conf_mode/containers.py +++ b/src/conf_mode/containers.py 
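Review bot: test_06_flex_vpn_vips asserts `install_virtual_ip = yes` in charon.conf but never sets `options virtual-ip`, and the template in this commit only renders that key when the option is set; since assertIn is a substring match, the assertion presumably passes against the shipped commented-out default line rather than against the new code path. Add `self.cli_set(base_path + ['options', 'virtual-ip'])` next to the flexvpn line so the check is meaningful, and consider matching the line with its leading indentation so a `# ` prefix cannot satisfy it. The expected-line lists also use f-strings with no placeholders (`f'version = 2'`, `f'mode = tunnel'`), which can be plain strings. The test method starts in the previous hunk line.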
@@ -122,6 +122,18 @@ def verify(container): raise ConfigError(f'IP address "{address}" can not be used for a container, '\ 'reserved for the container engine!') + if 'device' in container_config: + for dev, dev_config in container_config['device'].items(): + if 'source' not in dev_config: + raise ConfigError(f'Device "{dev}" has no source path configured!') + + if 'destination' not in dev_config: + raise ConfigError(f'Device "{dev}" has no destination path configured!') + + source = dev_config['source'] + if not os.path.exists(source): + raise ConfigError(f'Device "{dev}" source path "{source}" does not exist!') + if 'environment' in container_config: for var, cfg in container_config['environment'].items(): if 'value' not in cfg: @@ -266,6 +278,14 @@ def apply(container): c = c.replace('-', '_') cap_add += f' --cap-add={c}' + # Add a host device to the container /dev/x:/dev/x + device = '' + if 'device' in container_config: + for dev, dev_config in container_config['device'].items(): + source_dev = dev_config['source'] + dest_dev = dev_config['destination'] + device += f' --device={source_dev}:{dest_dev}' + # Check/set environment options "-e foo=bar" env_opt = '' if 'environment' in container_config: @@ -296,7 +316,7 @@ def apply(container): container_base_cmd = f'podman run --detach --interactive --tty --replace {cap_add} ' \ f'--memory {memory}m --memory-swap 0 --restart {restart} ' \ - f'--name {name} {port} {volume} {env_opt}' + f'--name {name} {device} {port} {volume} {env_opt}' if 'allow_host_networks' in container_config: run(f'{container_base_cmd} --net host {image}') else: -- cgit v1.2.3 From b693f929b63c0c847d9a3c6ee9160845ef501be1 Mon Sep 17 00:00:00 2001 
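Review bot: verify() only checks that the device source exists, so any path, including a regular file or a directory, is accepted and then handed to `podman run --device` by the two apply() hunks, where both values are interpolated unquoted into the shell command string; the CLI help describes the source as a host device node, and verify() is where that should be enforced. With `stat` imported: `mode = os.stat(source).st_mode` / `if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):` / `raise ConfigError(f'Device "{dev}" source path "{source}" is not a device node!')`. Requiring both paths to be absolute via `os.path.isabs()` would additionally reject values containing a colon or whitespace before they reach the `--device={source_dev}:{dest_dev}` argument. The XML constraints for these nodes are not visible in this rendering, so part of this may already be enforced at the CLI.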
From: Christian Poessinger Date: Sun, 20 Feb 2022 10:40:38 +0100 Subject: static: T4203: obey interface dhcp default route distance Commit 05aa22dc ("protocols: static: T3680: do not delete DHCP received routes") added a bug whenever a static route is modified - the DHCP interface will always end up with metric 210 - if there was a default route over a DHCP interface. --- data/templates/frr/staticd.frr.tmpl | 4 +- .../include/interface/dhcp-options.xml.i | 3 +- python/vyos/configdict.py | 54 ++++++++++++++++++---- 3 files changed, 48 insertions(+), 13 deletions(-) (limited to 'interface-definitions') diff --git a/data/templates/frr/staticd.frr.tmpl b/data/templates/frr/staticd.frr.tmpl index bfe959c1d..5d833228a 100644 --- a/data/templates/frr/staticd.frr.tmpl +++ b/data/templates/frr/staticd.frr.tmpl @@ -17,10 +17,10 @@ vrf {{ vrf }} {% endif %} {# IPv4 default routes from DHCP interfaces #} {% if dhcp is defined and dhcp is not none %} -{% for interface in dhcp %} +{% for interface, interface_config in dhcp.items() %} {% set next_hop = interface | get_dhcp_router %} {% if next_hop is defined and next_hop is not none %} -{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 210 +{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.distance }} {% endif %} {% endfor %} {% endif %} diff --git a/interface-definitions/include/interface/dhcp-options.xml.i b/interface-definitions/include/interface/dhcp-options.xml.i index b65b0802a..f62b06640 100644 --- a/interface-definitions/include/interface/dhcp-options.xml.i +++ b/interface-definitions/include/interface/dhcp-options.xml.i @@ -30,12 +30,13 @@ Distance for the default route from DHCP server u32:1-255 - Distance for the default route from DHCP server (default 210) + Distance for the default route from DHCP server (default: 210) + 210 diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index efeb6dc1f..f2ec93520 100644 --- a/python/vyos/configdict.py 
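Review bot: `{{ interface_config.distance }}` renders as an empty string when the key is missing, leaving an FRR line that ends in `tag 210 ` and will be rejected by staticd; get_dhcp_interfaces() in this commit only adds `distance` when `dhcp_options.default_route_distance` is present, so correctness rests on get_interface_dict() blending in the new XML default. A guard keeps the rendered config valid either way: `tag 210 {{ interface_config.distance if interface_config.distance is defined else '210' }}`, or alternatively skip the route when the key is absent, as the surrounding `is defined and is not none` checks already do for next_hop.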
+++ b/python/vyos/configdict.py 
@@ -319,34 +319,42 @@ def is_source_interface(conf, interface, intftype=None): def get_dhcp_interfaces(conf, vrf=None): """ Common helper functions to retrieve all interfaces from current CLI sessions that have DHCP configured. """ - dhcp_interfaces = [] + dhcp_interfaces = {} dict = conf.get_config_dict(['interfaces'], get_first_key=True) if not dict: return dhcp_interfaces def check_dhcp(config, ifname): - out = [] + tmp = {} if 'address' in config and 'dhcp' in config['address']: + options = {} + if 'dhcp_options' in config and 'default_route_distance' in config['dhcp_options']: + options.update({'distance' : config['dhcp_options']['default_route_distance']}) if 'vrf' in config: - if vrf is config['vrf']: out.append(ifname) - else: out.append(ifname) - return out + if vrf is config['vrf']: tmp.update({ifname : options}) + else: tmp.update({ifname : options}) + return tmp for section, interface in dict.items(): - for ifname, ifconfig in interface.items(): + for ifname in interface: + # we already have a dict representation of the config from get_config_dict(), + # but with the extended information from get_interface_dict() we also + # get the DHCP client default-route-distance default option if not specified. 
+ ifconfig = get_interface_dict(conf, ['interfaces', section], ifname) + tmp = check_dhcp(ifconfig, ifname) - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) # check per VLAN interfaces for vif, vif_config in ifconfig.get('vif', {}).items(): tmp = check_dhcp(vif_config, f'{ifname}.{vif}') - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) # check QinQ VLAN interfaces for vif_s, vif_s_config in ifconfig.get('vif-s', {}).items(): tmp = check_dhcp(vif_s_config, f'{ifname}.{vif_s}') - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) for vif_c, vif_c_config in vif_s_config.get('vif-c', {}).items(): tmp = check_dhcp(vif_c_config, f'{ifname}.{vif_s}.{vif_c}') - dhcp_interfaces.extend(tmp) + dhcp_interfaces.update(tmp) return dhcp_interfaces @@ -405,6 +413,12 @@ def get_interface_dict(config, base, ifname=''): if 'deleted' not in dict: dict = dict_merge(default_values, dict) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict or 'dhcp' not in dict['address']: + if 'dhcp_options' in dict: + del dict['dhcp_options'] + # XXX: T2665: blend in proper DHCPv6-PD default values dict = T2665_set_dhcpv6pd_defaults(dict) @@ -475,6 +489,12 @@ def get_interface_dict(config, base, ifname=''): # XXX: T2665: blend in proper DHCPv6-PD default values dict['vif'][vif] = T2665_set_dhcpv6pd_defaults(dict['vif'][vif]) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict['vif'][vif] or 'dhcp' not in dict['vif'][vif]['address']: + if 'dhcp_options' in dict['vif'][vif]: + del dict['vif'][vif]['dhcp_options'] + # Check if we are a member of a bridge device bridge = is_member(config, f'{ifname}.{vif}', 'bridge') if bridge: dict['vif'][vif].update({'is_bridge_member' : bridge}) 
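Review bot: The rewritten VRF branch still compares strings by identity, `if vrf is config['vrf']:`, which is only true when both names happen to be the same object; for a VRF name supplied by a caller this will normally be False and the interface is silently dropped from the result. Use equality: `if vrf == config['vrf']: tmp.update({ifname : options})`. Separately, `options` stays empty when `dhcp_options` carries no `default_route_distance`, while the staticd template in this commit reads `interface_config.distance` unconditionally; if get_interface_dict() is relied on to blend that default in, a comment on the `options = {}` line saying so would help.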
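Review bot: The dhcp_options pruning block added in this hunk is repeated with only the dict path varying in the hunk that follows and in the two hunks at @@ -509 and @@ -543 further down, which invites the four copies to drift. A small helper keeps them identical, e.g. `def _prune_dhcp_options(cfg):` / `if 'dhcp_options' in cfg and 'dhcp' not in cfg.get('address', []):` / `del cfg['dhcp_options']`, called as `_prune_dhcp_options(dict['vif'][vif])` at each site; note that `'address' not in d or 'dhcp' not in d['address']` collapses to `'dhcp' not in d.get('address', [])`. get_interface_dict() starts and ends outside these hunks.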
@@ -509,6 +529,13 @@ def get_interface_dict(config, base, ifname=''): # XXX: T2665: blend in proper DHCPv6-PD default values dict['vif_s'][vif_s] = T2665_set_dhcpv6pd_defaults(dict['vif_s'][vif_s]) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict['vif_s'][vif_s] or 'dhcp' not in \ + dict['vif_s'][vif_s]['address']: + if 'dhcp_options' in dict['vif_s'][vif_s]: + del dict['vif_s'][vif_s]['dhcp_options'] + # Check if we are a member of a bridge device bridge = is_member(config, f'{ifname}.{vif_s}', 'bridge') if bridge: dict['vif_s'][vif_s].update({'is_bridge_member' : bridge}) @@ -543,6 +570,13 @@ def get_interface_dict(config, base, ifname=''): dict['vif_s'][vif_s]['vif_c'][vif_c] = T2665_set_dhcpv6pd_defaults( dict['vif_s'][vif_s]['vif_c'][vif_c]) + # If interface does not request an IPv4 DHCP address there is no need + # to keep the dhcp-options key + if 'address' not in dict['vif_s'][vif_s]['vif_c'][vif_c] or 'dhcp' \ + not in dict['vif_s'][vif_s]['vif_c'][vif_c]['address']: + if 'dhcp_options' in dict['vif_s'][vif_s]['vif_c'][vif_c]: + del dict['vif_s'][vif_s]['vif_c'][vif_c]['dhcp_options'] + # Check if we are a member of a bridge device bridge = is_member(config, f'{ifname}.{vif_s}.{vif_c}', 'bridge') if bridge: dict['vif_s'][vif_s]['vif_c'][vif_c].update( -- cgit v1.2.3 From 6bf5a0b0dd489a480dce6030e1c61d29e77fa107 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Sun, 20 Feb 2022 18:30:44 +0000 Subject: ipsec: T1856: Ability to set SA life bytes and packets set vpn ipsec esp-group grp-ESP life-bytes '100000' set vpn ipsec esp-group grp-ESP life-packets '2000000' --- data/templates/ipsec/swanctl/peer.tmpl | 12 ++++++++++++ interface-definitions/vpn_ipsec.xml.in | 24 ++++++++++++++++++++++++ smoketest/scripts/cli/test_vpn_ipsec.py | 7 +++++++ 3 files changed, 43 insertions(+) (limited to 'interface-definitions') 
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index c6b71f2a1..481ea7224 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -57,6 +57,12 @@ {% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %} peer_{{ name }}_vti { esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if vti_esp.life_bytes is defined and vti_esp.life_bytes is not none %} + life_bytes = {{ vti_esp.life_bytes }} +{% endif %} +{% if vti_esp.life_packets is defined and vti_esp.life_packets is not none %} + life_packets = {{ vti_esp.life_packets }} +{% endif %} life_time = {{ vti_esp.lifetime }}s local_ts = 0.0.0.0/0,::/0 remote_ts = 0.0.0.0/0,::/0 @@ -91,6 +97,12 @@ {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} peer_{{ name }}_tunnel_{{ tunnel_id }} { esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if tunnel_esp.life_bytes is defined and tunnel_esp.life_bytes is not none %} + life_bytes = {{ tunnel_esp.life_bytes }} +{% endif %} +{% if tunnel_esp.life_packets is defined and tunnel_esp.life_packets is not none %} + life_packets = {{ tunnel_esp.life_packets }} +{% endif %} life_time = {{ tunnel_esp.lifetime }}s {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} {% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index afa3d52a0..af92eec31 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -55,6 +55,30 @@ 3600 + + + ESP life in bytes + + u32:1024-26843545600000 + ESP life in bytes + + + + + + + + + ESP life in packets + + u32:1000-26843545600000 + ESP life in packets + + + + + + ESP mode 
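Review bot: The value help for the new life-bytes and life-packets nodes is labelled `u32:` but its upper bound 26843545600000 does not fit in 32 bits, so either the label or the range is wrong and the CLI help will mislead the operator. The validator element is stripped in this rendering, so I cannot tell which range is actually enforced; whichever it is, the `u32:` prefix should only be used when the bound really is a 32-bit value.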
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 1433c7329..14079c905 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -171,8 +171,13 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): # Site to site local_address = '192.0.2.10' priority = '20' + life_bytes = '100000' + life_packets = '2000000' peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + self.cli_set(base_path + ['esp-group', esp_group, 'life-bytes', life_bytes]) + self.cli_set(base_path + ['esp-group', esp_group, 'life-packets', life_packets]) + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) self.cli_set(peer_base_path + ['ike-group', ike_group]) @@ -197,6 +202,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): swanctl_conf_lines = [ f'version = 2', f'auth = psk', + f'life_bytes = {life_bytes}', + f'life_packets = {life_packets}', f'rekey_time = 28800s', # default value f'proposals = aes128-sha1-modp1024', f'esp_proposals = aes128-sha1-modp1024', -- cgit v1.2.3 From 529af7898d062b42ac33e15bfdc62c14184e098f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 20 Feb 2022 20:18:02 +0100 Subject: macsec: T4261: add dhcp client support --- interface-definitions/interfaces-macsec.xml.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index d69a093af..598935e51 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -16,7 +16,9 @@ - #include + #include + #include + #include #include #include #include -- cgit v1.2.3 From 4ec6262629393bd8a88951970c367a5cc3d57a42 Mon Sep 17 00:00:00 2001 
From: Viacheslav Hletenko Date: Sun, 20 Feb 2022 20:32:06 +0000 Subject: ipsec: T3948: Add CLI site-to-site peer connection-type none set vpn ipsec site-to-site peer 192.0.2.14 connection-type none --- data/templates/ipsec/swanctl/peer.tmpl | 4 ++++ interface-definitions/vpn_ipsec.xml.in | 8 ++++++-- smoketest/scripts/cli/test_vpn_ipsec.py | 2 ++ 3 files changed, 12 insertions(+), 2 deletions(-) (limited to 'interface-definitions') diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index f4e28d818..673dc3375 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -77,6 +77,8 @@ start_action = start {% elif peer_conf.connection_type == 'respond' %} start_action = trap +{% elif peer_conf.connection_type == 'none' %} + start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} @@ -119,6 +121,8 @@ start_action = start {% elif peer_conf.connection_type == 'respond' %} start_action = trap +{% elif peer_conf.connection_type == 'none' %} + start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index f7297a6e2..7b5074112 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -978,7 +978,7 @@ Connection type - initiate respond + initiate respond none initiate @@ -988,8 +988,12 @@ respond Bring the connection up only if traffic is detected + + none + Load the connection only + - ^(initiate|respond)$ + ^(initiate|respond|none)$ diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 2c3e55a57..699d854bb 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py 
@@ -238,6 +238,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) + self.cli_set(peer_base_path + ['connection-type', 'none']) self.cli_set(peer_base_path + ['ike-group', ike_group]) self.cli_set(peer_base_path + ['default-esp-group', esp_group]) self.cli_set(peer_base_path + ['local-address', local_address]) @@ -266,6 +267,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'mode = tunnel', f'local_ts = 172.16.10.0/24,172.16.11.0/24', f'remote_ts = 172.17.10.0/24,172.17.11.0/24', + f'start_action = none', f'if_id_in = {if_id}', # will be 11 for vti10 - shifted by one f'if_id_out = {if_id}', f'updown = "/etc/ipsec.d/vti-up-down {vti}"' -- cgit v1.2.3 From 0ecddff7cffa8900d351d5c15e32420f9d780c0b Mon Sep 17 00:00:00 2001 From: Andreas Date: Wed, 29 Dec 2021 18:02:06 +0100 Subject: vxlan: T4120: add ability to set multiple remotes (PR #1127) VXLAN does support using multiple remotes but VyOS does not. Add the ability to set multiple remotes and add their flood lists using "bridge" command. --- .../include/interface/tunnel-remote.xml.i | 2 +- .../include/interface/tunnel-remotes.xml.i | 19 ++++++++++++ interface-definitions/interfaces-vxlan.xml.in | 2 +- python/vyos/ifconfig/vxlan.py | 7 +++++ smoketest/scripts/cli/test_interfaces_vxlan.py | 2 ++ src/conf_mode/interfaces-vxlan.py | 34 ++++++++++++++++++++++ 6 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 interface-definitions/include/interface/tunnel-remotes.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/interface/tunnel-remote.xml.i b/interface-definitions/include/interface/tunnel-remote.xml.i index 1ba9b0382..2a8891b85 100644 --- a/interface-definitions/include/interface/tunnel-remote.xml.i 
+++ b/interface-definitions/include/interface/tunnel-remote.xml.i @@ -1,4 +1,4 @@ - + Tunnel remote address diff --git a/interface-definitions/include/interface/tunnel-remotes.xml.i b/interface-definitions/include/interface/tunnel-remotes.xml.i new file mode 100644 index 000000000..ae8481898 --- /dev/null +++ b/interface-definitions/include/interface/tunnel-remotes.xml.i @@ -0,0 +1,19 @@ + + + + Tunnel remote address + + ipv4 + Tunnel remote IPv4 address + + + ipv6 + Tunnel remote IPv6 address + + + + + + + + diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 4c3c3ac71..559067ea5 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -98,7 +98,7 @@ #include #include - #include + #include #include #include diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py index 0c5282db4..87b5e40b8 100644 --- a/python/vyos/ifconfig/vxlan.py +++ b/python/vyos/ifconfig/vxlan.py @@ -82,3 +82,10 @@ class VXLANIf(Interface): self._cmd(cmd.format(**self.config)) # interface is always A/D down. It needs to be enabled explicitly self.set_admin_state('down') + + other_remotes = self.config.get('other_remotes') + if other_remotes: + for rem in other_remotes: + self.config['rem'] = rem + cmd2 = 'bridge fdb append to 00:00:00:00:00:00 dst {rem} port {port} dev {ifname}' + self._cmd(cmd2.format(**self.config)) diff --git a/smoketest/scripts/cli/test_interfaces_vxlan.py b/smoketest/scripts/cli/test_interfaces_vxlan.py index 9278adadd..12fc463ba 100755 --- a/smoketest/scripts/cli/test_interfaces_vxlan.py +++ b/smoketest/scripts/cli/test_interfaces_vxlan.py 
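Review bot: The new loop in VXLANIf only ever runs `bridge fdb append`, so a remote that is later removed from the configuration keeps its all-zero flood entry until the interface is recreated, and the loop also leaves a stray `rem` key in self.config when it finishes. Unless the update path recreates the interface on any change (not visible here), the flood list should be reconciled, for example by deleting the existing `00:00:00:00:00:00` entries for the device before appending the configured ones. Passing the remote as an explicit format argument, `self._cmd(cmd2.format(rem=rem, **self.config))`, avoids mutating the shared dict. The enclosing method starts outside the hunk.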
@@ -33,6 +33,8 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase): 'vxlan10': ['vni 10', 'remote 127.0.0.2'], 'vxlan20': ['vni 20', 'group 239.1.1.1', 'source-interface eth0'], 'vxlan30': ['vni 30', 'remote 2001:db8:2000::1', 'source-address 2001:db8:1000::1', 'parameters ipv6 flowlabel 0x1000'], + 'vxlan40': ['vni 40', 'remote 127.0.0.2', 'remote 127.0.0.3'], + 'vxlan50': ['vni 50', 'remote 2001:db8:2000::1', 'remote 2001:db8:2000::2', 'parameters ipv6 flowlabel 0x1000'], } cls._interfaces = list(cls._options) # call base-classes classmethod diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 1f097c4e3..092f249df 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -58,6 +58,13 @@ def get_config(config=None): if len(vxlan['other_tunnels']) == 0: del vxlan['other_tunnels'] + # leave first remote in dict and put the other ones (if they exists) to "other_remotes" + remotes = vxlan.get('remote') + if remotes: + vxlan['remote'] = remotes[0] + if len(remotes) > 1: + del remotes[0] + vxlan['other_remotes'] = remotes return vxlan def verify(vxlan): 
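Review bot: The remote-splitting block in get_config() mutates the list it just took from the dict and tests its length twice; sequence unpacking says the same thing in three lines: `first, *others = remotes` / `vxlan['remote'] = first` / `if others: vxlan['other_remotes'] = others`. The comment above it reads `if they exists`; `if they exist`. get_config() starts outside the hunk.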
@@ -108,6 +115,33 @@ def verify(vxlan):
 raise ConfigError(f'Underlaying device MTU is to small ({lower_mtu} '\
 f'bytes) for VXLAN overhead ({vxlan_overhead} bytes!)')
+ # Check for mixed IPv4 and IPv6 addresses
+ protocol = None
+ if 'source_address' in vxlan:
+ if is_ipv6(vxlan['source_address']):
+ protocol = 'ipv6'
+ else:
+ protocol = 'ipv4'
+ if 'remote' in vxlan:
+ if is_ipv6(vxlan['remote']):
+ if protocol == 'ipv4':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv6'
+ else:
+ if protocol == 'ipv6':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv4'
+ if 'other_remotes' in vxlan:
+ for rem in vxlan['other_remotes']:
+ if is_ipv6(rem):
+ if protocol == 'ipv4':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv6'
+ else:
+ if protocol == 'ipv6':
+ raise ConfigError('IPv4 and IPV6 cannot be mixed')
+ protocol = 'ipv4'
+
 verify_mtu_ipv6(vxlan)
 verify_address(vxlan)
 return None
-- cgit v1.2.3 From d418cd36027aef5993122ec62419e8c66fe7a1ed Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 20 Feb 2022 22:06:49 +0100 Subject: vxlan: T4120: rename tunnel-remotes.xml.i -> tunnel-remote-multi.xml.i --- .../include/interface/tunnel-remote-multi.xml.i | 19 +++++++++++++++++++ .../include/interface/tunnel-remotes.xml.i | 19 ------------------- interface-definitions/interfaces-vxlan.xml.in | 2 +- 3 files changed, 20 insertions(+), 20 deletions(-) create mode 100644 interface-definitions/include/interface/tunnel-remote-multi.xml.i delete mode 100644 interface-definitions/include/interface/tunnel-remotes.xml.i (limited to 'interface-definitions')
diff --git a/interface-definitions/include/interface/tunnel-remote-multi.xml.i b/interface-definitions/include/interface/tunnel-remote-multi.xml.i
new file mode 100644
index 000000000..f672087a4
--- /dev/null
+++ b/interface-definitions/include/interface/tunnel-remote-multi.xml.i
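Review bot: The address-family check repeats the same if/else ladder three times and threads a `protocol` string through it; collecting the addresses and comparing their families once is a fifth of the code and makes covering a further address node (the multicast group address, if it is held in this dict, is not checked today) a one-token change. The error string is kept as is; verify() starts outside the hunk.
```python
    # Check for mixed IPv4 and IPv6 addresses
    addresses = [vxlan[k] for k in ('source_address', 'remote') if k in vxlan]
    addresses += vxlan.get('other_remotes', [])
    if len({is_ipv6(a) for a in addresses}) > 1:
        raise ConfigError('IPv4 and IPV6 cannot be mixed')
    # … unchanged: verify_mtu_ipv6 / verify_address calls …
```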
@@ -0,0 +1,19 @@ + + + + Tunnel remote address + + ipv4 + Tunnel remote IPv4 address + + + ipv6 + Tunnel remote IPv6 address + + + + + + + + diff --git a/interface-definitions/include/interface/tunnel-remotes.xml.i b/interface-definitions/include/interface/tunnel-remotes.xml.i deleted file mode 100644 index ae8481898..000000000 --- a/interface-definitions/include/interface/tunnel-remotes.xml.i +++ /dev/null @@ -1,19 +0,0 @@ - - - - Tunnel remote address - - ipv4 - Tunnel remote IPv4 address - - - ipv6 - Tunnel remote IPv6 address - - - - - - - - diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 559067ea5..0546b4199 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -98,7 +98,7 @@ #include #include - #include + #include #include #include -- cgit v1.2.3 From 9b7d0744409b4fc9433a1dc1e83e8c984567a2d0 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Mon, 21 Feb 2022 09:20:23 -0500 Subject: vpn_ipsec: T3656: modified completion help for key-exchange In latest releases, default IKE version is removed, which allows the connection to be IKEv1 or IKEv2. The completion help shows IKEv1 as default so removed it. --- interface-definitions/vpn_ipsec.xml.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index f7297a6e2..5ec7480cc 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -311,7 +311,7 @@ ikev1 - Use IKEv1 for key exchange [DEFAULT] + Use IKEv1 for key exchange ikev2 -- cgit v1.2.3 From a68c9238111c6caee78bb28f8054b8f0cfa0e374 Mon Sep 17 00:00:00 2001 
From: Christian Poessinger Date: Thu, 24 Feb 2022 22:47:12 +0100 Subject: scripts: T4269: node.def generator should automatically add default values Since introducing the XML node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders: $ cat templates-cfg/service/ssh/port/node.def multi: type: txt help: Port for SSH service (default: 22) val_help: u32:1-65535; Numeric IP port ... Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help. --- interface-definitions/containers.xml.in | 6 ++-- interface-definitions/dhcp-relay.xml.in | 6 ++-- interface-definitions/dhcp-server.xml.in | 2 +- interface-definitions/dhcpv6-relay.xml.in | 2 +- interface-definitions/dns-domain-name.xml.in | 1 + interface-definitions/dns-forwarding.xml.in | 6 ++-- interface-definitions/flow-accounting-conf.xml.in | 26 +++++++++--------- interface-definitions/high-availability.xml.in | 16 +++++------ interface-definitions/igmp-proxy.xml.in | 8 +++--- .../include/accel-ppp/client-ipv6-pool.xml.i | 2 +- .../include/accel-ppp/radius-additions.xml.i | 6 ++-- interface-definitions/include/bfd/common.xml.i | 6 ++-- .../include/bgp/protocol-common-config.xml.i | 2 +- .../include/bgp/timers-keepalive.xml.i | 2 +- .../include/firewall/name-default-action.xml.i | 2 +- .../include/interface/arp-cache-timeout.xml.i | 2 +- .../include/interface/dhcp-options.xml.i | 2 +- .../include/interface/dhcpv6-options.xml.i | 4 +-- .../include/nat-translation-options.xml.i | 4 +-- interface-definitions/include/ospf/auto-cost.xml.i | 2 +- .../include/ospf/interface-common.xml.i 
| 2 +- interface-definitions/include/ospf/intervals.xml.i | 8 +++--- .../include/ospf/metric-type.xml.i | 2 +- .../include/ospf/protocol-common-config.xml.i | 18 ++++++------ .../include/ospfv3/protocol-common-config.xml.i | 2 +- .../include/radius-server-port.xml.i | 2 +- interface-definitions/include/rip/rip-timers.xml.i | 6 ++-- .../include/snmp/access-mode.xml.i | 2 +- .../include/snmp/authentication-type.xml.i | 2 +- .../include/snmp/privacy-type.xml.i | 2 +- interface-definitions/include/snmp/protocol.xml.i | 2 +- .../include/vpn-ipsec-encryption.xml.i | 2 +- interface-definitions/include/vpn-ipsec-hash.xml.i | 2 +- interface-definitions/interfaces-bonding.xml.in | 6 ++-- interface-definitions/interfaces-bridge.xml.in | 10 +++---- interface-definitions/interfaces-ethernet.xml.in | 4 +-- interface-definitions/interfaces-l2tpv3.xml.in | 6 ++-- interface-definitions/interfaces-macsec.xml.in | 4 +-- interface-definitions/interfaces-openvpn.xml.in | 22 +++++++-------- interface-definitions/interfaces-pppoe.xml.in | 2 +- interface-definitions/interfaces-tunnel.xml.in | 4 +-- interface-definitions/interfaces-wireless.xml.in | 10 +++---- interface-definitions/protocols-rpki.xml.in | 2 +- .../service_console-server.xml.in | 6 ++-- .../service_monitoring_telegraf.xml.in | 6 ++-- interface-definitions/service_router-advert.xml.in | 14 +++++----- interface-definitions/service_webproxy.xml.in | 26 ++++++++++-------- interface-definitions/snmp.xml.in | 6 ++-- interface-definitions/ssh.xml.in | 2 +- interface-definitions/system-ip.xml.in | 2 +- interface-definitions/system-login.xml.in | 4 +-- interface-definitions/system-logs.xml.in | 8 +++--- interface-definitions/vpn_ipsec.xml.in | 32 +++++++++++----------- interface-definitions/vpn_l2tp.xml.in | 10 +++---- interface-definitions/vpn_openconnect.xml.in | 12 ++++---- interface-definitions/zone-policy.xml.in | 6 ++-- scripts/build-command-templates | 17 +++++++++--- 57 files changed, 197 insertions(+), 183 deletions(-) 
(limited to 'interface-definitions') diff --git a/interface-definitions/containers.xml.in b/interface-definitions/containers.xml.in index 07686b16e..9cd2b0902 100644 --- a/interface-definitions/containers.xml.in +++ b/interface-definitions/containers.xml.in @@ -111,7 +111,7 @@ - Constrain the memory available to a container (default: 512MB) + Constrain the memory available to a container u32:0 Unlimited @@ -212,7 +212,7 @@ on-failure - Restart containers when they exit with a non-zero exit code, retrying indefinitely (default) + Restart containers when they exit with a non-zero exit code, retrying indefinitely always @@ -283,7 +283,7 @@ - Add registry (default docker.io) + Add registry docker.io diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/dhcp-relay.xml.in index 483e776a7..a5643add6 100644 --- a/interface-definitions/dhcp-relay.xml.in +++ b/interface-definitions/dhcp-relay.xml.in @@ -20,7 +20,7 @@ Policy to discard packets that have reached specified hop-count u32:1-255 - Hop count (default: 10) + Hop count @@ -34,7 +34,7 @@ Maximum packet size to send to a DHCPv4/BOOTP server u32:64-1400 - Maximum packet size (default: 576) + Maximum packet size @@ -44,7 +44,7 @@ - Policy to handle incoming DHCPv4 packets which already contain relay agent options (default: forward) + Policy to handle incoming DHCPv4 packets which already contain relay agent options append replace forward discard diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in index d1ed579e9..312dcd2a0 100644 --- a/interface-definitions/dhcp-server.xml.in +++ b/interface-definitions/dhcp-server.xml.in @@ -198,7 +198,7 @@ - Lease timeout in seconds (default: 86400) + Lease timeout in seconds u32 DHCP lease time in seconds diff --git a/interface-definitions/dhcpv6-relay.xml.in b/interface-definitions/dhcpv6-relay.xml.in index 7162cf353..5abcbe804 100644 --- a/interface-definitions/dhcpv6-relay.xml.in 
+++ b/interface-definitions/dhcpv6-relay.xml.in @@ -36,7 +36,7 @@ Maximum hop count for which requests will be processed u32:1-255 - Hop count (default: 10) + Hop count diff --git a/interface-definitions/dns-domain-name.xml.in b/interface-definitions/dns-domain-name.xml.in index 005a55ab3..7ae537d00 100644 --- a/interface-definitions/dns-domain-name.xml.in +++ b/interface-definitions/dns-domain-name.xml.in @@ -29,6 +29,7 @@ + System host name (default: vyos) diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index 4faf604ad..a2e809da8 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -16,7 +16,7 @@ - DNS forwarding cache size (default: 10000) + DNS forwarding cache size u32:0-2147483647 DNS forwarding cache size @@ -38,7 +38,7 @@ - DNSSEC mode (default: process-no-validate) + DNSSEC mode off process-no-validate process log-fail validate @@ -587,7 +587,7 @@ #include - Maximum amount of time negative entries are cached (default: 3600) + Maximum amount of time negative entries are cached u32:0-7200 Seconds to cache NXDOMAIN entries diff --git a/interface-definitions/flow-accounting-conf.xml.in b/interface-definitions/flow-accounting-conf.xml.in index 1b57d706c..05cf5e170 100644 --- a/interface-definitions/flow-accounting-conf.xml.in +++ b/interface-definitions/flow-accounting-conf.xml.in @@ -14,7 +14,7 @@ Buffer size u32 - Buffer size in MiB (default: 10) + Buffer size in MiB @@ -27,7 +27,7 @@ Specifies the maximum number of bytes to capture for each packet u32:128-750 - Packet length in bytes (default: 128) + Packet length in bytes @@ -209,7 +209,7 @@ 9 - NetFlow version 9 (default) + NetFlow version 9 10 @@ -240,7 +240,7 @@ NetFlow port number u32:1025-65535 - NetFlow port number (default: 2055) + NetFlow port number @@ -260,7 +260,7 @@ Expiry scan interval u32:0-2147483647 - Expiry scan interval (default: 60) + Expiry scan interval 
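Review bot: The dns-domain-name hunk adds `System host name (default: vyos)` as a hand-written help string, which is exactly the pattern the rest of this commit removes in favour of rendering defaults from the node's defaultValue; the include/interface/dhcpv6-options.xml.i hunk does the same by moving `(default: EUI-64)` from the valueHelp into the help. If these nodes carry no defaultValue because their subsystems are not yet migrated to get_config_dict() defaults, as the description suggests, a comment next to each — `<!-- default kept in help text until this subsystem uses get_config_dict() defaults -->` — would flag them for clean-up once they are. With XML tags stripped in this rendering I cannot confirm whether a defaultValue is present on either node.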
@@ -273,7 +273,7 @@ Generic flow timeout value u32:0-2147483647 - Generic flow timeout in seconds (default: 3600) + Generic flow timeout in seconds @@ -286,7 +286,7 @@ ICMP timeout value u32:0-2147483647 - ICMP timeout in seconds (default: 300) + ICMP timeout in seconds @@ -299,7 +299,7 @@ Max active timeout value u32:0-2147483647 - Max active timeout in seconds (default: 604800) + Max active timeout in seconds @@ -312,7 +312,7 @@ TCP finish timeout value u32:0-2147483647 - TCP FIN timeout in seconds (default: 300) + TCP FIN timeout in seconds @@ -325,7 +325,7 @@ TCP generic timeout value u32:0-2147483647 - TCP generic timeout in seconds (default: 3600) + TCP generic timeout in seconds @@ -338,7 +338,7 @@ TCP reset timeout value u32:0-2147483647 - TCP RST timeout in seconds (default: 120) + TCP RST timeout in seconds @@ -351,7 +351,7 @@ UDP timeout value u32:0-2147483647 - UDP timeout in seconds (default: 300) + UDP timeout in seconds @@ -418,7 +418,7 @@ sFlow port number u32:1025-65535 - sFlow port number (default: 6343) + sFlow port number diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in index ee1d70484..662052e12 100644 --- a/interface-definitions/high-availability.xml.in +++ b/interface-definitions/high-availability.xml.in @@ -22,7 +22,7 @@ Advertise interval u32:1-255 - Advertise interval in seconds (default: 1) + Advertise interval in seconds @@ -79,7 +79,7 @@ - Health check failure count required for transition to fault (default: 3) + Health check failure count required for transition to fault @@ -88,7 +88,7 @@ - Health check execution interval in seconds (default: 60) + Health check execution interval in seconds @@ -160,7 +160,7 @@ - Router priority (default: 100) + Router priority u32:1-255 Router priority @@ -333,7 +333,7 @@ Interval between health-checks (in seconds) u32:1-600 - Interval in seconds (default: 10) + Interval in seconds 
@@ -343,7 +343,7 @@ - Forwarding method (default: NAT) + Forwarding method direct nat tunnel @@ -371,7 +371,7 @@ Timeout for persistent connections u32:1-86400 - Timeout for persistent connections (default: 300) + Timeout for persistent connections @@ -381,7 +381,7 @@ - Protocol for port checks (default: TCP) + Protocol for port checks tcp udp diff --git a/interface-definitions/igmp-proxy.xml.in b/interface-definitions/igmp-proxy.xml.in index 91c912d8b..c7ab60929 100644 --- a/interface-definitions/igmp-proxy.xml.in +++ b/interface-definitions/igmp-proxy.xml.in @@ -39,7 +39,7 @@ - IGMP interface role (default: downstream) + IGMP interface role upstream downstream disabled @@ -49,7 +49,7 @@ downstream - Downstream interface(s) (default) + Downstream interface(s) disabled @@ -63,10 +63,10 @@ - TTL threshold (default: 1) + TTL threshold u32:1-255 - TTL threshold for the interfaces (default: 1) + TTL threshold for the interfaces diff --git a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i index a692f2335..01cf0e040 100644 --- a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i +++ b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i @@ -21,7 +21,7 @@ Prefix length used for individual client u32:48-128 - Client prefix length (default: 64) + Client prefix length diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i index 258ece2b5..441c9dda5 100644 --- a/interface-definitions/include/accel-ppp/radius-additions.xml.i +++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i @@ -21,7 +21,7 @@ Accounting port u32:1-65535 - Numeric IP port (default: 1813) + Numeric IP port 
@@ -62,7 +62,7 @@ - Timeout for Interim-Update packets, terminate session afterwards (default 3 seconds) + Timeout for Interim-Update packets, terminate session afterwards u32:0-60 Timeout in seconds, 0 to keep active @@ -126,7 +126,7 @@ - Port for Dynamic Authorization Extension server (DM/CoA) (default: 1700) + Port for Dynamic Authorization Extension server (DM/CoA) u32:1-65535 TCP port diff --git a/interface-definitions/include/bfd/common.xml.i b/interface-definitions/include/bfd/common.xml.i index e52221441..126ab9b9a 100644 --- a/interface-definitions/include/bfd/common.xml.i +++ b/interface-definitions/include/bfd/common.xml.i @@ -15,7 +15,7 @@ Minimum interval of receiving control packets u32:10-60000 - Interval in milliseconds (default: 300) + Interval in milliseconds @@ -28,7 +28,7 @@ Minimum interval of transmitting control packets u32:10-60000 - Interval in milliseconds (default: 300) + Interval in milliseconds @@ -41,7 +41,7 @@ Multiplier to determine packet loss u32:2-255 - Remote transmission interval will be multiplied by this value (default: 3) + Remote transmission interval will be multiplied by this value diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 8214d0779..38337b032 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1191,7 +1191,7 @@ Set period to rescan BGP table to check if condition is met u32:5-240 - Period to rerun the conditional advertisement scanner process (default: 60) + Period to rerun the conditional advertisement scanner process diff --git a/interface-definitions/include/bgp/timers-keepalive.xml.i b/interface-definitions/include/bgp/timers-keepalive.xml.i index b2771e326..b23f96ec8 100644 --- a/interface-definitions/include/bgp/timers-keepalive.xml.i +++ b/interface-definitions/include/bgp/timers-keepalive.xml.i 
@@ -4,7 +4,7 @@ BGP keepalive interval for this neighbor u32:1-65535 - Keepalive interval in seconds (default 60) + Keepalive interval in seconds diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i index 1b61b076f..8470a29a9 100644 --- a/interface-definitions/include/firewall/name-default-action.xml.i +++ b/interface-definitions/include/firewall/name-default-action.xml.i @@ -7,7 +7,7 @@ drop - Drop if no prior rules are hit (default) + Drop if no prior rules are hit reject diff --git a/interface-definitions/include/interface/arp-cache-timeout.xml.i b/interface-definitions/include/interface/arp-cache-timeout.xml.i index cb01d0525..06d7ffe96 100644 --- a/interface-definitions/include/interface/arp-cache-timeout.xml.i +++ b/interface-definitions/include/interface/arp-cache-timeout.xml.i @@ -4,7 +4,7 @@ ARP cache entry timeout in seconds u32:1-86400 - ARP cache entry timout in seconds (default 30) + ARP cache entry timout in seconds diff --git a/interface-definitions/include/interface/dhcp-options.xml.i b/interface-definitions/include/interface/dhcp-options.xml.i index f62b06640..098d02919 100644 --- a/interface-definitions/include/interface/dhcp-options.xml.i +++ b/interface-definitions/include/interface/dhcp-options.xml.i @@ -30,7 +30,7 @@ Distance for the default route from DHCP server u32:1-255 - Distance for the default route from DHCP server (default: 210) + Distance for the default route from DHCP server diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i index d1abf4a90..08e4f5e0a 100644 --- a/interface-definitions/include/interface/dhcpv6-options.xml.i +++ b/interface-definitions/include/interface/dhcpv6-options.xml.i 
@@ -57,10 +57,10 @@ - Local interface address assigned to interface + Local interface address assigned to interface (default: EUI-64) >0 - Used to form IPv6 interface address (default: EUI-64) + Used to form IPv6 interface address diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i index df2f76397..f1539757b 100644 --- a/interface-definitions/include/nat-translation-options.xml.i +++ b/interface-definitions/include/nat-translation-options.xml.i @@ -16,7 +16,7 @@ random - Random source or destination address allocation for each connection (default) + Random source or destination address allocation for each connection ^(persistent|random)$ @@ -39,7 +39,7 @@ none - Do not apply port randomization (default) + Do not apply port randomization ^(random|fully-random|none)$ diff --git a/interface-definitions/include/ospf/auto-cost.xml.i b/interface-definitions/include/ospf/auto-cost.xml.i index 3e6cc8232..da6483a00 100644 --- a/interface-definitions/include/ospf/auto-cost.xml.i +++ b/interface-definitions/include/ospf/auto-cost.xml.i @@ -6,7 +6,7 @@ - Reference bandwidth method to assign cost (default: 100) + Reference bandwidth method to assign cost u32:1-4294967 Reference bandwidth cost in Mbits/sec diff --git a/interface-definitions/include/ospf/interface-common.xml.i b/interface-definitions/include/ospf/interface-common.xml.i index 738651594..9c8b94f0b 100644 --- a/interface-definitions/include/ospf/interface-common.xml.i +++ b/interface-definitions/include/ospf/interface-common.xml.i @@ -20,7 +20,7 @@ - Router priority (default: 1) + Router priority u32:0-255 OSPF router priority cost diff --git a/interface-definitions/include/ospf/intervals.xml.i b/interface-definitions/include/ospf/intervals.xml.i index fad1a6305..9f6e5df69 100644 --- a/interface-definitions/include/ospf/intervals.xml.i +++ b/interface-definitions/include/ospf/intervals.xml.i 
@@ -1,7 +1,7 @@ - Interval after which a neighbor is declared dead (default: 40) + Interval after which a neighbor is declared dead u32:1-65535 Neighbor dead interval (seconds) @@ -14,7 +14,7 @@ - Interval between hello packets (default: 10) + Interval between hello packets u32:1-65535 Hello interval (seconds) @@ -27,7 +27,7 @@ - Interval between retransmitting lost link state advertisements (default: 5) + Interval between retransmitting lost link state advertisements u32:1-65535 Retransmit interval (seconds) @@ -40,7 +40,7 @@ - Link state transmit delay (default: 1) + Link state transmit delay u32:1-65535 Link state transmit delay (seconds) diff --git a/interface-definitions/include/ospf/metric-type.xml.i b/interface-definitions/include/ospf/metric-type.xml.i index ef9fd8ac0..de55c7645 100644 --- a/interface-definitions/include/ospf/metric-type.xml.i +++ b/interface-definitions/include/ospf/metric-type.xml.i @@ -1,7 +1,7 @@ - OSPF metric type for default routes (default: 2) + OSPF metric type for default routes u32:1-2 Set OSPF External Type 1/2 metrics diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index e783f4bec..088bee2de 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -106,7 +106,7 @@ - Configure NSSA-ABR (default: candidate) + Configure NSSA-ABR always candidate never @@ -116,7 +116,7 @@ candidate - Translate for election (default) + Translate for election never @@ -502,7 +502,7 @@ - Dead neighbor polling interval (default: 60) + Dead neighbor polling interval u32:1-65535 Seconds between dead neighbor polling interval @@ -515,7 +515,7 @@ - Neighbor priority in seconds (default: 0) + Neighbor priority in seconds u32:0-255 Neighbor priority 
@@ -535,13 +535,13 @@ - OSPF ABR type (default: cisco) + OSPF ABR type cisco ibm shortcut standard cisco - Cisco ABR type (default) + Cisco ABR type ibm @@ -712,7 +712,7 @@ - Delay from the first change received to SPF calculation (default: 200) + Delay from the first change received to SPF calculation u32:0-600000 Delay in milliseconds @@ -725,7 +725,7 @@ - Initial hold time between consecutive SPF calculations (default: 1000) + Initial hold time between consecutive SPF calculations u32:0-600000 Initial hold time in milliseconds @@ -738,7 +738,7 @@ - Maximum hold time (default: 10000) + Maximum hold time u32:0-600000 Max hold time in milliseconds diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i index 5d08debda..792c873c8 100644 --- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i +++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i @@ -158,7 +158,7 @@ - Instance Id (default: 0) + Instance ID u32:0-255 Instance Id diff --git a/interface-definitions/include/radius-server-port.xml.i b/interface-definitions/include/radius-server-port.xml.i index 4e5d906bc..c6b691a0f 100644 --- a/interface-definitions/include/radius-server-port.xml.i +++ b/interface-definitions/include/radius-server-port.xml.i @@ -4,7 +4,7 @@ Authentication port u32:1-65535 - Numeric IP port (default: 1812) + Numeric IP port diff --git a/interface-definitions/include/rip/rip-timers.xml.i b/interface-definitions/include/rip/rip-timers.xml.i index 3aaaf8e65..129d9ed23 100644 --- a/interface-definitions/include/rip/rip-timers.xml.i +++ b/interface-definitions/include/rip/rip-timers.xml.i @@ -9,7 +9,7 @@ Garbage collection timer u32:5-2147483647 - Garbage colletion time (default 120) + Garbage colletion time @@ -22,7 +22,7 @@ Routing information timeout timer u32:5-2147483647 - Routing information timeout timer (default 180) + Routing information timeout timer 
@@ -35,7 +35,7 @@ Routing table update timer u32:5-2147483647 - Routing table update timer in seconds (default 30) + Routing table update timer in seconds diff --git a/interface-definitions/include/snmp/access-mode.xml.i b/interface-definitions/include/snmp/access-mode.xml.i index 1fce2364e..71c766774 100644 --- a/interface-definitions/include/snmp/access-mode.xml.i +++ b/interface-definitions/include/snmp/access-mode.xml.i @@ -7,7 +7,7 @@ ro - Read-Only (default) + Read-Only rw diff --git a/interface-definitions/include/snmp/authentication-type.xml.i b/interface-definitions/include/snmp/authentication-type.xml.i index 2a545864a..ca0bb10a6 100644 --- a/interface-definitions/include/snmp/authentication-type.xml.i +++ b/interface-definitions/include/snmp/authentication-type.xml.i @@ -7,7 +7,7 @@ md5 - Message Digest 5 (default) + Message Digest 5 sha diff --git a/interface-definitions/include/snmp/privacy-type.xml.i b/interface-definitions/include/snmp/privacy-type.xml.i index 47a1e632e..94029a6c6 100644 --- a/interface-definitions/include/snmp/privacy-type.xml.i +++ b/interface-definitions/include/snmp/privacy-type.xml.i @@ -7,7 +7,7 @@ des - Data Encryption Standard (default) + Data Encryption Standard aes diff --git a/interface-definitions/include/snmp/protocol.xml.i b/interface-definitions/include/snmp/protocol.xml.i index 335736724..ebdeef87e 100644 --- a/interface-definitions/include/snmp/protocol.xml.i +++ b/interface-definitions/include/snmp/protocol.xml.i @@ -7,7 +7,7 @@ udp - Listen protocol UDP (default) + Listen protocol UDP tcp diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i index 9ef2f7c90..faa264d2f 100644 --- a/interface-definitions/include/vpn-ipsec-encryption.xml.i +++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i @@ -11,7 +11,7 @@ aes128 - 128 bit AES-CBC (default) + 128 bit AES-CBC aes192 
diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i index 5a06b290e..b3ef4fb7a 100644 --- a/interface-definitions/include/vpn-ipsec-hash.xml.i +++ b/interface-definitions/include/vpn-ipsec-hash.xml.i @@ -15,7 +15,7 @@ sha1 - SHA1 HMAC (default) + SHA1 HMAC sha1_160 diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 723041ca5..b98f4b960 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -66,7 +66,7 @@ layer2 - use MAC addresses to generate the hash (802.3ad, default) + use MAC addresses to generate the hash layer2+3 @@ -115,7 +115,7 @@ slow - Request partner to transmit LACPDUs every 30 seconds (default) + Request partner to transmit LACPDUs every 30 seconds fast @@ -135,7 +135,7 @@ 802.3ad - IEEE 802.3ad Dynamic link aggregation (Default) + IEEE 802.3ad Dynamic link aggregation active-backup diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index 89a6d2303..fabfb917a 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -26,7 +26,7 @@ u32:10-1000000 - MAC address aging time in seconds (default: 300) + MAC address aging time in seconds @@ -48,7 +48,7 @@ Forwarding delay u32:0-200 - Spanning Tree Protocol forwarding delay in seconds (default 15) + Spanning Tree Protocol forwarding delay in seconds @@ -62,7 +62,7 @@ Hello packet advertisement interval u32:1-10 - Spanning Tree Protocol hello advertisement interval in seconds (default 2) + Spanning Tree Protocol hello advertisement interval in seconds @@ -99,7 +99,7 @@ Interval at which neighbor bridges are removed u32:1-40 - Bridge maximum aging time in seconds (default 20) + Bridge maximum aging time in seconds 
@@ -195,7 +195,7 @@ Priority for this bridge u32:0-65535 - Bridge priority (default 32768) + Bridge priority diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index 9e113cb71..be7bddfa4 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -41,7 +41,7 @@ auto - Auto negotiation (default) + Auto negotiation half @@ -110,7 +110,7 @@ - Link speed (default: auto) + Link speed auto 10 100 1000 2500 5000 10000 25000 40000 50000 100000 diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index 85d4ab992..ba9bcb0a2 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -20,7 +20,7 @@ #include - UDP destination port for L2TPv3 tunnel (default: 5000) + UDP destination port for L2TPv3 tunnel u32:1-65535 Numeric IP port @@ -36,7 +36,7 @@ #include - Encapsulation type (default: UDP) + Encapsulation type udp ip @@ -102,7 +102,7 @@ - UDP source port for L2TPv3 tunnel (default: 5000) + UDP source port for L2TPv3 tunnel u32:1-65535 Numeric IP port diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 598935e51..7206e57b1 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -36,7 +36,7 @@ gcm-aes-128 - Galois/Counter Mode of AES cipher with 128-bit key (default) + Galois/Counter Mode of AES cipher with 128-bit key gcm-aes-256 @@ -84,7 +84,7 @@ - Priority of MACsec Key Agreement protocol (MKA) actor (default: 255) + Priority of MACsec Key Agreement protocol (MKA) actor u32:0-255 MACsec Key Agreement protocol (MKA) priority diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 16d91145f..eb574eb52 100644 --- a/interface-definitions/interfaces-openvpn.xml.in 
+++ b/interface-definitions/interfaces-openvpn.xml.in @@ -38,7 +38,7 @@ #include - OpenVPN interface device-type (default: tun) + OpenVPN interface device-type tun tap @@ -206,7 +206,7 @@ - Maximum number of keepalive packet failures (default: 60) + Maximum number of keepalive packet failures u32:0-1000 Maximum number of keepalive packet failures @@ -219,7 +219,7 @@ - Keepalive packet interval in seconds (default: 10) + Keepalive packet interval in seconds u32:0-600 Keepalive packet interval (seconds) @@ -613,13 +613,13 @@ - Topology for clients (default: net30) + Topology for clients net30 point-to-point subnet net30 - net30 topology (default) + net30 topology point-to-point @@ -647,7 +647,7 @@ - Maximum allowed clock slop in seconds (default: 180) + Maximum allowed clock slop in seconds 1-65535 Seconds @@ -660,7 +660,7 @@ - Time drift in seconds (default: 0) + Time drift in seconds 1-65535 Seconds @@ -673,7 +673,7 @@ - Step value for totp in seconds (default: 30) + Step value for totp in seconds 1-65535 Seconds @@ -686,7 +686,7 @@ - Number of digits to use for totp hash (default: 6) + Number of digits to use for totp hash 1-65535 Seconds @@ -699,7 +699,7 @@ - Expect password as result of a challenge response protocol (default: enabled) + Expect password as result of a challenge response protocol disable enable @@ -709,7 +709,7 @@ enable - Enable chalenge-response (default) + Enable chalenge-response ^(disable|enable)$ diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index 80a890940..ed0e45840 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -23,7 +23,7 @@ #include - Default route insertion behaviour (default: auto) + Default route insertion behaviour auto none force diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index fd69fd177..eb1708aaa 100644 
--- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -241,7 +241,7 @@ u32:0-255 - Encapsulation limit (default: 4) + Encapsulation limit none @@ -261,7 +261,7 @@ Hoplimit u32:0-255 - Hop limit (default: 64) + Hop limit diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index a2d1439a3..5b79ac671 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -291,7 +291,7 @@ 0 - 20 or 40 MHz channel width (default) + 20 or 40 MHz channel width 1 @@ -431,7 +431,7 @@ - Wireless radio channel (default: 0) + Wireless radio channel 0 Automatic Channel Selection (ACS) @@ -515,7 +515,7 @@ disabled - no MFP (hostapd default) + no MFP optional @@ -546,7 +546,7 @@ g - 802.11g - 54 Mbits/sec (default) + 802.11g - 54 Mbits/sec n @@ -564,7 +564,7 @@ - Wireless physical device (default: phy0) + Wireless physical device diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols-rpki.xml.in index a73d0aae4..68762ff9a 100644 --- a/interface-definitions/protocols-rpki.xml.in +++ b/interface-definitions/protocols-rpki.xml.in @@ -82,7 +82,7 @@ - RPKI cache polling period (default: 300) + RPKI cache polling period u32:1-86400 Polling period in seconds diff --git a/interface-definitions/service_console-server.xml.in b/interface-definitions/service_console-server.xml.in index 28aa7ea71..549edb813 100644 --- a/interface-definitions/service_console-server.xml.in +++ b/interface-definitions/service_console-server.xml.in @@ -41,7 +41,7 @@ - Serial port data bits (default: 8) + Serial port data bits 7 8 @@ -53,7 +53,7 @@ - Serial port stop bits (default: 1) + Serial port stop bits 1 2 @@ -65,7 +65,7 @@ - Parity setting (default: none) + Parity setting even odd none 
diff --git a/interface-definitions/service_monitoring_telegraf.xml.in b/interface-definitions/service_monitoring_telegraf.xml.in index 0db9052ff..f0a94d6a9 100644 --- a/interface-definitions/service_monitoring_telegraf.xml.in +++ b/interface-definitions/service_monitoring_telegraf.xml.in @@ -44,19 +44,19 @@ - Remote bucket, by default (main) + Remote bucket main - Source parameters for monitoring (default: all) + Source parameters for monitoring all hardware-utilization logs network system telegraf all - All parameters (default) + All parameters hardware-utilization diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in index 0f4009f5c..ce1da85aa 100644 --- a/interface-definitions/service_router-advert.xml.in +++ b/interface-definitions/service_router-advert.xml.in @@ -18,7 +18,7 @@ - Set Hop Count field of the IP header for outgoing packets (default: 64) + Set Hop Count field of the IP header for outgoing packets u32:0 Unspecified (by this router) @@ -63,7 +63,7 @@ medium - Default router has medium preference (default) + Default router has medium preference high @@ -108,7 +108,7 @@ - Maximum interval between unsolicited multicast RAs (default: 600) + Maximum interval between unsolicited multicast RAs u32:4-1800 Maximum interval in seconds @@ -156,7 +156,7 @@ - Time in seconds that the route will remain valid (default: 1800 seconds) + Time in seconds that the route will remain valid infinity @@ -187,7 +187,7 @@ medium - Route has medium preference (default) + Route has medium preference high @@ -234,7 +234,7 @@ - Time in seconds that the prefix will remain preferred (default 4 hours) + Time in seconds that the prefix will remain preferred infinity @@ -255,7 +255,7 @@ - Time in seconds that the prefix will remain valid (default: 30 days) + Time in seconds that the prefix will remain valid infinity 
diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in index 03f504ac7..92e5ca37b 100644 --- a/interface-definitions/service_webproxy.xml.in +++ b/interface-definitions/service_webproxy.xml.in @@ -28,7 +28,7 @@ - Number of authentication helper processes (default: 5) + Number of authentication helper processes n Number of authentication helper processes @@ -41,7 +41,7 @@ - Authenticated session time to live in minutes (default: 60) + Authenticated session time to live in minutes n Authenticated session timeout @@ -105,7 +105,7 @@ - LDAP protocol version (default: 3) + LDAP protocol version 2 3 @@ -177,7 +177,7 @@ - Default Proxy Port (default: 3128) + Default Proxy Port u32:1025-65535 Default port number @@ -190,7 +190,11 @@ - Cache peer ICP port (default: disabled) + Cache peer ICP port + + u32:0 + Cache peer disabled + u32:1-65535 Cache peer ICP port @@ -203,7 +207,7 @@ - Cache peer options (default: "no-query default") + Cache peer options txt Cache peer options @@ -239,7 +243,7 @@ - Disk cache size in MB (default: 100) + Disk cache size in MB u32 Disk cache size in MB @@ -253,7 +257,7 @@ - Default Proxy Port (default: 3128) + Default Proxy Port u32:1025-65535 Default port number @@ -296,7 +300,7 @@ - Default Proxy Port (default: 3128) + Default Proxy Port u32:1025-65535 Default port number @@ -399,7 +403,7 @@ - Hour of day for database update [REQUIRED] + Hour of day for database update u32:0-23 Hour for database update @@ -414,7 +418,7 @@ - Redirect URL for filtered websites (default: block.vyos.net) + Redirect URL for filtered websites url URL for redirect diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in index 67d3aef9a..b9e0f4cc5 100644 --- a/interface-definitions/snmp.xml.in +++ b/interface-definitions/snmp.xml.in @@ -26,7 +26,7 @@ ro - Read-Only (default) + Read-Only rw 
@@ -226,7 +226,7 @@ auth - Messages are authenticated but not encrypted (authNoPriv, default) + Messages are authenticated but not encrypted (authNoPriv) priv @@ -329,7 +329,7 @@ inform trap - inform (default) + inform Use INFORM diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index e3b9d16e1..187e5f8e8 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -105,7 +105,7 @@ ^(quiet|fatal|error|info|verbose)$ - INFO + info diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in index 86fbe5701..1fa63d517 100644 --- a/interface-definitions/system-ip.xml.in +++ b/interface-definitions/system-ip.xml.in @@ -15,7 +15,7 @@ - Maximum number of entries to keep in the ARP cache (default: 8192) + Maximum number of entries to keep in the ARP cache 1024 2048 4096 8192 16384 32768 diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 4bfe82268..a5519ee88 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -124,7 +124,7 @@ Session timeout u32:1-30 - Session timeout in seconds (default: 2) + Session timeout in seconds @@ -138,7 +138,7 @@ Server priority u32:1-255 - Server priority (default: 255) + Server priority diff --git a/interface-definitions/system-logs.xml.in b/interface-definitions/system-logs.xml.in index 8b6c7c399..1caa7abb6 100644 --- a/interface-definitions/system-logs.xml.in +++ b/interface-definitions/system-logs.xml.in @@ -23,7 +23,7 @@ Size of a single log file that triggers rotation u32:1-1024 - Size in MB (default: 10) + Size in MB @@ -37,7 +37,7 @@ Count of rotations before old logs will be deleted u32:1-100 - Rotations (default: 10) + Rotations @@ -58,7 +58,7 @@ Size of a single log file that triggers rotation u32:1-1024 - Size in MB (default: 1) + Size in MB 
@@ -72,7 +72,7 @@ Count of rotations before old logs will be deleted u32:1-100 - Rotations (default: 10) + Rotations diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index dae76218f..147bb99ba 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -30,7 +30,7 @@ disable - Disable ESP compression (default) + Disable ESP compression enable @@ -47,7 +47,7 @@ ESP lifetime u32:30-86400 - ESP lifetime in seconds (default: 3600) + ESP lifetime in seconds @@ -87,7 +87,7 @@ tunnel - Tunnel mode (default) + Tunnel mode transport @@ -107,7 +107,7 @@ enable - Inherit Diffie-Hellman group from the IKE group (default) + Inherit Diffie-Hellman group from the IKE group dh-group1 @@ -235,7 +235,7 @@ none - Do nothing (default) + Do nothing hold @@ -267,7 +267,7 @@ hold - Attempt to re-negotiate the connection when matching traffic is seen (default) + Attempt to re-negotiate the connection when matching traffic is seen clear @@ -287,7 +287,7 @@ Keep-alive interval u32:2-86400 - Keep-alive interval in seconds (default: 30) + Keep-alive interval in seconds @@ -299,7 +299,7 @@ Dead Peer Detection keep-alive timeout (IKEv1 only) u32:2-86400 - Keep-alive timeout in seconds (default 120) + Keep-alive timeout in seconds @@ -310,7 +310,7 @@ - Re-authentication of the remote peer during an IKE re-key. IKEv2 option only + Re-authentication of the remote peer during an IKE re-key - IKEv2 only yes no @@ -320,7 +320,7 @@ no - Disable remote host re-authenticaton during an IKE rekey. (default) + Disable remote host re-authenticaton during an IKE rekey ^(yes|no)$ @@ -351,7 +351,7 @@ IKE lifetime u32:30-86400 - IKE lifetime in seconds (default: 28800) + IKE lifetime in seconds @@ -367,7 +367,7 @@ enable - Enable MOBIKE (default for IKEv2) + Enable MOBIKE disable @@ -386,7 +386,7 @@ main - Use the main mode (recommended, default) + Use the main mode (recommended) aggressive 
@@ -533,7 +533,7 @@ strongSwan logging Level 0 - Very basic auditing logs e.g. SA up/SA down (default) + Very basic auditing logs e.g. SA up/SA down 1 @@ -791,7 +791,7 @@ u32:1-86400 - Timeout in seconds (default: 28800) + Timeout in seconds @@ -1067,7 +1067,7 @@ inherit - Inherit the reauth configuration form your IKE-group (default) + Inherit the reauth configuration form your IKE-group ^(yes|no|inherit)$ diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in index 6a88756a7..9ca7b1fad 100644 --- a/interface-definitions/vpn_l2tp.xml.in +++ b/interface-definitions/vpn_l2tp.xml.in @@ -88,7 +88,7 @@ IKE lifetime u32:30-86400 - IKE lifetime in seconds (default 3600) + IKE lifetime in seconds @@ -101,7 +101,7 @@ ESP lifetime u32:30-86400 - IKE lifetime in seconds (default 3600) + IKE lifetime in seconds @@ -135,7 +135,7 @@ PPP idle timeout u32:30-86400 - PPP idle timeout in seconds (default 1800) + PPP idle timeout in seconds @@ -206,7 +206,7 @@ - Timeout to wait reply for Interim-Update packets. (default 3 seconds) + Timeout to wait reply for Interim-Update packets @@ -244,7 +244,7 @@ - Specifies which radius attribute contains rate information. (default is Filter-Id) + Specifies which radius attribute contains rate information diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in index 0db5e79d0..3fc34bacc 100644 --- a/interface-definitions/vpn_openconnect.xml.in +++ b/interface-definitions/vpn_openconnect.xml.in @@ -41,7 +41,7 @@ Session timeout u32:1-30 - Session timeout in seconds (default: 2) + Session timeout in seconds @@ -61,10 +61,10 @@ - tcp port number to accept connections (default: 443) + tcp port number to accept connections u32:1-65535 - Numeric IP port (default: 443) + Numeric IP port @@ -74,10 +74,10 @@ - udp port number to accept connections (default: 443) + udp port number to accept connections u32:1-65535 - Numeric IP port (default: 443) + Numeric IP port 
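Review bot: In the `@@ -101,7 +101,7 @@` hunk of vpn_l2tp.xml.in the valueHelp description under `ESP lifetime` still reads `IKE lifetime in seconds`; it is a copy of the IKE node just above and should read `ESP lifetime in seconds`. This commit already rewrites that exact string to drop the inline default, so it is the natural place to fix the mislabel. Since `(default 3600)` is removed from the text, also confirm the node carries a `defaultValue` of 3600 so the generated completion help regains the information.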
@@ -160,7 +160,7 @@ Prefix length used for individual client u32:48-128 - Client prefix length (default: 64) + Client prefix length diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in index 69ee031c7..b898c3ecd 100644 --- a/interface-definitions/zone-policy.xml.in +++ b/interface-definitions/zone-policy.xml.in @@ -27,7 +27,7 @@ drop - Drop silently (default) + Drop silently reject @@ -97,7 +97,7 @@ accept - Accept traffic (default) + Accept traffic drop @@ -138,7 +138,7 @@ Zone to be local-zone - + diff --git a/scripts/build-command-templates b/scripts/build-command-templates index d8abb0a13..876f5877c 100755 --- a/scripts/build-command-templates +++ b/scripts/build-command-templates @@ -117,7 +117,7 @@ def collect_validators(ve): return regex_args + " " + validator_args -def get_properties(p): +def get_properties(p, default=None): props = {} if p is None: @@ -125,7 +125,12 @@ def get_properties(p): # Get the help string try: - props["help"] = p.find("help").text + help = p.find("help").text + if default != None: + # DNS forwarding for instance has multiple defaults - specified as whitespace separated list + tmp = ', '.join(default.text.split()) + help += f' (default: {tmp})' + props["help"] = help except: pass @@ -134,7 +139,11 @@ def get_properties(p): vhe = p.findall("valueHelp") vh = [] for v in vhe: - vh.append( (v.find("format").text, v.find("description").text) ) + format = v.find("format").text + description = v.find("description").text + if default != None and default.text == format: + description += f' (default)' + vh.append( (format, description) ) props["val_help"] = vh except: props["val_help"] = [] 
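Review bot: In get_properties() the new `if default != None:` should be `if default is not None:`, and it does not guard against an empty `<defaultValue/>`, where `default.text` is `None` and `default.text.split()` raises AttributeError inside the `try`; the pre-existing bare `except: pass` then swallows the error and the node silently loses its entire help string, not just the default suffix. Change the guard to `if default is not None and default.text:` (and the valueHelp branch to `if default is not None and default.text == format:`), and narrow the `except` to `AttributeError` so other failures surface. The locals `help` and `format` shadow builtins; `help_text`/`fmt` would avoid that. The rest of get_properties() lies outside these hunks.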
@@ -271,7 +280,7 @@ def process_node(n, tmpl_dir): print("Name of the node: {0}. Created directory: {1}\n".format(name, "/".join(my_tmpl_dir)), end="") os.makedirs(make_path(my_tmpl_dir), exist_ok=True) - props = get_properties(props_elem) + props = get_properties(props_elem, n.find("defaultValue")) if owner: props["owner"] = owner # Type should not be set for non-tag, non-leaf nodes -- cgit v1.2.3 From faa63999ca1fe11cc25e8a241e75a451a53ffa26 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Feb 2022 21:46:18 +0100 Subject: dhcp-relay: T3095: add missing max-size default value --- interface-definitions/dhcp-relay.xml.in | 1 + 1 file changed, 1 insertion(+) (limited to 'interface-definitions') diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/dhcp-relay.xml.in index a5643add6..339941e65 100644 --- a/interface-definitions/dhcp-relay.xml.in +++ b/interface-definitions/dhcp-relay.xml.in @@ -41,6 +41,7 @@ max-size must be a value between 64 and 1400 + 576 -- cgit v1.2.3 From be60d39332b753f5fe35101efe3463eebea2cb9d Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Feb 2022 21:50:09 +0100 Subject: wireless: ifconfig: T2653: add missing defaultValue for mgmt-frame-protection --- interface-definitions/interfaces-wireless.xml.in | 1 + 1 file changed, 1 insertion(+) (limited to 'interface-definitions') diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index 5b79ac671..9db9fd757 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -529,6 +529,7 @@ ^(disabled|optional|required)$ + disabled -- cgit v1.2.3 From 8cb7c2288585b81f29111e7fdc36c34e62b7db13 Mon Sep 17 00:00:00 2001 
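Review bot: The new `disabled` default for mgmt-frame-protection documents a security-weakening choice without saying why; it mirrors hostapd's own default (the earlier hunk's valueHelp read `no MFP (hostapd default)`), but with 802.11w off, management frames such as deauthentication are not integrity-protected, and now that defaults render into completion help this reads as the recommended setting. Add an XML comment beside it, e.g. `<!-- mirrors hostapd default (ieee80211w=0); MFP must be enabled explicitly -->`, so the choice is visible to the next maintainer. If this file also offers a WPA3/SAE mode (not visible here), MFP is mandatory for it and the generated hostapd config should force it regardless of this default; worth confirming.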
From: Christian Poessinger Date: Fri, 25 Feb 2022 21:52:57 +0100 Subject: xml: webproxy: add comment about explicitly not set defaultValue --- interface-definitions/service_webproxy.xml.in | 1 + 1 file changed, 1 insertion(+) (limited to 'interface-definitions') diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in index 92e5ca37b..89c4c3910 100644 --- a/interface-definitions/service_webproxy.xml.in +++ b/interface-definitions/service_webproxy.xml.in @@ -309,6 +309,7 @@ + -- cgit v1.2.3 From 0ec8927476e7d654d52df4c803a6694be0b1e9e2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Feb 2022 21:54:25 +0100 Subject: monitoring: T3872: re-use "port" building block from port-number.xml.i --- interface-definitions/service_monitoring_telegraf.xml.in | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/service_monitoring_telegraf.xml.in b/interface-definitions/service_monitoring_telegraf.xml.in index f0a94d6a9..7db9de9f8 100644 --- a/interface-definitions/service_monitoring_telegraf.xml.in +++ b/interface-definitions/service_monitoring_telegraf.xml.in @@ -98,10 +98,8 @@ Incorrect URL format. + #include - - Remote port (default: 8086) - 8086 -- cgit v1.2.3 From ae51162283826e1a510aed1609778eb0223c8462 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Feb 2022 21:57:09 +0100 Subject: vpn: ipsec: T3093: add missing defaultValue entries --- interface-definitions/include/vpn-ipsec-encryption.xml.i | 1 + interface-definitions/include/vpn-ipsec-hash.xml.i | 1 + interface-definitions/vpn_ipsec.xml.in | 4 ++++ 3 files changed, 6 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i index faa264d2f..eb0678aa9 100644 --- a/interface-definitions/include/vpn-ipsec-encryption.xml.i 
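Review bot: Replacing the port node with `#include <include/port-number.xml.i>` also removes the `8086` defaultValue the deleted lines carried (the diffstat's 1 insertion / 3 deletions shows it was dropped, not moved); unless the generic port-number snippet defines that same default, which a shared building block presumably does not, the CLI no longer advertises or supplies a default InfluxDB port. Either keep a `<defaultValue>8086</defaultValue>` next to the include, or confirm the telegraf conf script hard-codes 8086 when the node is unset and state that in an XML comment.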
+++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i @@ -229,5 +229,6 @@ ^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$ + aes128 diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i index b3ef4fb7a..d6259574a 100644 --- a/interface-definitions/include/vpn-ipsec-hash.xml.i +++ b/interface-definitions/include/vpn-ipsec-hash.xml.i @@ -61,5 +61,6 @@ ^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$ + sha1 diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 147bb99ba..885bac979 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -293,6 +293,7 @@ + 30 @@ -305,6 +306,7 @@ + 120 @@ -377,6 +379,7 @@ ^(enable|disable)$ + enable @@ -396,6 +399,7 @@ ^(main|aggressive)$ + main -- cgit v1.2.3 From 0daf168d3d7583984431de2ef97682ff4c986f74 Mon Sep 17 00:00:00 2001 
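Review bot: The defaults documented here, `sha1` in vpn-ipsec-hash.xml.i and `aes128` in the sibling encryption hunk, sit at the weak end of the permitted set, and once they render into completion help they become the advertised recommendation. HMAC-SHA1 integrity is not practically broken, but `sha256`/`aes256` is current guidance; as this commit only intends to make the XML match existing behaviour, keep the values but add an XML comment such as `<!-- legacy default kept for config compatibility; prefer sha256 -->`. Also confirm that vpn_ipsec.py really applies sha1/aes128 when the node is absent, otherwise the documented default diverges from what is configured; the same check applies to the `30`/`120` DPD values and the `enable` MOBIKE default in the vpn_ipsec.xml.in hunks.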
From: Christian Poessinger Date: Fri, 25 Feb 2022 22:30:34 +0100 Subject: zone-policy: T2199: bugfix defaultValue usage Instead of hardcoding the default behavior inside the Jinaj2 template, all defaults are required to be specified inside teh XML definition. This is required to automatically render the appropriate CLI tab completion commands. --- data/templates/zone_policy/nftables.tmpl | 12 ++++++------ interface-definitions/zone-policy.xml.in | 1 + src/conf_mode/zone_policy.py | 24 ++++++++++++++++++------ 3 files changed, 25 insertions(+), 12 deletions(-) (limited to 'interface-definitions') diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl index 093da6bd8..4a6bd2772 100644 --- a/data/templates/zone_policy/nftables.tmpl +++ b/data/templates/zone_policy/nftables.tmpl @@ -16,7 +16,7 @@ table ip filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } chain VZONE_{{ zone_name }}_OUT { oifname lo counter return @@ -24,7 +24,7 @@ table ip filter { oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% else %} chain VZONE_{{ zone_name }} { @@ -38,7 +38,7 @@ table ip filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endif %} {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% endif %} {% endfor %} 
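Review bot: Dropping the `else 'drop'` fallback turns a fail-closed template into one that depends entirely on the Python side having merged the default: if `zone_conf.default_action` is ever undefined, Jinja2's default Undefined renders as an empty string and the chain's terminal rule becomes a bare `counter` with no verdict, so traffic falls through to the chain policy instead of being dropped (whether vyos.template renders with StrictUndefined is not visible here). The merge in zone_policy.py covers every zone iterated by this template, so the change is correct today, but the safety margin is gone. Consider keeping the rendering defensive with `counter {{ zone_conf.default_action | default('drop') }}`, or rendering through StrictUndefined so a missing key fails the commit rather than opening the zone. The same applies to all three VZONE chain hunks in this file section and the ip6 ones in the next.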
@@ -53,7 +53,7 @@ table ip6 filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } chain VZONE6_{{ zone_name }}_OUT { oifname lo counter return @@ -61,7 +61,7 @@ table ip6 filter { oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% else %} chain VZONE6_{{ zone_name }} { @@ -75,7 +75,7 @@ table ip6 filter { iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endif %} {% endfor %} - counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} + counter {{ zone_conf.default_action }} } {% endif %} {% endfor %} diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in index b898c3ecd..eac63fa6b 100644 --- a/interface-definitions/zone-policy.xml.in +++ b/interface-definitions/zone-policy.xml.in @@ -37,6 +37,7 @@ ^(drop|reject)$ + drop diff --git a/src/conf_mode/zone_policy.py b/src/conf_mode/zone_policy.py index 683f8f034..dc0617353 100755 --- a/src/conf_mode/zone_policy.py +++ b/src/conf_mode/zone_policy.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
@@ -20,10 +20,12 @@ from json import loads from sys import exit from vyos.config import Config +from vyos.configdict import dict_merge from vyos.template import render from vyos.util import cmd from vyos.util import dict_search_args from vyos.util import run +from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -36,12 +38,22 @@ def get_config(config=None): else: conf = Config() base = ['zone-policy'] - zone_policy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) + zone_policy = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) - if zone_policy: - zone_policy['firewall'] = conf.get_config_dict(['firewall'], key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) + zone_policy['firewall'] = conf.get_config_dict(['firewall'], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + if 'zone' in zone_policy: + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base + ['zone']) + for zone in zone_policy['zone']: + zone_policy['zone'][zone] = dict_merge(default_values, + zone_policy['zone'][zone]) return zone_policy -- cgit v1.2.3 From e1c5f629fa310251e0516ac59fb5429b9e83d7fa Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Feb 2022 22:33:16 +0100 Subject: nat: T1083: use defaultValue from XML when handling translations --- interface-definitions/include/nat-translation-options.xml.i | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i index f1539757b..925f90106 100644 --- a/interface-definitions/include/nat-translation-options.xml.i 
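Review bot: `zone_policy['firewall']` is now populated unconditionally, so get_config() returns a non-empty dict even when `zone-policy` is not configured at all; any `if not zone_policy:` early return in verify()/generate()/apply() (outside this hunk) would stop short-circuiting and the template would be rendered with no `zone` key. The removed `if zone_policy:` guard was what kept the unconfigured case empty. Either restore that guard around the firewall lookup or make sure the later stages key on `'zone' in zone_policy` rather than dict truthiness. The default merge is fine provided dict_merge lets the CLI value win over `default_values`, which is how it appears to be used elsewhere but is not visible here.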
+++ b/interface-definitions/include/nat-translation-options.xml.i @@ -22,7 +22,8 @@ ^(persistent|random)$ - + random + Port mapping options @@ -45,7 +46,8 @@ ^(random|fully-random|none)$ - + none + -- cgit v1.2.3 From 291558023bbd1bdbef6e00c4eec173cf5c9575d8 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 26 Feb 2022 16:30:10 +0100 Subject: lldp: T4272: migrate to get_config_dict() --- data/templates/lldp/lldpd.tmpl | 3 +- data/templates/lldp/vyos.conf.tmpl | 35 +++--- interface-definitions/lldp.xml.in | 22 ++-- src/conf_mode/lldp.py | 235 ++++++++++--------------------------- 4 files changed, 94 insertions(+), 201 deletions(-) (limited to 'interface-definitions') diff --git a/data/templates/lldp/lldpd.tmpl b/data/templates/lldp/lldpd.tmpl index 3db955b48..819e70c84 100644 --- a/data/templates/lldp/lldpd.tmpl +++ b/data/templates/lldp/lldpd.tmpl @@ -1,3 +1,2 @@ ### Autogenerated by lldp.py ### -DAEMON_ARGS="-M 4{% if options.snmp %} -x{% endif %}{% if options.cdp %} -c{% endif %}{% if options.edp %} -e{% endif %}{% if options.fdp %} -f{% endif %}{% if options.sonmp %} -s{% endif %}" - +DAEMON_ARGS="-M 4{% if snmp is defined and snmp.enable is defined %} -x{% endif %}{% if legacy_protocols is defined and legacy_protocols.cdp is defined %} -c{% endif %}{% if legacy_protocols is defined and legacy_protocols.edp is defined %} -e{% endif %}{% if legacy_protocols is defined and legacy_protocols.fdp is defined %} -f{% endif %}{% if legacy_protocols is defined and legacy_protocols.sonmp is defined %} -s{% endif %}" diff --git a/data/templates/lldp/vyos.conf.tmpl b/data/templates/lldp/vyos.conf.tmpl index 07bbaf604..592dcf61f 100644 --- a/data/templates/lldp/vyos.conf.tmpl +++ b/data/templates/lldp/vyos.conf.tmpl 
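Review bot: Adding `random` (address-mapping) and `none` (port-mapping) as XML defaults changes what the NAT script receives when the operator set nothing: if the conf script merges defaults the way zone_policy.py now does, every translation rule carries an explicit value and the rendered nftables option may change from the kernel's implicit behaviour to an explicit `random` flag. Confirm these two values are exactly what the NAT renderer produced for an unset node before this commit, and record that with an XML comment on each defaultValue, e.g. `<!-- matches previous implicit behaviour -->`. Separately, `none` keeps source-port allocation predictable, which is generally the weaker choice against off-path attacks; that is a policy decision for its own change, but the default should be a conscious one.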
@@ -1,20 +1,25 @@ ### Autogenerated by lldp.py ### configure system platform VyOS -configure system description "VyOS {{ options.description }}" -{% if options.listen_on %} -configure system interface pattern "{{ ( options.listen_on | select('equalto','all') | map('replace','all','*') | list + options.listen_on | select('equalto','!all') | map('replace','!all','!*') | list + options.listen_on | reject('equalto','all') | reject('equalto','!all') | list ) | unique | join(",") }}" +configure system description "VyOS {{ version }}" +{% if interface is defined and interface is not none %} +{% set tmp = [] %} +{% for iface, iface_options in interface.items() if not iface_options.disable %} +{% if iface == 'all' %} +{% set iface = '*' %} +{% endif %} +{% set _ = tmp.append(iface) %} +{% if iface_options.location is defined and iface_options.location is not none %} +{% if iface_options.location.elin is defined and iface_options.location.elin is not none %} +configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}" +{% endif %} +{% if iface_options.location is defined and iface_options.location.coordinate_based is not none and iface_options.location.coordinate_based is not none %} +configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}" +{% endif %} +{% endif %} +{% endfor %} +configure system interface pattern "{{ tmp | join(",") }}" {% endif %} -{% if options.mgmt_addr %} -configure system ip management pattern {{ options.mgmt_addr | join(",") }} +{% if management_address is defined and management_address is not none %} +configure system ip management pattern {{ management_address | join(",") }} {% endif %} -{% for loc in location %} -{% if loc.elin %} -configure ports {{ loc.name }} med location 
elin "{{ loc.elin }}" -{% endif %} -{% if loc.coordinate_based %} -configure ports {{ loc.name }} med location coordinate {% if loc.coordinate_based.latitude %}latitude {{ loc.coordinate_based.latitude }}{% endif %} {% if loc.coordinate_based.longitude %}longitude {{ loc.coordinate_based.longitude }}{% endif %} {% if loc.coordinate_based.altitude %}altitude {{ loc.coordinate_based.altitude }} m{% endif %} {% if loc.coordinate_based.datum %}datum {{ loc.coordinate_based.datum }}{% endif %} -{% endif %} - - -{% endfor %} diff --git a/interface-definitions/lldp.xml.in b/interface-definitions/lldp.xml.in index 32ef0ad14..b9ffe234c 100644 --- a/interface-definitions/lldp.xml.in +++ b/interface-definitions/lldp.xml.in @@ -28,7 +28,7 @@ #include - LLDP-MED location data [REQUIRED] + LLDP-MED location data @@ -39,6 +39,10 @@ Altitude in meters + + 0 + No altitude + [+-]<meters> Altitude in meters @@ -48,13 +52,14 @@ + 0 Coordinate datum type WGS84 - WGS84 (default) + WGS84 NAD83 @@ -69,33 +74,34 @@ Datum should be WGS84, NAD83, or MLLW - ^(WGS84|NAD83|MLLW)$ + (WGS84|NAD83|MLLW) + WGS84 - Latitude [REQUIRED] + Latitude <latitude> Latitude (example "37.524449N") Latitude should be a number followed by S or N - (\d+)(\.\d+)?[nNsS]$ + (\d+)(\.\d+)?[nNsS] - Longitude [REQUIRED] + Longitude <longitude> Longitude (example "122.267255W") Longiture should be a number followed by E or W - (\d+)(\.\d+)?[eEwW]$ + (\d+)(\.\d+)?[eEwW] @@ -109,7 +115,7 @@ Emergency Call Service ELIN number (between 10-25 numbers) - [0-9]{10,25}$ + [0-9]{10,25} ELIN number must be between 10-25 numbers diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py index 082c3e128..db8328259 100755 --- a/src/conf_mode/lldp.py +++ b/src/conf_mode/lldp.py 
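Review bot: The coordinate-based guard in vyos.conf.tmpl tests `iface_options.location.coordinate_based is not none` twice and never checks that it is defined; for an interface whose `location` holds only `elin`, `coordinate_based` is a Jinja Undefined, `Undefined is not none` is true, and a `configure ports ... med location coordinate` line is emitted with empty latitude/longitude (or the render fails under StrictUndefined). Change it to `{% if iface_options.location.coordinate_based is defined and iface_options.location.coordinate_based is not none %}`, the same `is defined and is not none` pattern the `elin` branch two lines above uses.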
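Review bot: The `@@ -69,33 +74,34 @@` and `@@ -109,7 +115,7 @@` hunks of lldp.xml.in drop the `^`/`$` anchors from the datum, latitude, longitude and ELIN regexes. If the regex validator does not anchor implicitly, `[0-9]{10,25}` now accepts any string containing ten digits, and these values are written verbatim into lldpd's configuration as quoted arguments (`med location elin "..."`) by the template in this same commit, so a value containing `"` or a newline could alter the generated lldpd command. Confirm the validator wraps the pattern as a full match; if it does not, restore `^(...)$` on all four patterns. Note the latitude/longitude patterns previously carried only a trailing `$`, so they were already partially unanchored.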
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2017-2020 VyOS maintainers and contributors +# Copyright (C) 2017-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -15,19 +15,19 @@ # along with this program. If not, see . import os -import re -from copy import deepcopy from sys import exit from vyos.config import Config +from vyos.configdict import dict_merge from vyos.validate import is_addr_assigned from vyos.validate import is_loopback_addr from vyos.version import get_version_data -from vyos import ConfigError from vyos.util import call +from vyos.util import dict_search +from vyos.xml import defaults from vyos.template import render - +from vyos import ConfigError from vyos import airbag airbag.enable() 
@@ -35,178 +35,73 @@ config_file = "/etc/default/lldpd" vyos_config_file = "/etc/lldpd.d/01-vyos.conf" base = ['service', 'lldp'] -default_config_data = { - "options": '', - "interface_list": '', - "location": '' -} - -def get_options(config): - options = {} - config.set_level(base) - - options['listen_vlan'] = config.exists('listen-vlan') - options['mgmt_addr'] = [] - for addr in config.return_values('management-address'): - if is_addr_assigned(addr) and not is_loopback_addr(addr): - options['mgmt_addr'].append(addr) - else: - message = 'WARNING: LLDP management address {0} invalid - '.format(addr) - if is_loopback_addr(addr): - message += '(loopback address).' - else: - message += 'address not found.' - print(message) - - snmp = config.exists('snmp enable') - options["snmp"] = snmp - if snmp: - config.set_level('') - options["sys_snmp"] = config.exists('service snmp') - config.set_level(base) - - config.set_level(base + ['legacy-protocols']) - options['cdp'] = config.exists('cdp') - options['edp'] = config.exists('edp') - options['fdp'] = config.exists('fdp') - options['sonmp'] = config.exists('sonmp') - - # start with an unknown version information - version_data = get_version_data() - options['description'] = version_data['version'] - options['listen_on'] = [] - - return options - -def get_interface_list(config): - config.set_level(base) - intfs_names = config.list_nodes(['interface']) - if len(intfs_names) < 0: - return 0 - - interface_list = [] - for name in intfs_names: - config.set_level(base + ['interface', name]) - disable = config.exists(['disable']) - intf = { - 'name': name, - 'disable': disable - } - interface_list.append(intf) - return interface_list - - -def get_location_intf(config, name): - path = base + ['interface', name] - config.set_level(path) - - config.set_level(path + ['location']) - elin = '' - coordinate_based = {} - - if config.exists('elin'): - elin = config.return_value('elin') - - if config.exists('coordinate-based'): - 
config.set_level(path + ['location', 'coordinate-based']) - - coordinate_based['latitude'] = config.return_value(['latitude']) - coordinate_based['longitude'] = config.return_value(['longitude']) - - coordinate_based['altitude'] = '0' - if config.exists(['altitude']): - coordinate_based['altitude'] = config.return_value(['altitude']) - - coordinate_based['datum'] = 'WGS84' - if config.exists(['datum']): - coordinate_based['datum'] = config.return_value(['datum']) - - intf = { - 'name': name, - 'elin': elin, - 'coordinate_based': coordinate_based - - } - return intf - - -def get_location(config): - config.set_level(base) - intfs_names = config.list_nodes(['interface']) - if len(intfs_names) < 0: - return 0 - - if config.exists('disable'): - return 0 - - intfs_location = [] - for name in intfs_names: - intf = get_location_intf(config, name) - intfs_location.append(intf) - - return intfs_location - - def get_config(config=None): - lldp = deepcopy(default_config_data) if config: conf = config else: conf = Config() + if not conf.exists(base): - return None - else: - lldp['options'] = get_options(conf) - lldp['interface_list'] = get_interface_list(conf) - lldp['location'] = get_location(conf) + return {} - return lldp + lldp = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + if conf.exists(['service', 'snmp']): + lldp['system_snmp_enabled'] = '' + + version_data = get_version_data() + lldp['version'] = version_data['version'] + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. 
+ # location coordinates have a default value + if 'interface' in lldp: + for interface, interface_config in lldp['interface'].items(): + default_values = defaults(base + ['interface']) + if dict_search('location.coordinate_based', interface_config) == None: + # no location specified - no need to add defaults + del default_values['location']['coordinate_based']['datum'] + del default_values['location']['coordinate_based']['altitude'] + + # cleanup default_values dictionary from inner to outer + # this might feel overkill here, but it does support easy extension + # in the future with additional default values + if len(default_values['location']['coordinate_based']) == 0: + del default_values['location']['coordinate_based'] + if len(default_values['location']) == 0: + del default_values['location'] + + lldp['interface'][interface] = dict_merge(default_values, + lldp['interface'][interface]) + + return lldp def verify(lldp): # bail out early - looks like removal from running config if lldp is None: return - # check location - for location in lldp['location']: - # check coordinate-based - if len(location['coordinate_based']) > 0: - # check longitude and latitude - if not location['coordinate_based']['longitude']: - raise ConfigError('Must define longitude for interface {0}'.format(location['name'])) - - if not location['coordinate_based']['latitude']: - raise ConfigError('Must define latitude for interface {0}'.format(location['name'])) - - if not re.match(r'^(\d+)(\.\d+)?[nNsS]$', location['coordinate_based']['latitude']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'latitude should be a number followed by S or N'.format(location['name'])) - - if not re.match(r'^(\d+)(\.\d+)?[eEwW]$', location['coordinate_based']['longitude']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'longitude should be a number followed by E or W'.format(location['name'])) - - # check altitude and datum if exist - if 
location['coordinate_based']['altitude']: - if not re.match(r'^[-+0-9\.]+$', location['coordinate_based']['altitude']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'altitude should be a positive or negative number'.format(location['name'])) - - if location['coordinate_based']['datum']: - if not re.match(r'^(WGS84|NAD83|MLLW)$', location['coordinate_based']['datum']): - raise ConfigError("Invalid location for interface {0}:\n' \ - 'datum should be WGS84, NAD83, or MLLW".format(location['name'])) - - # check elin - elif location['elin']: - if not re.match(r'^[0-9]{10,25}$', location['elin']): - raise ConfigError('Invalid location for interface {0}:\n' \ - 'ELIN number must be between 10-25 numbers'.format(location['name'])) + if 'management_address' in lldp: + for address in lldp['management_address']: + message = f'WARNING: LLDP management address "{address}" is invalid' + if is_loopback_addr(address): + print(f'{message} - loopback address') + elif not is_addr_assigned(address): + print(f'{message} - not assigned to any interface') + + if 'interface' in lldp: + for interface, interface_config in lldp['interface'].items(): + # bail out early if no location info present in interface config + if 'location' not in interface_config: + continue + if 'coordinate_based' in interface_config['location']: + if not {'latitude', 'latitude'} <= set(interface_config['location']['coordinate_based']): + raise ConfigError(f'Must define both longitude and latitude for "{interface}" location!') # check options - if lldp['options']['snmp']: - if not lldp['options']['sys_snmp']: + if 'snmp' in lldp and 'enable' in lldp['snmp']: + if 'system_snmp_enabled' not in lldp: raise ConfigError('SNMP must be configured to enable LLDP SNMP') 
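Review bot: The coordinate check in verify() compares against `{'latitude', 'latitude'}`, so a location that has latitude but no longitude passes even though the error text says both are required; it should read `if not {'latitude', 'longitude'} <= set(interface_config['location']['coordinate_based']):`. In get_config() the comparison `dict_search('location.coordinate_based', interface_config) == None` should be `is None`. The hunk also drops the former regex checks on latitude, longitude, altitude, datum and ELIN, so validation of those values now rests entirely on the constraints in lldp.xml.in changed by the same commit; worth a one-line comment saying so where the checks used to be. verify() appears to continue past the end of the hunk.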
@@ -215,29 +110,17 @@ def generate(lldp): if lldp is None: return - # generate listen on interfaces - for intf in lldp['interface_list']: - tmp = '' - # add exclamation mark if interface is disabled - if intf['disable']: - tmp = '!' - - tmp += intf['name'] - lldp['options']['listen_on'].append(tmp) - - # generate /etc/default/lldpd render(config_file, 'lldp/lldpd.tmpl', lldp) - # generate /etc/lldpd.d/01-vyos.conf render(vyos_config_file, 'lldp/vyos.conf.tmpl', lldp) - def apply(lldp): + systemd_service = 'lldpd.service' if lldp: # start/restart lldp service - call('systemctl restart lldpd.service') + call(f'systemctl restart {systemd_service}') else: # LLDP service has been terminated - call('systemctl stop lldpd.service') + call(f'systemctl stop {systemd_service}') if os.path.isfile(config_file): os.unlink(config_file) if os.path.isfile(vyos_config_file): -- cgit v1.2.3 From 61fa1c95164e4222e79b078b1a796f41397e0ee3 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 28 Feb 2022 14:28:55 +0100 Subject: ssh: T4273: bugfix cipher and key-exchange multi nodes After hardning the regex validator to be preceeded with ^ and ending with $ it was no longer possible to have a comma separated list as SSH ciphers. The migrations cript is altered to migrate the previous comma separated list to individual multi node entries - cipher and key-exchange always had been multinodes - so this just re-arranges some values and does not break CLI compatibility --- interface-definitions/ssh.xml.in | 8 ++-- smoketest/configs/basic-vyos | 88 ++++++++++++++++++++++++++++++++++++++++ src/migration-scripts/ssh/1-to-2 | 50 +++++++++++++++++------ 3 files changed, 130 insertions(+), 16 deletions(-) create mode 100644 smoketest/configs/basic-vyos (limited to 'interface-definitions') diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 187e5f8e8..8edbad110 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in 
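Review bot: generate() still bails out on `if lldp is None: return`, but get_config() in this commit now returns `{}` when the service is absent, so on removal both templates are rendered from an empty dict only to be unlinked again by apply(); the guard should become `if not lldp: return` (verify() carries the same `is None` guard). apply() discards the return value of `call(...)`, so a failed `systemctl restart` is not surfaced to the commit; checking the return code, or using the raising `cmd` helper from vyos.util used elsewhere in this tree, would make a broken restart visible.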
@@ -44,7 +44,7 @@ 3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com - ^(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com)$ + (3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com) @@ -70,7 +70,7 @@ - ^(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org)$ + (diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org) @@ -102,7 +102,7 @@ enable logging of failed login attempts - ^(quiet|fatal|error|info|verbose)$ + (quiet|fatal|error|info|verbose) info 
@@ -115,7 +115,7 @@ hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com - ^(hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com)$ + (hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com) diff --git a/smoketest/configs/basic-vyos b/smoketest/configs/basic-vyos new file mode 100644 index 000000000..493feed5b --- /dev/null +++ b/smoketest/configs/basic-vyos 
@@ -0,0 +1,88 @@ +interfaces { + ethernet eth0 { + address 192.168.0.1/24 + duplex auto + smp-affinity auto + speed auto + } + ethernet eth1 { + address 100.64.0.0/31 + duplex auto + smp-affinity auto + speed auto + } + loopback lo { + } +} +protocols { + static { + route 0.0.0.0/0 { + next-hop 100.64.0.1 { + } + } + } +} +service { + dhcp-server { + shared-network-name LAN { + authoritative + subnet 192.168.0.0/24 { + default-router 192.168.0.1 + dns-server 192.168.0.1 + domain-name vyos.net + domain-search vyos.net + range LANDynamic { + start 192.168.0.20 + stop 192.168.0.240 + } + } + } + } + dns { + forwarding { + allow-from 192.168.0.0/16 + cache-size 10000 + dnssec off + listen-address 192.168.0.1 + } + } + ssh { + ciphers aes128-ctr,aes192-ctr,aes256-ctr + ciphers chacha20-poly1305@openssh.com,rijndael-cbc@lysator.liu.se + listen-address 192.168.0.1 + key-exchange curve25519-sha256@libssh.org + key-exchange diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256 + port 22 + } +} +system { + config-management { + commit-revisions 100 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0 + plaintext-password "" + } + } + } + name-server 192.168.0.1 + syslog { + global { + facility all { + level info + } + } + } + time-zone Europe/Berlin +} +/* Warning: Do not remove the following line. */ +/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */ +/* Release version: 1.2.6 */ 
diff --git a/src/migration-scripts/ssh/1-to-2 b/src/migration-scripts/ssh/1-to-2 index bc8815753..31c40df16 100755 --- a/src/migration-scripts/ssh/1-to-2 +++ b/src/migration-scripts/ssh/1-to-2 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020 VyOS maintainers and contributors +# Copyright (C) 2020-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
@@ -30,26 +30,52 @@ file_name = argv[1] with open(file_name, 'r') as f: config_file = f.read() -base = ['service', 'ssh', 'loglevel'] +base = ['service', 'ssh'] config = ConfigTree(config_file) if not config.exists(base): # Nothing to do exit(0) -else: - # red in configured loglevel and convert it to lower case - tmp = config.return_value(base).lower() +path_loglevel = base + ['loglevel'] +if config.exists(path_loglevel): + # red in configured loglevel and convert it to lower case + tmp = config.return_value(path_loglevel).lower() # VyOS 1.2 had no proper value validation on the CLI thus the # user could use any arbitrary values - sanitize them if tmp not in ['quiet', 'fatal', 'error', 'info', 'verbose']: tmp = 'info' + config.set(path_loglevel, value=tmp) + +# T4273: migrate ssh cipher list to multi node +path_ciphers = base + ['ciphers'] +if config.exists(path_ciphers): + tmp = [] + # get curtrent cipher list - comma delimited + for cipher in config.return_values(path_ciphers): + tmp.extend(cipher.split(',')) + # delete old cipher suite representation + config.delete(path_ciphers) - config.set(base, value=tmp) + for cipher in tmp: + config.set(path_ciphers, value=cipher, replace=False) - try: - with open(file_name, 'w') as f: - f.write(config.to_string()) - except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) +# T4273: migrate ssh key-exchange list to multi node +path_kex = base + ['key-exchange'] +if config.exists(path_kex): + tmp = [] + # get curtrent cipher list - comma delimited + for kex in config.return_values(path_kex): + tmp.extend(kex.split(',')) + # delete old cipher suite representation + config.delete(path_kex) + + for kex in tmp: + config.set(path_kex, value=kex, replace=False) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) -- cgit v1.2.3 
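Review bot: The cipher and key-exchange migration keeps whatever `split(',')` yields, so a legacy value such as `aes128-ctr, aes192-ctr` or one with a trailing comma produces entries with leading whitespace or an empty string, which the now-anchored regex validator will reject; strip and skip empties, e.g. `tmp.extend(c.strip() for c in cipher.split(',') if c.strip())`, and the same for kex. Values repeated across several legacy lines are re-added one by one with `replace=False`, so deduplicating `tmp` while keeping order (`tmp = list(dict.fromkeys(tmp))`) avoids duplicate multi-node entries, assuming ConfigTree.set does not deduplicate itself. The comments under the key-exchange block were copied from the cipher block (`# get curtrent cipher list`, `# delete old cipher suite representation`) and should say key-exchange; `red in` earlier should be `read in`.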
From 257345cd152c23a465332dea4af034244007aaa7 Mon Sep 17 00:00:00 2001 From: RageLtMan Date: Mon, 28 Feb 2022 08:32:30 -0500 Subject: open-connect: T4274: extend RADIUS authentication timeout RADIUS authentication can be handled by a variety of mechanisms, including proxy for 2FA systems requiring user interaction with a separate device, token acquisition, or other time-consuming action. Given the delays required for certain 2FA implementations, a thirty second timeout can range from onerous to untenable. Accomodate the 2FA time requirements by extending the hard-coded RADIUS time limit from 30 seconds to 240. Co-authored-by: RageLtMan --- interface-definitions/vpn_openconnect.xml.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in index 3fc34bacc..f418f5d75 100644 --- a/interface-definitions/vpn_openconnect.xml.in +++ b/interface-definitions/vpn_openconnect.xml.in @@ -40,13 +40,13 @@ Session timeout - u32:1-30 - Session timeout in seconds + u32:1-240 + Session timeout in seconds (default: 2) - + - Timeout must be between 1 and 30 seconds + Timeout must be between 1 and 240 seconds 2 -- cgit v1.2.3 From a37f0db280ffc662e1b51ec2ae479ff6318b0b3c Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Mon, 28 Feb 2022 12:04:31 -0500 Subject: ipsec prefix: T4275: Incorrect val_help for local/remote prefix It accepts network as the input value but the completion help is showing ip address --- interface-definitions/vpn_ipsec.xml.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 885bac979..0ad69c637 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in 
@@ -879,11 +879,11 @@ Local IPv4 or IPv6 pool prefix exclusions - ipv4 + ipv4net Local IPv4 pool prefix exclusion - ipv6 + ipv6net Local IPv6 pool prefix exclusion -- cgit v1.2.3 From 42c011224e5aef3c27f9de6b5a74e594a404131e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 1 Mar 2022 19:09:12 +0100 Subject: flow-accounting: T4277: support sending flow-data via VRF interface It should be possible to send the gathered data via a VRF bound interface to the collector. This is somehow related to T3981 but it's the opposite side of the netflow process. set system flow-accounting vrf --- data/templates/netflow/uacctd.conf.tmpl | 74 ---------------------- data/templates/pmacct/override.conf.tmpl | 17 +++++ data/templates/pmacct/uacctd.conf.tmpl | 74 ++++++++++++++++++++++ interface-definitions/flow-accounting-conf.xml.in | 1 + .../scripts/cli/test_system_flow-accounting.py | 5 +- src/conf_mode/flow_accounting_conf.py | 14 ++-- .../systemd/system/uacctd.service.d/override.conf | 14 ---- 7 files changed, 106 insertions(+), 93 deletions(-) delete mode 100644 data/templates/netflow/uacctd.conf.tmpl create mode 100644 data/templates/pmacct/override.conf.tmpl create mode 100644 data/templates/pmacct/uacctd.conf.tmpl delete mode 100644 src/etc/systemd/system/uacctd.service.d/override.conf (limited to 'interface-definitions') diff --git a/data/templates/netflow/uacctd.conf.tmpl b/data/templates/netflow/uacctd.conf.tmpl deleted file mode 100644 index f81002dc1..000000000 --- a/data/templates/netflow/uacctd.conf.tmpl +++ /dev/null 
@@ -1,74 +0,0 @@ -# Genereated from VyOS configuration -daemonize: true -promisc: false -pidfile: /run/pmacct/uacctd.pid -uacctd_group: 2 -uacctd_nl_size: 2097152 -snaplen: {{ packet_length }} -aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows -{% set pipe_size = buffer_size | int *1024 *1024 %} -plugin_pipe_size: {{ pipe_size }} -{# We need an integer division (//) without any remainder or fraction #} -plugin_buffer_size: {{ pipe_size // 1000 }} -{% if syslog_facility is defined and syslog_facility is not none %} -syslog: {{ syslog_facility }} -{% endif %} -{% if disable_imt is not defined %} -imt_path: /tmp/uacctd.pipe -imt_mem_pools_number: 169 -{% endif %} - -{% set plugin = [] %} -{% if disable_imt is not defined %} -{% set plugin = ['memory'] %} -{% endif %} -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} -{% for server in netflow.server %} -{% set plugin = plugin.append('nfprobe[nf_' ~ server ~ ']') %} -{% endfor %} -{% endif %} -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} -{% for server in sflow.server %} -{% set plugin = plugin.append('sfprobe[sf_' ~ server ~ ']') %} -{% endfor %} -{% endif %} -plugins: {{ plugin | join(',') }} - -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} -# NetFlow servers -{% for server, server_config in netflow.server.items() %} -nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }} -nfprobe_version[nf_{{ server }}]: {{ netflow.version }} -{% if netflow.engine_id is defined and netflow.engine_id is not none %} -nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }} -{% endif %} -{% if netflow.max_flows is defined and netflow.max_flows is not none %} -nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }} -{% endif %} -{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %} 
-sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }} -{% endif %} -{% if netflow.source_address is defined and netflow.source_address is not none %} -nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }} -{% endif %} -{% if netflow.timeout is defined and netflow.timeout is not none %} -nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} -{% endif %} - -{% endfor %} -{% endif %} - -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} -# sFlow servers -{% for server, server_config in sflow.server.items() %} -sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }} -sfprobe_agentip[sf_{{ server }}]: {{ sflow.agent_address }} -{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %} -sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }} -{% endif %} -{% if sflow.source_address is defined and sflow.source_address is not none %} -sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }} -{% endif %} - -{% endfor %} -{% endif %} diff --git a/data/templates/pmacct/override.conf.tmpl b/data/templates/pmacct/override.conf.tmpl new file mode 100644 index 000000000..216927666 --- /dev/null +++ b/data/templates/pmacct/override.conf.tmpl @@ -0,0 +1,17 @@ +{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/pmacct/uacctd.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart={{vrf_command}}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf +WorkingDirectory= +WorkingDirectory=/run/pmacct +PIDFile= +PIDFile=/run/pmacct/uacctd.pid +Restart=always +RestartSec=10 
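Review bot: The `vrf` value is interpolated into the `ExecStart=` line unquoted via `{{vrf_command}}`; systemd splits ExecStart on whitespace, so this is only safe if the CLI constraint on the included vrf node rejects names containing spaces or quoting characters — presumably the standard VRF-name validator, but worth confirming. The spacing `{{vrf_command}}` also differs from the `{{ ... }}` form used in the sibling uacctd.conf.tmpl; a short comment such as `{# run the collector inside the configured VRF so export traffic leaves via that VRF #}` above the `set` would explain the wrapper.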
diff --git a/data/templates/pmacct/uacctd.conf.tmpl b/data/templates/pmacct/uacctd.conf.tmpl new file mode 100644 index 000000000..b58f7c796 --- /dev/null +++ b/data/templates/pmacct/uacctd.conf.tmpl 
@@ -0,0 +1,74 @@ +# Genereated from VyOS configuration +daemonize: true +promisc: false +pidfile: /run/pmacct/uacctd.pid +uacctd_group: 2 +uacctd_nl_size: 2097152 +snaplen: {{ packet_length }} +aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows +{% set pipe_size = buffer_size | int *1024 *1024 %} +plugin_pipe_size: {{ pipe_size }} +{# We need an integer division (//) without any remainder or fraction #} +plugin_buffer_size: {{ pipe_size // 1000 }} +{% if syslog_facility is defined and syslog_facility is not none %} +syslog: {{ syslog_facility }} +{% endif %} +{% if disable_imt is not defined %} +imt_path: /tmp/uacctd.pipe +imt_mem_pools_number: 169 +{% endif %} + +{% set plugin = [] %} +{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +{% for server in netflow.server %} +{% set _ = plugin.append('nfprobe[nf_' ~ server ~ ']') %} +{% endfor %} +{% endif %} +{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +{% for server in sflow.server %} +{% set _ = plugin.append('sfprobe[sf_' ~ server ~ ']') %} +{% endfor %} +{% endif %} +{% if disable_imt is not defined %} +{% set _ = plugin.append('memory') %} +{% endif %} +plugins: {{ plugin | join(',') }} + +{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +# NetFlow servers +{% for server, server_config in netflow.server.items() %} +nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }} +nfprobe_version[nf_{{ server }}]: {{ netflow.version }} +{% if netflow.engine_id is defined and netflow.engine_id is not none %} +nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }} +{% endif %} +{% if netflow.max_flows is defined and netflow.max_flows is not none %} +nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }} +{% endif %} +{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %} 
+sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }} +{% endif %} +{% if netflow.source_address is defined and netflow.source_address is not none %} +nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }} +{% endif %} +{% if netflow.timeout is defined and netflow.timeout is not none %} +nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} +{% endif %} + +{% endfor %} +{% endif %} + +{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +# sFlow servers +{% for server, server_config in sflow.server.items() %} +sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }} +sfprobe_agentip[sf_{{ server }}]: {{ sflow.agent_address }} +{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %} +sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }} +{% endif %} +{% if sflow.source_address is defined and sflow.source_address is not none %} +sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }} +{% endif %} + +{% endfor %} +{% endif %} diff --git a/interface-definitions/flow-accounting-conf.xml.in b/interface-definitions/flow-accounting-conf.xml.in index 05cf5e170..133e45c72 100644 --- a/interface-definitions/flow-accounting-conf.xml.in +++ b/interface-definitions/flow-accounting-conf.xml.in @@ -431,6 +431,7 @@ #include + #include diff --git a/smoketest/scripts/cli/test_system_flow-accounting.py b/smoketest/scripts/cli/test_system_flow-accounting.py index 857df1be6..84f17bcb0 100755 --- a/smoketest/scripts/cli/test_system_flow-accounting.py +++ b/smoketest/scripts/cli/test_system_flow-accounting.py 
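Review bot: The generated file header reads `# Genereated from VyOS configuration`, carried over from the deleted template; since this is a new file, fix it to `# Generated from VyOS configuration`. `imt_path: /tmp/uacctd.pipe` keeps the daemon's IMT endpoint in world-writable /tmp while every other runtime artefact of this unit (pidfile, config, WorkingDirectory in override.conf.tmpl) lives under /run/pmacct; unless pmacct requires /tmp, `imt_path: /run/pmacct/uacctd.pipe` avoids a shared-tmp path that another local user could pre-create. Ordering `memory` after the probe plugins is a behaviour change that the smoketest in this commit depends on, so a comment like `{# memory plugin must come last - the smoketest checks this order #}` would stop a later reordering.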
@@ -39,6 +39,9 @@ class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): cls.cli_delete(cls, base_path) def tearDown(self): + # after service removal process must no longer run + self.assertTrue(process_named_running(PROCESS_NAME)) + self.cli_delete(base_path) self.cli_commit() @@ -213,9 +216,9 @@ class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): uacctd = read_file(uacctd_conf) tmp = [] - tmp.append('memory') for server, server_config in netflow_server.items(): tmp.append(f'nfprobe[nf_{server}]') + tmp.append('memory') self.assertIn('plugins: ' + ','.join(tmp), uacctd) for server, server_config in netflow_server.items(): diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index 975f19acf..25bf54790 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2021 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -27,6 +27,7 @@ from vyos.configdict import dict_merge from vyos.ifconfig import Section from vyos.ifconfig import Interface from vyos.template import render +from vyos.util import call from vyos.util import cmd from vyos.validate import is_addr_assigned from vyos.xml import defaults @@ -35,6 +36,8 @@ from vyos import airbag airbag.enable() uacctd_conf_path = '/run/pmacct/uacctd.conf' +systemd_service = 'uacctd.service' +systemd_override = f'/etc/systemd/system/{systemd_service}.d/override.conf' nftables_nflog_table = 'raw' nftables_nflog_chain = 'VYOS_CT_PREROUTING_HOOK' egress_nftables_nflog_table = 'inet mangle' 
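Review bot: The new tearDown assertion `self.assertTrue(process_named_running(PROCESS_NAME))` runs before `self.cli_delete(base_path)` and `self.cli_commit()` and asserts the process is running, while its comment says the process must no longer run after removal; either the comment is wrong or the check belongs after the commit as `self.assertFalse(process_named_running(PROCESS_NAME))`. As written it also turns every test that ends with the service stopped into a tearDown failure. The enclosing class starts outside the hunk.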
@@ -236,7 +239,10 @@ def generate(flow_config): if not flow_config: return None - render(uacctd_conf_path, 'netflow/uacctd.conf.tmpl', flow_config) + render(uacctd_conf_path, 'pmacct/uacctd.conf.tmpl', flow_config) + render(systemd_override, 'pmacct/override.conf.tmpl', flow_config) + # Reload systemd manager configuration + call('systemctl daemon-reload') def apply(flow_config): action = 'restart' @@ -246,13 +252,13 @@ def apply(flow_config): _nftables_config([], 'egress') # Stop flow-accounting daemon and remove configuration file - cmd('systemctl stop uacctd.service') + call(f'systemctl stop {systemd_service}') if os.path.exists(uacctd_conf_path): os.unlink(uacctd_conf_path) return # Start/reload flow-accounting daemon - cmd(f'systemctl restart uacctd.service') + call(f'systemctl restart {systemd_service}') # configure nftables rules for defined interfaces if 'interface' in flow_config: diff --git a/src/etc/systemd/system/uacctd.service.d/override.conf b/src/etc/systemd/system/uacctd.service.d/override.conf deleted file mode 100644 index 38bcce515..000000000 --- a/src/etc/systemd/system/uacctd.service.d/override.conf +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -After= -After=vyos-router.service -ConditionPathExists= -ConditionPathExists=/run/pmacct/uacctd.conf - -[Service] -EnvironmentFile= -ExecStart= -ExecStart=/usr/sbin/uacctd -f /run/pmacct/uacctd.conf -WorkingDirectory= -WorkingDirectory=/run/pmacct -PIDFile= -PIDFile=/run/pmacct/uacctd.pid -- cgit v1.2.3 From 9d2fa6f85847bbb59af42809c50e4547542e4845 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 3 Mar 2022 19:10:07 +0100 Subject: static: T4283: fix help string for route/route6 --- interface-definitions/include/static/static-route.xml.i | 2 +- interface-definitions/include/static/static-route6.xml.i | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'interface-definitions') 
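Review bot: The new `call('systemctl daemon-reload')` in generate() discards the exit status, so a failed reload (for instance after a bad override.conf was just rendered to `systemd_override`) does not abort the commit; the same downgrade happens in the apply() hunk below, where `systemctl restart` moves from `cmd()` to `call()`. If `call()` returns the exit code rather than raising, as its name suggests, keep `cmd()` (still imported a few lines above) for the operations that must succeed, e.g. `cmd('systemctl daemon-reload')` and `cmd(f'systemctl restart {systemd_service}')`, and leave the `stop` as best-effort `call()` since the unit may not be active. Both generate() and apply() continue outside the hunks.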
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i index 21babc015..903915066 100644 --- a/interface-definitions/include/static/static-route.xml.i +++ b/interface-definitions/include/static/static-route.xml.i @@ -1,7 +1,7 @@ - VRF static IPv4 route + Static IPv4 route ipv4net IPv4 static route diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i index 0ea995588..e705c45fa 100644 --- a/interface-definitions/include/static/static-route6.xml.i +++ b/interface-definitions/include/static/static-route6.xml.i @@ -1,7 +1,7 @@ - VRF static IPv6 route + Static IPv6 route ipv6net IPv6 static route -- cgit v1.2.3 From e3f86ce0d65fe8fe0c5eebebdfd3ab3723e2e539 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 3 Mar 2022 19:10:38 +0100 Subject: static: T4283: create re-usable XML interface definitions for blackhole --- .../include/static/static-route-blackhole.xml.i | 3 ++- .../include/static/static-route-tag.xml.i | 14 ++++++++++++++ .../include/static/static-route.xml.i | 21 +-------------------- .../include/static/static-route6.xml.i | 21 +-------------------- 4 files changed, 18 insertions(+), 41 deletions(-) create mode 100644 interface-definitions/include/static/static-route-tag.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/static/static-route-blackhole.xml.i b/interface-definitions/include/static/static-route-blackhole.xml.i index f2ad23e69..487f775f5 100644 --- a/interface-definitions/include/static/static-route-blackhole.xml.i +++ b/interface-definitions/include/static/static-route-blackhole.xml.i @@ -1,10 +1,11 @@ - Silently discard packets when matched + Silently discard pkts when matched #include + #include 
diff --git a/interface-definitions/include/static/static-route-tag.xml.i b/interface-definitions/include/static/static-route-tag.xml.i new file mode 100644 index 000000000..24bfa732e --- /dev/null +++ b/interface-definitions/include/static/static-route-tag.xml.i @@ -0,0 +1,14 @@ + + + + Tag value for this route + + u32:1-4294967295 + Tag value for this route + + + + + + + diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i index 903915066..8433703a5 100644 --- a/interface-definitions/include/static/static-route.xml.i +++ b/interface-definitions/include/static/static-route.xml.i @@ -11,26 +11,7 @@ - - - Silently discard pkts when matched - - - #include - - - Tag value for this route - - u32:1-4294967295 - Tag value for this route - - - - - - - - + #include #include diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i index e705c45fa..124b2b062 100644 --- a/interface-definitions/include/static/static-route6.xml.i +++ b/interface-definitions/include/static/static-route6.xml.i @@ -11,26 +11,7 @@ - - - Silently discard pkts when matched - - - #include - - - Tag value for this route - - u32:1-4294967295 - Tag value for this route - - - - - - - - + #include IPv6 gateway interface name -- cgit v1.2.3 From bb78f3a9ad28f62896a536719783011794deb64c Mon Sep 17 00:00:00 2001 
From: Christian Poessinger Date: Thu, 3 Mar 2022 20:23:09 +0100 Subject: static: T4283: support "reject" routes - emit an ICMP unreachable when matched --- data/templates/frr/static_routes_macro.j2 | 3 ++ .../include/static/static-route-reject.xml.i | 12 +++++ .../include/static/static-route.xml.i | 1 + .../include/static/static-route6.xml.i | 1 + smoketest/scripts/cli/test_protocols_static.py | 57 +++++++++++++++++++--- src/conf_mode/protocols_static.py | 4 ++ 6 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 interface-definitions/include/static/static-route-reject.xml.i (limited to 'interface-definitions') diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2 index 86c7470ca..8359357b7 100644 --- a/data/templates/frr/static_routes_macro.j2 +++ b/data/templates/frr/static_routes_macro.j2 @@ -2,6 +2,9 @@ {% if prefix_config.blackhole is defined %} {{ ip_ipv6 }} route {{ prefix }} blackhole {{ prefix_config.blackhole.distance if prefix_config.blackhole.distance is defined }} {{ 'tag ' + prefix_config.blackhole.tag if prefix_config.blackhole.tag is defined }} {{ 'table ' + table if table is defined and table is not none }} {% endif %} +{% if prefix_config.reject is defined %} +{{ ip_ipv6 }} route {{ prefix }} reject {{ prefix_config.reject.distance if prefix_config.reject.distance is defined }} {{ 'tag ' + prefix_config.reject.tag if prefix_config.reject.tag is defined }} {{ 'table ' + table if table is defined and table is not none }} +{% endif %} {% if prefix_config.dhcp_interface is defined and prefix_config.dhcp_interface is not none %} {% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %} {% if next_hop is defined and next_hop is not none %} diff --git a/interface-definitions/include/static/static-route-reject.xml.i b/interface-definitions/include/static/static-route-reject.xml.i new file mode 100644 index 000000000..81d4f9afd --- /dev/null 
+++ b/interface-definitions/include/static/static-route-reject.xml.i @@ -0,0 +1,12 @@ + + + + Emit an ICMP unreachable when matched + + + #include + #include + + + + diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i index 8433703a5..2de5dc58f 100644 --- a/interface-definitions/include/static/static-route.xml.i +++ b/interface-definitions/include/static/static-route.xml.i @@ -12,6 +12,7 @@ #include + #include #include diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i index 124b2b062..35feef41c 100644 --- a/interface-definitions/include/static/static-route6.xml.i +++ b/interface-definitions/include/static/static-route6.xml.i @@ -12,6 +12,7 @@ #include + #include IPv6 gateway interface name diff --git a/smoketest/scripts/cli/test_protocols_static.py b/smoketest/scripts/cli/test_protocols_static.py index 4c4eb5a7c..3ef9c76d8 100755 --- a/smoketest/scripts/cli/test_protocols_static.py +++ b/smoketest/scripts/cli/test_protocols_static.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -52,9 +52,16 @@ routes = { }, 'blackhole' : { 'distance' : '90' }, }, - '100.64.0.0/10' : { + '100.64.0.0/16' : { 'blackhole' : { }, }, + '100.65.0.0/16' : { + 'reject' : { 'distance' : '10', 'tag' : '200' }, + }, + '100.66.0.0/16' : { + 'blackhole' : { }, + 'reject' : { 'distance' : '10', 'tag' : '200' }, + }, '2001:db8:100::/40' : { 'next_hop' : { '2001:db8::1' : { 'distance' : '10' }, 
@@ -74,6 +81,9 @@ routes = { }, 'blackhole' : { 'distance' : '250', 'tag' : '500' }, }, + '2001:db8:300::/40' : { + 'reject' : { 'distance' : '250', 'tag' : '500' }, + }, '2001:db8::/32' : { 'blackhole' : { 'distance' : '200', 'tag' : '600' }, }, @@ -82,9 +92,15 @@ routes = { tables = ['80', '81', '82'] class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): - def setUp(self): - # This is our "target" VRF when leaking routes: - self.cli_set(['vrf', 'name', 'black', 'table', '43210']) + @classmethod + def setUpClass(cls): + super(cls, cls).setUpClass() + cls.cli_set(cls, ['vrf', 'name', 'black', 'table', '43210']) + + @classmethod + def tearDownClass(cls): + cls.cli_delete(cls, ['vrf']) + super(cls, cls).tearDownClass() def tearDown(self): for route, route_config in routes.items(): @@ -135,6 +151,20 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): if 'tag' in route_config['blackhole']: self.cli_set(base + ['blackhole', 'tag', route_config['blackhole']['tag']]) + if 'reject' in route_config: + self.cli_set(base + ['reject']) + if 'distance' in route_config['reject']: + self.cli_set(base + ['reject', 'distance', route_config['reject']['distance']]) + if 'tag' in route_config['reject']: + self.cli_set(base + ['reject', 'tag', route_config['reject']['tag']]) + + if {'blackhole', 'reject'} <= set(route_config): + # Can not use blackhole and reject at the same time + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base + ['blackhole']) + self.cli_delete(base + ['reject']) + # commit changes self.cli_commit() @@ -177,6 +207,11 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): else: self.assertIn(tmp, frrconfig) + if {'blackhole', 'reject'} <= set(route_config): + # Can not use blackhole and reject at the same time + # Config error validated above - skip this route + continue + if 'blackhole' in route_config: tmp = f'{ip_ipv6} route {route} blackhole' if 'tag' in route_config['blackhole']: 
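Review bot: The new class-level fixtures call `super(cls, cls).setUpClass()` and `super(cls, cls).tearDownClass()` in the explicit two-argument form, where the zero-argument `super().setUpClass()` / `super().tearDownClass()` is equivalent inside a classmethod and easier to read; switch to the short form. The fixture logic itself looks right: the VRF is created once before the tests and removed after all of them.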
@@ -186,6 +221,15 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): self.assertIn(tmp, frrconfig) + if 'reject' in route_config: + tmp = f'{ip_ipv6} route {route} reject' + if 'tag' in route_config['reject']: + tmp += ' tag ' + route_config['reject']['tag'] + if 'distance' in route_config['reject']: + tmp += ' ' + route_config['reject']['distance'] + + self.assertIn(tmp, frrconfig) + def test_02_static_table(self): for table in tables: for route, route_config in routes.items(): @@ -389,11 +433,8 @@ class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): self.assertIn(tmp, frrconfig) - self.cli_delete(['vrf']) - def test_04_static_zebra_route_map(self): # Implemented because of T3328 - self.debug = True route_map = 'foo-static-in' self.cli_set(['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit']) diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py index c1e427b16..f0ec48de4 100755 --- a/src/conf_mode/protocols_static.py +++ b/src/conf_mode/protocols_static.py @@ -82,6 +82,10 @@ def verify(static): for interface, interface_config in prefix_options[type].items(): verify_vrf(interface_config) + if {'blackhole', 'reject'} <= set(prefix_options): + raise ConfigError(f'Can not use both blackhole and reject for '\ + 'prefix "{prefix}"!') + return None def generate(static): -- cgit v1.2.3 From 27404f71c85187403b3ae1b73b95e6347e07ea97 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Mon, 7 Mar 2022 04:44:08 -0500 Subject: ipsec prefix: T4275: Fix for prefix val_help of remote-access and s2s vpn It accepts network as the input value but the completion help is showing ip address, continuation of previous commit --- interface-definitions/include/ipsec/local-traffic-selector.xml.i | 4 ++-- interface-definitions/vpn_ipsec.xml.in | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'interface-definitions') 
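Review bot: The `ConfigError` message in the new verify() check never interpolates the prefix: only the first string literal carries the `f` prefix, and the continuation `'prefix "{prefix}"!'` is a plain literal, so the user sees the literal text `{prefix}`. Join the message into one f-string, `raise ConfigError(f'Can not use both blackhole and reject for prefix "{prefix}"!')`, assuming `prefix` is the enclosing loop variable (the loop header and the rest of verify() are outside the hunk). The smoketest added in this commit only asserts that the commit fails, so it would not catch the wrong message.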
diff --git a/interface-definitions/include/ipsec/local-traffic-selector.xml.i b/interface-definitions/include/ipsec/local-traffic-selector.xml.i index d30a6d11a..9ae67f583 100644 --- a/interface-definitions/include/ipsec/local-traffic-selector.xml.i +++ b/interface-definitions/include/ipsec/local-traffic-selector.xml.i @@ -9,11 +9,11 @@ Local IPv4 or IPv6 prefix - ipv4 + ipv4net Local IPv4 prefix - ipv6 + ipv6net Local IPv6 prefix diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 0ad69c637..d8c06a310 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -897,11 +897,11 @@ Local IPv4 or IPv6 pool prefix - ipv4 + ipv4net Local IPv4 pool prefix - ipv6 + ipv6net Local IPv6 pool prefix @@ -1114,11 +1114,11 @@ Remote IPv4 or IPv6 prefix - ipv4 + ipv4net Remote IPv4 prefix - ipv6 + ipv6net Remote IPv6 prefix -- cgit v1.2.3 From 7549c847c3df9155c4315efcccfaf798af9fb402 Mon Sep 17 00:00:00 2001 From: Paul Lettington Date: Wed, 9 Mar 2022 14:24:16 +0000 Subject: policy: T2493 ip-next-hop unchanged & peer-address Also add ipv6-next-hop peer-address --- data/templates/frr/policy.frr.tmpl | 3 +++ interface-definitions/policy.xml.in | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) (limited to 'interface-definitions') diff --git a/data/templates/frr/policy.frr.tmpl b/data/templates/frr/policy.frr.tmpl index d3d3957a5..97eb15331 100644 --- a/data/templates/frr/policy.frr.tmpl +++ b/data/templates/frr/policy.frr.tmpl 
@@ -276,6 +276,9 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} {% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.local is defined and rule_config.set.ipv6_next_hop.local is not none %} set ipv6 next-hop local {{ rule_config.set.ipv6_next_hop.local }} {% endif %} +{% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.peer_address is defined %} + set ipv6 next-hop peer-address +{% endif %} {% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.prefer_global is defined %} set ipv6 next-hop prefer-global {% endif %} diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index 9767285dd..5e037b558 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -1115,13 +1115,23 @@ Nexthop IP address + unchanged peer-address ipv4 IP address + + unchanged + Set the BGP nexthop address as unchanged + + + peer-address + Set the BGP nexthop address to the address of the peer + + ^(unchanged|peer-address)$ @@ -1160,6 +1170,12 @@ + + + Use peer address (for BGP only) + + + Prefer global address as the nexthop -- cgit v1.2.3 From c29c6d3d654c7280fdd4ea9fa66b5e84ef267285 Mon Sep 17 00:00:00 2001 From: fett0 Date: Thu, 17 Mar 2022 17:35:02 +0000 Subject: OSPF : T4304: Set import/export filter inter-area prefix --- data/templates/frr/ospfd.frr.tmpl | 6 +++++ .../include/ospf/protocol-common-config.xml.i | 30 ++++++++++++++++++++++ 2 files changed, 36 insertions(+) (limited to 'interface-definitions') diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl index 12213f162..59d936b55 100644 --- a/data/templates/frr/ospfd.frr.tmpl +++ b/data/templates/frr/ospfd.frr.tmpl 
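Review bot: No template change accompanies the new `unchanged` and `peer-address` values on the IPv4 next-hop node: the policy.frr.tmpl hunk above only adds `set ipv6 next-hop peer-address`, so whether `set ip next-hop unchanged` and `set ip next-hop peer-address` are rendered depends on the existing template passing the value through verbatim, which this diff does not show. A smoketest case that sets each value and asserts the resulting `set ip next-hop unchanged` / `set ip next-hop peer-address` line in the generated route-map would pin that. The new validation regex `^(unchanged|peer-address)$` is presumably combined with the existing ipv4 validator; the stripped markup makes that hard to confirm here.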
@@ -97,6 +97,12 @@ router ospf {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endif %} {% endfor %} {% endif %} +{% if area_config.export_list is defined and area_config.export_list is not none %} + area {{ area_id }} export-list {{ area_config.export_list }} +{% endif %} +{% if area_config.import_list is defined and area_config.import_list is not none %} + area {{ area_id }} import-list {{ area_config.import_list }} +{% endif %} {% if area_config.shortcut is defined and area_config.shortcut is not none %} area {{ area_id }} shortcut {{ area_config.shortcut }} {% endif %} diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 088bee2de..3a3372e47 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -256,6 +256,36 @@ + + + Set the filter for networks announced to other areas + + policy access-list + + + u32 + Access-list number + + + + + + + + + Set the filter for networks from other areas announced + + policy access-list + + + u32 + Access-list number + + + + + + Virtual link -- cgit v1.2.3 From 3584691b35f35e40a1bfc22c34da031141fd0dfa Mon Sep 17 00:00:00 2001 
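Review bot: The help string for the new `import-list` node, `Set the filter for networks from other areas announced`, is ungrammatical and hard to tell apart from the `export-list` text; `Set the filter for networks announced from other areas` states the direction clearly and mirrors the export-list wording. The two node blocks are otherwise identical copies, so a shared include file, as this tree already uses for other repeated leaf nodes, would avoid the duplication.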
From: Christian Poessinger Date: Mon, 21 Mar 2022 21:41:41 +0100 Subject: qos: T4284: initial XML interface definitions for rewrite --- Makefile | 6 + data/configd-include.json | 1 + .../include/interface/redirect.xml.i | 17 + .../include/interface/traffic-policy.xml.i | 43 ++ .../include/interface/vif-s.xml.i | 4 + interface-definitions/include/interface/vif.xml.i | 4 +- interface-definitions/include/qos/bandwidth.xml.i | 15 + interface-definitions/include/qos/burst.xml.i | 16 + .../include/qos/codel-quantum.xml.i | 16 + interface-definitions/include/qos/dscp.xml.i | 143 ++++ interface-definitions/include/qos/flows.xml.i | 16 + interface-definitions/include/qos/hfsc-d.xml.i | 15 + interface-definitions/include/qos/hfsc-m1.xml.i | 32 + interface-definitions/include/qos/hfsc-m2.xml.i | 32 + interface-definitions/include/qos/interval.xml.i | 16 + interface-definitions/include/qos/match.xml.i | 221 +++++++ interface-definitions/include/qos/max-length.xml.i | 15 + .../include/qos/queue-limit-1-4294967295.xml.i | 15 + .../include/qos/queue-limit-2-10999.xml.i | 16 + interface-definitions/include/qos/queue-type.xml.i | 30 + interface-definitions/include/qos/set-dscp.xml.i | 63 ++ interface-definitions/include/qos/target.xml.i | 16 + interface-definitions/include/qos/tcp-flags.xml.i | 21 + interface-definitions/interfaces-bonding.xml.in | 2 + interface-definitions/interfaces-bridge.xml.in | 2 + interface-definitions/interfaces-dummy.xml.in | 2 + interface-definitions/interfaces-ethernet.xml.in | 2 + interface-definitions/interfaces-geneve.xml.in | 2 + interface-definitions/interfaces-input.xml.in | 30 + interface-definitions/interfaces-l2tpv3.xml.in | 1 + interface-definitions/interfaces-loopback.xml.in | 2 + interface-definitions/interfaces-macsec.xml.in | 2 + interface-definitions/interfaces-openvpn.xml.in | 2 + interface-definitions/interfaces-pppoe.xml.in | 4 +- .../interfaces-pseudo-ethernet.xml.in | 2 + interface-definitions/interfaces-tunnel.xml.in | 4 +- 
interface-definitions/interfaces-vti.xml.in | 2 + interface-definitions/interfaces-vxlan.xml.in | 2 + interface-definitions/interfaces-wireguard.xml.in | 4 +- interface-definitions/interfaces-wireless.xml.in | 2 + interface-definitions/interfaces-wwan.xml.in | 4 +- interface-definitions/qos.xml.in | 721 +++++++++++++++++++++ python/vyos/configverify.py | 16 + src/conf_mode/interfaces-bonding.py | 4 +- src/conf_mode/interfaces-bridge.py | 2 + src/conf_mode/interfaces-dummy.py | 2 + src/conf_mode/interfaces-ethernet.py | 2 + src/conf_mode/interfaces-geneve.py | 2 + src/conf_mode/interfaces-l2tpv3.py | 2 + src/conf_mode/interfaces-loopback.py | 2 + src/conf_mode/interfaces-macsec.py | 2 + src/conf_mode/interfaces-pppoe.py | 2 + src/conf_mode/interfaces-pseudo-ethernet.py | 2 + src/conf_mode/interfaces-tunnel.py | 2 + src/conf_mode/interfaces-vti.py | 2 + src/conf_mode/interfaces-vxlan.py | 2 + src/conf_mode/interfaces-wireguard.py | 2 + src/conf_mode/interfaces-wireless.py | 2 + src/conf_mode/interfaces-wwan.py | 2 + src/conf_mode/qos.py | 90 +++ 60 files changed, 1699 insertions(+), 6 deletions(-) create mode 100644 interface-definitions/include/interface/redirect.xml.i create mode 100644 interface-definitions/include/interface/traffic-policy.xml.i create mode 100644 interface-definitions/include/qos/bandwidth.xml.i create mode 100644 interface-definitions/include/qos/burst.xml.i create mode 100644 interface-definitions/include/qos/codel-quantum.xml.i create mode 100644 interface-definitions/include/qos/dscp.xml.i create mode 100644 interface-definitions/include/qos/flows.xml.i create mode 100644 interface-definitions/include/qos/hfsc-d.xml.i create mode 100644 interface-definitions/include/qos/hfsc-m1.xml.i create mode 100644 interface-definitions/include/qos/hfsc-m2.xml.i create mode 100644 interface-definitions/include/qos/interval.xml.i create mode 100644 interface-definitions/include/qos/match.xml.i create mode 100644 
interface-definitions/include/qos/max-length.xml.i create mode 100644 interface-definitions/include/qos/queue-limit-1-4294967295.xml.i create mode 100644 interface-definitions/include/qos/queue-limit-2-10999.xml.i create mode 100644 interface-definitions/include/qos/queue-type.xml.i create mode 100644 interface-definitions/include/qos/set-dscp.xml.i create mode 100644 interface-definitions/include/qos/target.xml.i create mode 100644 interface-definitions/include/qos/tcp-flags.xml.i create mode 100644 interface-definitions/interfaces-input.xml.in create mode 100644 interface-definitions/qos.xml.in create mode 100755 src/conf_mode/qos.py (limited to 'interface-definitions') diff --git a/Makefile b/Makefile index 29744b323..431f3a8c2 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,12 @@ interface_definitions: $(config_xml_obj) # XXX: delete top level node.def's that now live in other packages # IPSec VPN EAP-RADIUS does not support source-address rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address + + # T4284 neq QoS implementation is not yet live + find $(TMPL_DIR)/interfaces -name traffic-policy -type d -exec rm -rf {} \; + find $(TMPL_DIR)/interfaces -name redirect -type d -exec rm -rf {} \; + rm -rf $(TMPL_DIR)/interfaces/input + # XXX: test if there are empty node.def files - this is not allowed as these # could mask help strings or mandatory priority statements find $(TMPL_DIR) -name node.def -type f -empty -exec false {} + || sh -c 'echo "There are empty node.def files! Check your interface definitions." && exit 1' diff --git a/data/configd-include.json b/data/configd-include.json index c85ab0725..b77d48001 100644 --- a/data/configd-include.json +++ b/data/configd-include.json @@ -48,6 +48,7 @@ "protocols_ripng.py", "protocols_static.py", "protocols_static_multicast.py", +"qos.py", "salt-minion.py", "service_console-server.py", "service_ids_fastnetmon.py", 
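Review bot: `find $(TMPL_DIR)/interfaces -name traffic-policy -type d -exec rm -rf {} \;` removes a directory that find may then still try to descend into, which can produce `No such file or directory` errors and a non-zero exit status that fails the recipe; add `-prune` before `-exec` on both find lines, e.g. `find $(TMPL_DIR)/interfaces -name traffic-policy -type d -prune -exec rm -rf {} \;`, so matched directories are not traversed after removal. The comment above them, `# T4284 neq QoS implementation is not yet live`, also has a typo (`neq` should be `new`).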
diff --git a/interface-definitions/include/interface/redirect.xml.i b/interface-definitions/include/interface/redirect.xml.i new file mode 100644 index 000000000..3be9ee16b --- /dev/null +++ b/interface-definitions/include/interface/redirect.xml.i @@ -0,0 +1,17 @@ + + + + Incoming packet redirection destination + + + + + txt + Interface name + + + + + + + diff --git a/interface-definitions/include/interface/traffic-policy.xml.i b/interface-definitions/include/interface/traffic-policy.xml.i new file mode 100644 index 000000000..cd60b62a5 --- /dev/null +++ b/interface-definitions/include/interface/traffic-policy.xml.i @@ -0,0 +1,43 @@ + + + + Traffic-policy for interface + + + + + Ingress traffic policy for interface + + traffic-policy drop-tail + traffic-policy fair-queue + traffic-policy fq-codel + traffic-policy limiter + traffic-policy network-emulator + traffic-policy priority-queue + traffic-policy random-detect + traffic-policy rate-control + traffic-policy round-robin + traffic-policy shaper + traffic-policy shaper-hfsc + + + txt + Policy name + + + + + + Egress traffic policy for interface + + traffic-policy + + + txt + Policy name + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i index f1a61ff64..59a47b5ff 100644 --- a/interface-definitions/include/interface/vif-s.xml.i +++ b/interface-definitions/include/interface/vif-s.xml.i @@ -64,11 +64,15 @@ #include #include #include + #include + #include #include #include #include + #include + #include #include diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 11ba7e2f8..8a1475711 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -18,7 +18,6 @@ #include #include #include - #include #include #include 
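Review bot: traffic-policy.xml.i is added without a trailing newline (the hunk ends with `\ No newline at end of file`), unlike the other new include files in this commit; add the newline so the file is consistent with its siblings and future diffs stay clean.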
@@ -51,6 +50,9 @@ #include #include #include + #include + #include + #include diff --git a/interface-definitions/include/qos/bandwidth.xml.i b/interface-definitions/include/qos/bandwidth.xml.i new file mode 100644 index 000000000..82af22f42 --- /dev/null +++ b/interface-definitions/include/qos/bandwidth.xml.i @@ -0,0 +1,15 @@ + + + + Traffic-limit used for this class + + <number> + Rate in kbit (kilobit per second) + + + <number><suffix> + Rate with scaling suffix (mbit, mbps, ...) + + + + diff --git a/interface-definitions/include/qos/burst.xml.i b/interface-definitions/include/qos/burst.xml.i new file mode 100644 index 000000000..761618027 --- /dev/null +++ b/interface-definitions/include/qos/burst.xml.i @@ -0,0 +1,16 @@ + + + + Burst size for this class + + <number> + Bytes + + + <number><suffix> + Bytes with scaling suffix (kb, mb, gb) + + + 15k + + diff --git a/interface-definitions/include/qos/codel-quantum.xml.i b/interface-definitions/include/qos/codel-quantum.xml.i new file mode 100644 index 000000000..bc24630b6 --- /dev/null +++ b/interface-definitions/include/qos/codel-quantum.xml.i @@ -0,0 +1,16 @@ + + + + Deficit in the fair queuing algorithm + + u32:0-1048576 + Number of bytes used as 'deficit' + + + + + Interval must be in range 0 to 1048576 + + 1514 + + diff --git a/interface-definitions/include/qos/dscp.xml.i b/interface-definitions/include/qos/dscp.xml.i new file mode 100644 index 000000000..bb90850ac --- /dev/null +++ b/interface-definitions/include/qos/dscp.xml.i 
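Review bot: The constraint error message in codel-quantum.xml.i, `Interval must be in range 0 to 1048576`, names the wrong field: the node is the CoDel quantum (deficit), so it should read `Quantum must be in range 0 to 1048576`. The same copy-and-paste error appears in dscp.xml.i (`Priority must be between 0 and 63`, should name the DSCP value), flows.xml.i (`Interval must be in range 1 to 65536`, should name the number of flows) and hfsc-d.xml.i (`Priority must be between 0 and 65535`, should name the delay). These messages are what the operator sees on a failed commit, so each should name the node actually being validated.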
@@ -0,0 +1,143 @@ + + + + Match on Differentiated Services Codepoint (DSCP) + + default reliability throughput lowdelay priority immediate flash flash-override critical internet network AF11 AF12 AF13 AF21 AF22 AF23 AF31 AF32 AF33 AF41 AF42 AF43 CS1 CS2 CS3 CS4 CS5 CS6 CS7 EF + + + u32:0-63 + Differentiated Services Codepoint (DSCP) value + + + default + match DSCP (000000) + + + reliability + match DSCP (000001) + + + throughput + match DSCP (000010) + + + lowdelay + match DSCP (000100) + + + priority + match DSCP (001000) + + + immediate + match DSCP (010000) + + + flash + match DSCP (011000) + + + flash-override + match DSCP (100000) + + + critical + match DSCP (101000) + + + internet + match DSCP (110000) + + + network + match DSCP (111000) + + + AF11 + High-throughput data + + + AF12 + High-throughput data + + + AF13 + High-throughput data + + + AF21 + Low-latency data + + + AF22 + Low-latency data + + + AF23 + Low-latency data + + + AF31 + Multimedia streaming + + + AF32 + Multimedia streaming + + + AF33 + Multimedia streaming + + + AF41 + Multimedia conferencing + + + AF42 + Multimedia conferencing + + + AF43 + Multimedia conferencing + + + CS1 + Low-priority data + + + CS2 + OAM + + + CS3 + Broadcast video + + + CS4 + Real-time interactive + + + CS5 + Signaling + + + CS6 + Network control + + + CS7 + + + + EF + Expedited Forwarding + + + + (default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network|AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF) + + Priority must be between 0 and 63 + + + diff --git a/interface-definitions/include/qos/flows.xml.i b/interface-definitions/include/qos/flows.xml.i new file mode 100644 index 000000000..a7d7c6422 --- /dev/null +++ b/interface-definitions/include/qos/flows.xml.i 
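Review bot: The `CS7` entry in the DSCP value list has an empty description while every other value carries one, so the interactive help shows a blank row for it; add a description such as `Reserved (network control)` to keep the list uniform. The hunk is otherwise consistent with the regex at its end, which enumerates the same names.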
@@ -0,0 +1,16 @@ + + + + Number of flows into which the incoming packets are classified + + u32:1-65536 + Number of flows + + + + + Interval must be in range 1 to 65536 + + 1024 + + diff --git a/interface-definitions/include/qos/hfsc-d.xml.i b/interface-definitions/include/qos/hfsc-d.xml.i new file mode 100644 index 000000000..2a513509c --- /dev/null +++ b/interface-definitions/include/qos/hfsc-d.xml.i @@ -0,0 +1,15 @@ + + + + Service curve delay + + <number> + Time in milliseconds + + + + + Priority must be between 0 and 65535 + + + diff --git a/interface-definitions/include/qos/hfsc-m1.xml.i b/interface-definitions/include/qos/hfsc-m1.xml.i new file mode 100644 index 000000000..749d01f57 --- /dev/null +++ b/interface-definitions/include/qos/hfsc-m1.xml.i @@ -0,0 +1,32 @@ + + + + Linkshare m1 parameter for class traffic + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec + + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + 100% + + diff --git a/interface-definitions/include/qos/hfsc-m2.xml.i b/interface-definitions/include/qos/hfsc-m2.xml.i new file mode 100644 index 000000000..24e8f5d63 --- /dev/null +++ b/interface-definitions/include/qos/hfsc-m2.xml.i @@ -0,0 +1,32 @@ + + + + Linkshare m2 parameter for class traffic + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec + + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + 100% + + 
diff --git a/interface-definitions/include/qos/interval.xml.i b/interface-definitions/include/qos/interval.xml.i new file mode 100644 index 000000000..41896ac9c --- /dev/null +++ b/interface-definitions/include/qos/interval.xml.i @@ -0,0 +1,16 @@ + + + + Interval used to measure the delay + + u32 + Interval in milliseconds + + + + + Interval must be in range 0 to 4294967295 + + 100 + + diff --git a/interface-definitions/include/qos/match.xml.i b/interface-definitions/include/qos/match.xml.i new file mode 100644 index 000000000..7d89e4460 --- /dev/null +++ b/interface-definitions/include/qos/match.xml.i 
@@ -0,0 +1,221 @@ + + + + Class matching rule name + + [^-].* + + Match queue name cannot start with hyphen (-) + + + #include + + + Ethernet header match + + + + + Ethernet destination address for this match + + macaddr + MAC address to match + + + + + + + + + Ethernet protocol for this match + + + all 802.1Q 802_2 802_3 aarp aoe arp atalk dec ip ipv6 ipx lat localtalk rarp snap x25 + + + u32:0-65535 + Ethernet protocol number + + + txt + Ethernet protocol name + + + all + Any protocol + + + ip + Internet IP (IPv4) + + + ipv6 + Internet IP (IPv6) + + + arp + Address Resolution Protocol + + + atalk + Appletalk + + + ipx + Novell Internet Packet Exchange + + + 802.1Q + 802.1Q VLAN tag + + + + + + + + + Ethernet source address for this match + + macaddr + MAC address to match + + + + + + + + + #include + + + Match IP protocol header + + + + + Match on destination port or address + + + + + IPv4 destination address for this match + + ipv4net + IPv4 address and prefix length + + + + + + + #include + + + #include + #include + #include + + + Match on source port or address + + + + + IPv4 source address for this match + + ipv4net + IPv4 address and prefix length + + + + + + + #include + + + #include + + + + + Match IPv6 protocol header + + + + + Match on destination port or address + + + + + IPv6 destination address for this match + + ipv6net + IPv6 address and prefix length + + + + + + + #include + + + #include + #include + #include + + + Match on source port or address + + + + + IPv6 source address for this match + + ipv6net + IPv6 address and prefix length + + + + + + + #include + + + #include + + + + + Match on mark applied by firewall + + txt + FW mark to match + + + + + + + + + Virtual Local Area Network (VLAN) ID for this match + + u32:0-4095 + Virtual Local Area Network (VLAN) tag + + + + + VLAN ID must be between 0 and 4095 + + + + + 
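Review bot: The class match rule name is constrained only by `[^-].*`, which accepts whitespace, quotes and shell metacharacters, while policy names in the same commit are limited to `[[:alnum:]][-_[:alnum:]]*` and firewall tagnode names elsewhere on this page to `^[a-zA-Z0-9][\w\-\.]*$`. If the match name is ever interpolated into a tc command line or a generated filter handle (not visible here), that looseness is a command-injection surface; even if it is not, it is an inconsistent naming rule, so tighten it to `[[:alnum:]][-_[:alnum:]]*` with `Only alpha-numeric match names allowed` as the message. The `mark` leaf's help `FW mark to match` gives no format, so whether a decimal, hex or named mark is expected is unclear; a validator or a more specific help string would close that gap.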
diff --git a/interface-definitions/include/qos/max-length.xml.i b/interface-definitions/include/qos/max-length.xml.i new file mode 100644 index 000000000..4cc20f8c4 --- /dev/null +++ b/interface-definitions/include/qos/max-length.xml.i @@ -0,0 +1,15 @@ + + + + Maximum packet length (ipv4) + + u32:0-65535 + Maximum packet/payload length + + + + + Maximum IPv4 total packet length is 65535 + + + diff --git a/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i b/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i new file mode 100644 index 000000000..2f2d44631 --- /dev/null +++ b/interface-definitions/include/qos/queue-limit-1-4294967295.xml.i @@ -0,0 +1,15 @@ + + + + Maximum queue size + + u32:1-4294967295 + Queue size in packets + + + + + Queue limit must be greater than zero + + + diff --git a/interface-definitions/include/qos/queue-limit-2-10999.xml.i b/interface-definitions/include/qos/queue-limit-2-10999.xml.i new file mode 100644 index 000000000..7a9c8266b --- /dev/null +++ b/interface-definitions/include/qos/queue-limit-2-10999.xml.i @@ -0,0 +1,16 @@ + + + + Upper limit of the queue + + u32:2-10999 + Queue size in packets + + + + + Queue limit must greater than 1 and less than 11000 + + 10240 + + diff --git a/interface-definitions/include/qos/queue-type.xml.i b/interface-definitions/include/qos/queue-type.xml.i new file mode 100644 index 000000000..634f61024 --- /dev/null +++ b/interface-definitions/include/qos/queue-type.xml.i @@ -0,0 +1,30 @@ + + + + Queue type for default traffic + + fq-codel fair-queue drop-tail random-detect + + + fq-codel + Fair Queue Codel + + + fair-queue + Stochastic Fair Queue (SFQ) + + + drop-tail + First-In-First-Out (FIFO) + + + random-detect + Random Early Detection (RED) + + + (fq-codel|fair-queue|drop-tail|random-detect) + + + drop-tail + + diff --git a/interface-definitions/include/qos/set-dscp.xml.i b/interface-definitions/include/qos/set-dscp.xml.i new file mode 100644 index 000000000..55c0ea44d 
--- /dev/null +++ b/interface-definitions/include/qos/set-dscp.xml.i @@ -0,0 +1,63 @@ + + + + Change the Differentiated Services (DiffServ) field in the IP header + + default reliability throughput lowdelay priority immediate flash flash-override critical internet network + + + u32:0-63 + Priority order for bandwidth pool + + + default + match DSCP (000000) + + + reliability + match DSCP (000001) + + + throughput + match DSCP (000010) + + + lowdelay + match DSCP (000100) + + + priority + match DSCP (001000) + + + immediate + match DSCP (010000) + + + flash + match DSCP (011000) + + + flash-override + match DSCP (100000) + + + critical + match DSCP (101000) + + + internet + match DSCP (110000) + + + network + match DSCP (111000) + + + + (default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network) + + Priority must be between 0 and 63 + + + diff --git a/interface-definitions/include/qos/target.xml.i b/interface-definitions/include/qos/target.xml.i new file mode 100644 index 000000000..bf6342ac9 --- /dev/null +++ b/interface-definitions/include/qos/target.xml.i @@ -0,0 +1,16 @@ + + + + Acceptable minimum standing/persistent queue delay + + u32 + Queue delay in milliseconds + + + + + Delay must be in range 0 to 4294967295 + + 5 + + diff --git a/interface-definitions/include/qos/tcp-flags.xml.i b/interface-definitions/include/qos/tcp-flags.xml.i new file mode 100644 index 000000000..81d70d1f3 --- /dev/null +++ b/interface-definitions/include/qos/tcp-flags.xml.i @@ -0,0 +1,21 @@ + + + + TCP Flags matching + + + + + Match TCP ACK + + + + + + Match TCP SYN + + + + + + diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index b98f4b960..20ece5137 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -207,6 +207,8 @@ + #include + #include #include #include #include 
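Review bot: The `set-dscp` include's numeric value help reads `Priority order for bandwidth pool`, which belongs to an HTB priority node, and every named value is described as `match DSCP (…)` although this node sets the field rather than matching on it. Use `DSCP value to set` for the `u32:0-63` entry and `set DSCP (000001)` style text for the named values so the completion output does not mislead. The binary patterns listed (000001 for reliability, 001000 for priority, 111000 for network) are mutually consistent with the 0-63 range, but the validator element is not visible in this extract, so whether the numeric form is actually range-checked is only inferred from the message `Priority must be between 0 and 63`.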
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index fabfb917a..6957067cd 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -210,6 +210,8 @@ + #include + #include #include diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in index 3bca8b950..109ed1b50 100644 --- a/interface-definitions/interfaces-dummy.xml.in +++ b/interface-definitions/interfaces-dummy.xml.in @@ -30,6 +30,8 @@ #include + #include + #include #include diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index be7bddfa4..7d28912c0 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -196,6 +196,8 @@ + #include + #include #include #include #include diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index dd4d324d4..aa5809e60 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -50,6 +50,8 @@ + #include + #include #include #include diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in new file mode 100644 index 000000000..f2eb01c58 --- /dev/null +++ b/interface-definitions/interfaces-input.xml.in @@ -0,0 +1,30 @@ + + + + + + + Input Functional Block (IFB) interface name + + 310 + + ifb[0-9]+ + + Input interface must be named ifbN + + ifbN + Input interface name + + + + #include + #include + #include + #include + #include + #include + + + + + diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index ba9bcb0a2..124863653 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -125,6 +125,7 @@ + #include #include 
diff --git a/interface-definitions/interfaces-loopback.xml.in b/interface-definitions/interfaces-loopback.xml.in index 7be15ab89..ffffc0220 100644 --- a/interface-definitions/interfaces-loopback.xml.in +++ b/interface-definitions/interfaces-loopback.xml.in @@ -26,6 +26,8 @@ #include + #include + #include diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 7206e57b1..311e95c2f 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -122,6 +122,8 @@ 1460 #include + #include + #include #include diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index eb574eb52..73e30e590 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -816,6 +816,8 @@ + #include + #include #include diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index ed0e45840..1d888236e 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -49,7 +49,6 @@ #include #include #include - #include Delay before disconnecting idle session (in seconds) @@ -134,6 +133,9 @@ Service name must be alphanumeric only + #include + #include + #include diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in index bf7055f8d..7baeac537 100644 --- a/interface-definitions/interfaces-pseudo-ethernet.xml.in +++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in @@ -59,6 +59,8 @@ private #include + #include + #include #include #include diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index eb1708aaa..bc9297c86 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in 
@@ -20,7 +20,6 @@ #include #include #include - #include #include 1476 @@ -288,6 +287,9 @@ + #include + #include + #include diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in index f03c7476d..538194c2b 100644 --- a/interface-definitions/interfaces-vti.xml.in +++ b/interface-definitions/interfaces-vti.xml.in @@ -34,6 +34,8 @@ #include #include #include + #include + #include #include #include #include diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 0546b4199..18abf9f20 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -99,6 +99,8 @@ #include #include #include + #include + #include #include #include diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 1b4b4a816..2f130c6f2 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -19,7 +19,6 @@ #include #include #include - #include #include #include #include @@ -120,6 +119,9 @@ + #include + #include + #include diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index 9db9fd757..eebe8f841 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -778,6 +778,8 @@ monitor + #include + #include #include #include diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in index 03554feed..7007a67ae 100644 --- a/interface-definitions/interfaces-wwan.xml.in +++ b/interface-definitions/interfaces-wwan.xml.in @@ -30,7 +30,6 @@ #include #include #include - #include #include #include @@ -41,6 +40,9 @@ #include #include #include + #include + #include + #include 
diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in new file mode 100644 index 000000000..d4468543c --- /dev/null +++ b/interface-definitions/qos.xml.in 
@@ -0,0 +1,721 @@ + + + + + Quality of Service (QOS) policy type + 900 + + + + + Packet limited First In, First Out queue + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + + + + + Stochastic Fairness Queueing + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + + Interval in seconds for queue algorithm perturbation + + u32:0 + No perturbation + + + u32:1-127 + Interval in seconds for queue algorithm perturbation (advised: 10) + + + + + Interval must be in range 0 to 127 + + 0 + + + + Upper limit of the SFQ + + u32:2-127 + Queue size in packets + + + + + Queue limit must greater than 1 and less than 128 + + 127 + + + + + + Fair Queuing Controlled Delay + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + #include + #include + #include + #include + + + + + Traffic input limiting policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + + + Class ID + + u32:1-4090 + Class Identifier + + + + + Class identifier must be between 1 and 4090 + + + #include + #include + #include + #include + + + Priority for rule evaluation + + u32:0-20 + Priority for match rule evaluation + + + + + Priority must be between 0 and 20 + + 20 + + + + + + Default policy + + + #include + #include + + + #include + + + + + Network emulator policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + #include + + + Adds delay to packets outgoing to chosen network interface + + <number> + Time in milliseconds + + + + + Priority must be between 0 and 65535 + + + + + Introducing error in a random position for chosen percent of packets + + <number> + Percentage of packets affected + + + + + Priority must be between 0 and 100 + + + + + Add independent loss probability to the 
packets outgoing to chosen network interface + + <number> + Percentage of packets affected + + + + + Must be between 0 and 100 + + + + + Add independent loss probability to the packets outgoing to chosen network interface + + <number> + Percentage of packets affected + + + + + Must be between 0 and 100 + + + + + Packet reordering percentage + + <number> + Percentage of packets affected + + + + + Must be between 0 and 100 + + + #include + + + + + Priority queuing based policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + + + Class Handle + + u32:1-7 + Priority + + + + + Class handle must be between 1 and 7 + + + #include + #include + #include + #include + #include + #include + #include + #include + + + + + Default policy + + + #include + #include + #include + #include + #include + #include + #include + + + #include + + + + + Priority queuing based policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + auto + + #include + + + IP precedence + + u32:0-7 + IP precedence value + + + + + IP precedence value must be between 0 and 7 + + + #include + + + Average packet size (bytes) + + u32:16-10240 + Average packet size in bytes + + + + + Average packet size must be between 16 and 10240 + + 1024 + + + + Mark probability for this precedence + + <number> + Numeric value (1/N) + + + + + Mark probability must be greater than 0 + + + + + Maximum threshold for random detection + + u32:0-4096 + Maximum Threshold in packets + + + + + Threshold must be between 0 and 4096 + + + + + Minimum threshold for random detection + + u32:0-4096 + Maximum Threshold in packets + + + + + Threshold must be between 0 and 4096 + + + + + + + + + Rate limiting policy (Token Bucket Filter) + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + #include + #include + + + Maximum latency + + <number> + Time in milliseconds + 
+ + + + Threshold must be between 0 and 4096 + + 50 + + + + + + Round-Robin based policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + + Class ID + + u32:1-4095 + Class Identifier + + + + + Class identifier must be between 1 and 4095 + + + #include + #include + #include + #include + #include + + + Packet scheduling quantum + + u32:1-4294967295 + Packet scheduling quantum (bytes) + + + + + Quantum must be in range 1 to 4294967295 + + + #include + #include + #include + + + + + + + Hierarchical Fair Service Curve's policy + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + auto + + #include + + + Class ID + + u32:1-4095 + Class Identifier + + + + + Class identifier must be between 1 and 4095 + + + #include + + + Linkshare class settings + + + #include + #include + #include + + + #include + + + Realtime class settings + + + #include + #include + #include + + + + + Upperlimit class settings + + + #include + #include + #include + + + + + + + Default policy + + + + + Linkshare class settings + + + #include + #include + #include + + + + + Realtime class settings + + + #include + #include + #include + + + + + Upperlimit class settings + + + #include + #include + #include + + + + + + + + + Traffic shaping based policy (Hierarchy Token Bucket) + + txt + Policy name + + + [[:alnum:]][-_[:alnum:]]* + + Only alpha-numeric policy name allowed + + + #include + + auto + + + + Class ID + + u32:2-4095 + Class Identifier + + + + + Class identifier must be between 2 and 4095 + + + #include + + 100% + + #include + + + Bandwidth limit for this class + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec 
+ + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + + #include + #include + #include + #include + #include + + + Priority for usage of excess bandwidth + + u32:0-7 + Priority order for bandwidth pool + + + + + Priority must be between 0 and 7 + + 20 + + #include + #include + #include + #include + + + #include + + + Default policy + + + #include + #include + + + Bandwidth limit for this class + + <number> + Rate in kbit (kilobit per second) + + + <number>%% + Percentage of overall rate + + + <number>bit + bit(1), kbit(10^3), mbit(10^6), gbit, tbit + + + <number>ibit + kibit(1024), mibit(1024^2), gibit(1024^3), tbit(1024^4) + + + <number>ibps + kibps(1024*8), mibps(1024^2*8), gibps, tibps - Byte/sec + + + <number>bps + bps(8),kbps(8*10^3),mbps(8*10^6), gbps, tbps - Byte/sec + + + + #include + #include + #include + #include + + + Priority for usage of excess bandwidth + + u32:0-7 + Priority order for bandwidth pool + + + + + Priority must be between 0 and 7 + + 20 + + #include + #include + #include + #include + + + + + + + diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index fab88bc72..7f1258575 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -191,6 +191,19 @@ def verify_mirror(config): raise ConfigError(f'Can not mirror "{direction}" traffic back ' \ 'the originating interface!') +def verify_redirect(config): + """ + Common helper function used by interface implementations to perform + recurring validation of the redirect interface configuration. + + It makes no sense to mirror and redirect traffic at the same time! + """ + if {'mirror', 'redirect'} <= set(config): + raise ConfigError('Can not do both redirect and mirror') + + if dict_search('traffic_policy.in', config) != None: + raise ConfigError('Can not use ingress policy and redirect') + def verify_authentication(config): """ Common helper function used by interface implementations to perform 
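Review bot: In the `shaper` policy both the per-class and the default-class `priority` node document `u32:0-7` with the message `Priority must be between 0 and 7`, yet the default value is `20`, which lies outside that range; unless defaults bypass the validator, every shaper class that leaves priority unset will either fail validation or hand an out-of-range value to the backend. Pick a default inside 0-7 or drop the default and let the backend decide. Two smaller copy-paste issues in the same hunk: the `rate-control` `latency` node (milliseconds, default 50) fails with `Threshold must be between 0 and 4096`, which should say `Latency must be between 0 and 4096` or whatever the real bound is, and the `random-detect` `minimum-threshold` value help says `Maximum Threshold in packets` and should say `Minimum Threshold in packets`.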
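Review bot: The second check in `verify_redirect` fires whenever an ingress traffic-policy is present, regardless of whether `redirect` is configured, so any interface with `traffic-policy in` and no redirect is rejected with `Can not use ingress policy and redirect`; it also uses `!= None` where an identity test belongs. Guard it on the redirect key: `if 'redirect' in config and dict_search('traffic_policy.in', config) is not None:`. `dict_search` is called here but its import lies outside the hunk, so confirm it is in scope in configverify.py. The docstring only explains the mirror conflict; add a sentence such as `Redirect and an ingress traffic-policy are mutually exclusive as well` (presumably because both claim the interface's ingress qdisc — confirm before stating the reason).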
@@ -315,6 +328,7 @@ def verify_vlan_config(config): verify_dhcpv6(vlan) verify_address(vlan) verify_vrf(vlan) + verify_redirect(vlan) verify_mtu_parent(vlan, config) # 802.1ad (Q-in-Q) VLANs @@ -323,6 +337,7 @@ def verify_vlan_config(config): verify_dhcpv6(s_vlan) verify_address(s_vlan) verify_vrf(s_vlan) + verify_redirect(s_vlan) verify_mtu_parent(s_vlan, config) for c_vlan in s_vlan.get('vif_c', {}): @@ -330,6 +345,7 @@ def verify_vlan_config(config): verify_dhcpv6(c_vlan) verify_address(c_vlan) verify_vrf(c_vlan) + verify_redirect(c_vlan) verify_mtu_parent(c_vlan, config) verify_mtu_parent(c_vlan, s_vlan) diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py index bb53cd6c2..661dc2298 100755 --- a/src/conf_mode/interfaces-bonding.py +++ b/src/conf_mode/interfaces-bonding.py @@ -27,9 +27,10 @@ from vyos.configdict import is_source_interface from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_dhcpv6 -from vyos.configverify import verify_source_interface from vyos.configverify import verify_mirror from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect +from vyos.configverify import verify_source_interface from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ifconfig import BondIf @@ -151,6 +152,7 @@ def verify(bond): verify_dhcpv6(bond) verify_vrf(bond) verify_mirror(bond) + verify_redirect(bond) # use common function to verify VLAN configuration verify_vlan_config(bond) diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py index 9f840cb58..e16c0e9f4 100755 --- a/src/conf_mode/interfaces-bridge.py +++ b/src/conf_mode/interfaces-bridge.py 
@@ -28,6 +28,7 @@ from vyos.configdict import has_vlan_subinterface_configured from vyos.configdict import dict_merge from vyos.configverify import verify_dhcpv6 from vyos.configverify import verify_mirror +from vyos.configverify import verify_redirect from vyos.configverify import verify_vrf from vyos.ifconfig import BridgeIf from vyos.validate import has_address_configured @@ -107,6 +108,7 @@ def verify(bridge): verify_dhcpv6(bridge) verify_vrf(bridge) verify_mirror(bridge) + verify_redirect(bridge) ifname = bridge['ifname'] diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py index 55c783f38..4072c4452 100755 --- a/src/conf_mode/interfaces-dummy.py +++ b/src/conf_mode/interfaces-dummy.py @@ -21,6 +21,7 @@ from vyos.configdict import get_interface_dict from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_redirect from vyos.ifconfig import DummyIf from vyos import ConfigError from vyos import airbag @@ -46,6 +47,7 @@ def verify(dummy): verify_vrf(dummy) verify_address(dummy) + verify_redirect(dummy) return None diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index 2a8a126f2..3eeddf190 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py @@ -28,6 +28,7 @@ from vyos.configverify import verify_interface_exists from vyos.configverify import verify_mirror from vyos.configverify import verify_mtu from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ethtool import Ethtool @@ -84,6 +85,7 @@ def verify(ethernet): verify_vrf(ethernet) verify_eapol(ethernet) verify_mirror(ethernet) + verify_redirect(ethernet) ethtool = Ethtool(ifname) # No need to check speed and duplex keys as both have default values. 
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py index 2a63b60aa..a94b5e1f7 100755 --- a/src/conf_mode/interfaces-geneve.py +++ b/src/conf_mode/interfaces-geneve.py @@ -24,6 +24,7 @@ from vyos.configdict import get_interface_dict from vyos.configverify import verify_address from vyos.configverify import verify_mtu_ipv6 from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_redirect from vyos.ifconfig import GeneveIf from vyos import ConfigError @@ -50,6 +51,7 @@ def verify(geneve): verify_mtu_ipv6(geneve) verify_address(geneve) + verify_redirect(geneve) if 'remote' not in geneve: raise ConfigError('Remote side must be configured') diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py index 9b6ddd5aa..5ea7159dc 100755 --- a/src/conf_mode/interfaces-l2tpv3.py +++ b/src/conf_mode/interfaces-l2tpv3.py @@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.ifconfig import L2TPv3If from vyos.util import check_kmod from vyos.validate import is_addr_assigned @@ -76,6 +77,7 @@ def verify(l2tpv3): verify_mtu_ipv6(l2tpv3) verify_address(l2tpv3) + verify_redirect(l2tpv3) return None def generate(l2tpv3): diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py index 193334443..e6a851113 100755 --- a/src/conf_mode/interfaces-loopback.py +++ b/src/conf_mode/interfaces-loopback.py @@ -20,6 +20,7 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_interface_dict +from vyos.configverify import verify_redirect from vyos.ifconfig import LoopbackIf from vyos import ConfigError from vyos import airbag 
@@ -39,6 +40,7 @@ def get_config(config=None): return loopback def verify(loopback): + verify_redirect(loopback) return None def generate(loopback): diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index eab69f36e..6a29fdb11 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -29,6 +29,7 @@ from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_source_interface from vyos import ConfigError from vyos import airbag @@ -66,6 +67,7 @@ def verify(macsec): verify_vrf(macsec) verify_mtu_ipv6(macsec) verify_address(macsec) + verify_redirect(macsec) if not (('security' in macsec) and ('cipher' in macsec['security'])): diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py index 584adc75e..9962e0a08 100755 --- a/src/conf_mode/interfaces-pppoe.py +++ b/src/conf_mode/interfaces-pppoe.py @@ -28,6 +28,7 @@ from vyos.configverify import verify_source_interface from vyos.configverify import verify_interface_exists from vyos.configverify import verify_vrf from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.ifconfig import PPPoEIf from vyos.template import render from vyos.util import call @@ -85,6 +86,7 @@ def verify(pppoe): verify_authentication(pppoe) verify_vrf(pppoe) verify_mtu_ipv6(pppoe) + verify_redirect(pppoe) if {'connect_on_demand', 'vrf'} <= set(pppoe): raise ConfigError('On-demand dialing and VRF can not be used at the same time') diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index 945a2ea9c..f57e41cc4 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py 
@@ -25,6 +25,7 @@ from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_source_interface from vyos.configverify import verify_vlan_config from vyos.configverify import verify_mtu_parent +from vyos.configverify import verify_redirect from vyos.ifconfig import MACVLANIf from vyos import ConfigError @@ -60,6 +61,7 @@ def verify(peth): verify_vrf(peth) verify_address(peth) verify_mtu_parent(peth, peth['parent']) + verify_redirect(peth) # use common function to verify VLAN configuration verify_vlan_config(peth) diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index 433764b8a..005fae5eb 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -26,6 +26,7 @@ from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_interface_exists from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_vrf from vyos.configverify import verify_tunnel from vyos.ifconfig import Interface @@ -157,6 +158,7 @@ def verify(tunnel): verify_mtu_ipv6(tunnel) verify_address(tunnel) verify_vrf(tunnel) + verify_redirect(tunnel) if 'source_interface' in tunnel: verify_interface_exists(tunnel['source_interface']) diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py index 57950ffea..30e13536f 100755 --- a/src/conf_mode/interfaces-vti.py +++ b/src/conf_mode/interfaces-vti.py @@ -19,6 +19,7 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_interface_dict +from vyos.configverify import verify_redirect from vyos.ifconfig import VTIIf from vyos.util import dict_search from vyos import ConfigError @@ -39,6 +40,7 @@ def get_config(config=None): return vti def verify(vti): + verify_redirect(vti) return None def generate(vti): 
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 29b16af89..a29836efd 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_source_interface from vyos.ifconfig import Interface from vyos.ifconfig import VXLANIf @@ -140,6 +141,7 @@ def verify(vxlan): verify_mtu_ipv6(vxlan) verify_address(vxlan) + verify_redirect(vxlan) return None def generate(vxlan): diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index da64dd076..dc0fe7b9c 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -28,6 +28,7 @@ from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.ifconfig import WireGuardIf from vyos.util import check_kmod from vyos.util import check_port_availability @@ -70,6 +71,7 @@ def verify(wireguard): verify_mtu_ipv6(wireguard) verify_address(wireguard) verify_vrf(wireguard) + verify_redirect(wireguard) if 'private_key' not in wireguard: raise ConfigError('Wireguard private-key not defined') diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py index af35b5f03..fdf9e3988 100755 --- a/src/conf_mode/interfaces-wireless.py +++ b/src/conf_mode/interfaces-wireless.py 
@@ -27,6 +27,7 @@ from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_dhcpv6 from vyos.configverify import verify_source_interface +from vyos.configverify import verify_redirect from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ifconfig import WiFiIf @@ -189,6 +190,7 @@ def verify(wifi): verify_address(wifi) verify_vrf(wifi) + verify_redirect(wifi) # use common function to verify VLAN configuration verify_vlan_config(wifi) diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py index a4b033374..367a50e82 100755 --- a/src/conf_mode/interfaces-wwan.py +++ b/src/conf_mode/interfaces-wwan.py @@ -23,6 +23,7 @@ from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configverify import verify_authentication from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_redirect from vyos.configverify import verify_vrf from vyos.ifconfig import WWANIf from vyos.util import cmd @@ -77,6 +78,7 @@ def verify(wwan): verify_interface_exists(ifname) verify_authentication(wwan) verify_vrf(wwan) + verify_redirect(wwan) return None diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py new file mode 100755 index 000000000..cf447d4b5 --- /dev/null +++ b/src/conf_mode/qos.py 
@@ -0,0 +1,90 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.xml import defaults +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['traffic-policy'] + if not conf.exists(base): + return None + + qos = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + for traffic_policy in ['drop-tail', 'fair-queue', 'fq-codel', 'limiter', + 'network-emulator', 'priority-queue', 'random-detect', + 'rate-control', 'round-robin', 'shaper', 'shaper-hfsc']: + traffic_policy_us = traffic_policy.replace('-','_') + # Individual policy type not present on CLI - no need to blend in + # any default values + if traffic_policy_us not in qos: + continue + + default_values = defaults(base + [traffic_policy_us]) + + # class is another tag node which requires individual handling + class_default_values = defaults(base + [traffic_policy_us, 'class']) + if 'class' in default_values: + del default_values['class'] + + for policy, policy_config in qos[traffic_policy_us].items(): + qos[traffic_policy_us][policy] = dict_merge( + default_values, qos[traffic_policy_us][policy]) + + if 'class' in policy_config: + for policy_class in policy_config['class']: + 
qos[traffic_policy_us][policy]['class'][policy_class] = dict_merge( + class_default_values, qos[traffic_policy_us][policy]['class'][policy_class]) + + import pprint + pprint.pprint(qos) + return qos + +def verify(qos): + if not qos: + return None + + # network policy emulator + # reorder rerquires delay to be set + + raise ConfigError('123') + return None + +def generate(qos): + return None + +def apply(qos): + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) -- cgit v1.2.3 From 34bb64b361b7887def8f507eab1c99fff44165cf Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 23 Mar 2022 09:04:36 +0100 Subject: l2tpv3: T1923: remove duplicate mtu include --- interface-definitions/interfaces-l2tpv3.xml.in | 1 - 1 file changed, 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index 124863653..680170b0f 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -86,7 +86,6 @@ - #include #include -- cgit v1.2.3 From 78a4676f787e5e37f67afd5c2453ce06e3f0f9e9 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Fri, 18 Mar 2022 08:39:14 -0400 Subject: ike-group: T4288 : close-action is missing in swanctl.conf close-action parameter is missing in the swanctl.conf file --- data/templates/ipsec/swanctl/peer.tmpl | 6 +++-- interface-definitions/vpn_ipsec.xml.in | 8 ++---- src/migration-scripts/ipsec/8-to-9 | 49 ++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 8 deletions(-) create mode 100755 src/migration-scripts/ipsec/8-to-9 (limited to 'interface-definitions') diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index 562e8fdd5..a622cbf74 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl 
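Review bot: `verify()` in the new `qos.py` raises `ConfigError('123')` unconditionally, so as soon as this script is bound to the `traffic-policy` node every commit that carries any traffic-policy will fail, and `get_config()` still contains a debugging `import pprint` / `pprint.pprint(qos)` that dumps the whole merged dict to stdout on each run — both read as leftovers and should be removed, or the file clearly marked as a stub (`# TODO: verify() is a placeholder; real checks (e.g. network-emulator reorder needs delay) not implemented yet`). The default lookup uses the underscore-mangled name, `defaults(base + [traffic_policy_us])` and `defaults(base + [traffic_policy_us, 'class'])`, while the XML node names are hyphenated (presumably why the loop keeps `traffic_policy` alongside); if `defaults()` resolves XML paths this yields empty defaults and `traffic_policy` should be passed instead — worth confirming against `vyos.xml.defaults`. The comment `# reorder rerquires delay to be set` has a typo and describes a check that does not exist yet. Reassigning `qos[traffic_policy_us][policy]` while iterating `.items()` on the same dict is safe because only values change, but a one-line comment saying so would help the next reader.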
@@ -87,9 +87,10 @@ start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} + close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} } {% elif peer_conf.tunnel is defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} @@ -137,9 +138,10 @@ start_action = none {% endif %} {% if ike.dead_peer_detection is defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} + close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} {% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index d8c06a310..a86951ce8 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -231,7 +231,7 @@ Action to take if a child SA is unexpectedly closed - none hold clear restart + none hold restart none @@ -241,16 +241,12 @@ hold Attempt to re-negotiate when matching traffic is seen - - clear - Remove the connection immediately - restart Attempt to re-negotiate the connection immediately - ^(none|hold|clear|restart)$ + ^(none|hold|restart)$ diff --git a/src/migration-scripts/ipsec/8-to-9 b/src/migration-scripts/ipsec/8-to-9 new file mode 100755 index 000000000..209cd8ac9 --- /dev/null 
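Review bot: `close_action` is rendered unconditionally from `ike.close_action` in both hunks, whereas the adjacent `dpd_action` lines are guarded by `{% if ike.dead_peer_detection is defined %}`; unless the conf_mode script is known to merge the XML default (`none`) into every ike-group, a group without an explicit `close-action` makes the dict lookup raise and breaks the whole swanctl.conf render. Guard or default it, e.g. `close_action = {{ close_action_translate[ike.close_action | default('none')] }}`. The inline mapping dict is duplicated verbatim in both hunks; a single `{% set close_action_translate = {'none': 'none', 'hold': 'trap', 'restart': 'start'} %}` next to `dpd_translate` keeps them in one place. If the asymmetry (`dpd_action` → `restart`, `close_action` → `start`) follows strongSwan's swanctl.conf vocabulary, a short comment saying so would stop a later reader "fixing" it.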
+++ b/src/migration-scripts/ipsec/8-to-9 @@ -0,0 +1,49 @@ + +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['vpn', 'ipsec', 'ike-group'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) +else: + for ike_group in config.list_nodes(base): + base_closeaction = base + [ike_group, 'close-action'] + if config.exists(base_closeaction) and config.return_value(base_closeaction) == 'clear': + config.set(base_closeaction, 'none', replace=True) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print(f'Failed to save the modified config: {e}') + exit(1) -- cgit v1.2.3 From e700bd3e22e080525e70ce560c0e48d41a80a9d2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 24 Mar 2022 18:42:40 +0100 Subject: ipsec: T4288: bump config version 8 -> 9 --- interface-definitions/include/version/ipsec-version.xml.i | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'interface-definitions') 
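Review bot: The first added line of `src/migration-scripts/ipsec/8-to-9` is blank and `#!/usr/bin/env python3` only comes on line 2 (the hunk adds 49 lines for 48 lines of content), so the shebang is not honoured and the file is not directly executable despite mode 100755; if the migration runner execs these scripts, the step would be skipped and `close-action clear` would survive in existing configs, which no longer passes the new `^(none|hold|restart)$` constraint and would block loading the config after upgrade. Remove the leading blank line. The argument check `if (len(argv) < 1)` can never be true because `argv[0]` is always present; it should be `if len(argv) < 2:` so a missing file name prints the message instead of raising IndexError on `argv[1]`. The copyright year reads 2021 for a file added in 2022.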
diff --git a/interface-definitions/include/version/ipsec-version.xml.i b/interface-definitions/include/version/ipsec-version.xml.i index fcdd6c702..59295cc91 100644 --- a/interface-definitions/include/version/ipsec-version.xml.i +++ b/interface-definitions/include/version/ipsec-version.xml.i @@ -1,3 +1,3 @@ - + -- cgit v1.2.3 From 87ccafd06b897b63f847e6b47cf72b951b0ed223 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Mar 2022 18:53:12 +0100 Subject: T4319: "system ip(v6)" must run before any interface operation --- interface-definitions/system-ip.xml.in | 3 ++- interface-definitions/system-ipv6.xml.in | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in index 1fa63d517..b43100418 100644 --- a/interface-definitions/system-ip.xml.in +++ b/interface-definitions/system-ip.xml.in @@ -5,7 +5,8 @@ IPv4 Settings - 400 + + 290 diff --git a/interface-definitions/system-ipv6.xml.in b/interface-definitions/system-ipv6.xml.in index 5ee7adf54..ff1080544 100644 --- a/interface-definitions/system-ipv6.xml.in +++ b/interface-definitions/system-ipv6.xml.in @@ -5,6 +5,7 @@ IPv6 Settings + 290 -- cgit v1.2.3 From eaf4b60c9e7fa094d17b87b29bebaf81182ee7a1 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 25 Mar 2022 18:53:50 +0100 Subject: xml: T4319: use common building block for table-size CLI option --- interface-definitions/include/arp-ndp-table-size.xml.i | 14 ++++++++++++++ interface-definitions/system-ip.xml.in | 13 +------------ interface-definitions/system-ipv6.xml.in | 14 ++------------ 3 files changed, 17 insertions(+), 24 deletions(-) create mode 100644 interface-definitions/include/arp-ndp-table-size.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/arp-ndp-table-size.xml.i b/interface-definitions/include/arp-ndp-table-size.xml.i new file mode 100644 index 000000000..dec86e91a 
--- /dev/null +++ b/interface-definitions/include/arp-ndp-table-size.xml.i @@ -0,0 +1,14 @@ + + + + Maximum number of entries to keep in the cache + + 1024 2048 4096 8192 16384 32768 + + + (1024|2048|4096|8192|16384|32768) + + + 8192 + + diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in index b43100418..21d70694b 100644 --- a/interface-definitions/system-ip.xml.in +++ b/interface-definitions/system-ip.xml.in @@ -14,18 +14,7 @@ Parameters for ARP cache - - - Maximum number of entries to keep in the ARP cache - - 1024 2048 4096 8192 16384 32768 - - - ^(1024|2048|4096|8192|16384|32768)$ - - - 8192 - + #include diff --git a/interface-definitions/system-ipv6.xml.in b/interface-definitions/system-ipv6.xml.in index ff1080544..af4dcdb0f 100644 --- a/interface-definitions/system-ipv6.xml.in +++ b/interface-definitions/system-ipv6.xml.in @@ -36,20 +36,10 @@ - Parameters for Neighbor cache + Parameters for neighbor discovery cache - - - Maximum number of entries to keep in the Neighbor cache - - 1024 2048 4096 8192 16384 32768 - - - ^(1024|2048|4096|8192|16384|32768)$ - - - + #include -- cgit v1.2.3
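Review bot: The new shared include drops the `^`/`$` anchors that both replaced per-file definitions carried (`^(1024|...|32768)$` becomes `(1024|...|32768)`); unless the CLI validator applies the constraint as a full match, values such as `11024` or `32768x` would be accepted and passed on to the kernel setting, so either keep the anchors or confirm full-match semantics before relying on it. As far as the stripped XML shows, the removed `system ipv6 neighbor table-size` block carried no default while the include brings `8192`, so the IPv6 neighbor cache size now receives a default where previously none applied — that behaviour change deserves a line in the commit message. A short comment at the top of the include, e.g. `<!-- shared by system ip arp table-size and system ipv6 neighbor table-size -->`, would make the coupling between the two CLI nodes visible.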