From 5c29377fa91595088118419275f6d05b1fbfbd1d Mon Sep 17 00:00:00 2001
From: Viacheslav
Date: Mon, 30 Aug 2021 15:43:02 +0000
Subject: tunnel: T3786: Add checks for source any and not key

---
 src/conf_mode/interfaces-tunnel.py | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/conf_mode/interfaces-tunnel.py')

diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index 294da8ef9..616a2e23c 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -94,6 +94,12 @@ def verify(tunnel):
 if 'direction' not in tunnel['parameters']['erspan']:
 raise ConfigError('ERSPAN version 2 requires direction to be set!')
 
+ # If tunnel source address any and key not set
+ if tunnel['encapsulation'] in ['gre'] and \
+ tunnel['source_address'] == '0.0.0.0' and \
+ dict_search('parameters.ip.key', tunnel) == None:
+ raise ConfigError('Tunnel parameters ip key must be set!')
+
 verify_mtu_ipv6(tunnel)
 verify_address(tunnel)
 verify_vrf(tunnel)
--
cgit v1.2.3


From 468ba7b076c7145b7fe62b60b7e81b432bb27d54 Mon Sep 17 00:00:00 2001
From: Viacheslav
Date: Tue, 31 Aug 2021 10:48:12 +0000
Subject: tunnel: T2920: Add checks tun with same source addr and keys

2 tunnels with the same local-address should has different keys
Check existing tunnels (source-address key) with new tunnel.

---
 src/conf_mode/interfaces-tunnel.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'src/conf_mode/interfaces-tunnel.py')

diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index 616a2e23c..bfd9a8c56 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -18,6 +18,7 @@ import os
 
 from sys import exit
 from netifaces import interfaces
+from ipaddress import IPv4Address
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
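Review bot: In the @@ -94 hunk of 5c29377 the new guard reads `tunnel['source_address']` unconditionally, so a gre tunnel committed without a source-address would fail with a KeyError rather than a ConfigError unless an earlier check in verify() (outside this hunk) already guarantees that key; if it does not, `dict_search('source_address', tunnel) == '0.0.0.0'` keeps the same behaviour without the crash. The comparison `== None` should be `is None`, and `in ['gre']` is simply `== 'gre'`. The comment restates the condition but not why it matters; I would replace it with `# A gre tunnel bound to 0.0.0.0 without a key would match GRE from any peer, so require a key to keep the match unambiguous` (that is my understanding of the kernel's wildcard-local behaviour, to be confirmed). verify() continues outside the hunk.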
@@ -31,6 +32,7 @@ from vyos.configverify import verify_mtu_ipv6
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_tunnel
 from vyos.ifconfig import Interface
+from vyos.ifconfig import Section
 from vyos.ifconfig import TunnelIf
 from vyos.template import is_ipv4
 from vyos.template import is_ipv6
@@ -100,6 +102,27 @@ def verify(tunnel):
 dict_search('parameters.ip.key', tunnel) == None:
 raise ConfigError('Tunnel parameters ip key must be set!')
 
+ if tunnel['encapsulation'] in ['gre', 'gretap']:
+ if dict_search('parameters.ip.key', tunnel) != None:
+ # Check pairs tunnel source-address/encapsulation/key with exists tunnels.
+ # Prevent the same key for 2 tunnels with same source-address/encap. T2920
+ for tunnel_if in Section.interfaces('tunnel'):
+ tunnel_cfg = get_interface_config(tunnel_if)
+ exist_encap = tunnel_cfg['linkinfo']['info_kind']
+ exist_source_address = tunnel_cfg['address']
+ exist_key = tunnel_cfg['linkinfo']['info_data']['ikey']
+ new_source_address = tunnel['source_address']
+ # Convert tunnel key to ip key, format "ip -j link show"
+ # 1 => 0.0.0.1, 999 => 0.0.3.231
+ orig_new_key = int(tunnel['parameters']['ip']['key'])
+ new_key = IPv4Address(orig_new_key)
+ new_key = str(new_key)
+ if tunnel['encapsulation'] == exist_encap and \
+ new_source_address == exist_source_address and \
+ new_key == exist_key:
+ raise ConfigError(f'Key "{orig_new_key}" for source-address "{new_source_address}" ' \
+ f'is already used for tunnel "{tunnel_if}"!')
+
 verify_mtu_ipv6(tunnel)
 verify_address(tunnel)
 verify_vrf(tunnel)
--
cgit v1.2.3


From 7e84566dedfdc532ffe05b404005daa6f21df567 Mon Sep 17 00:00:00 2001
From: Viacheslav
Date: Thu, 2 Sep 2021 18:58:11 +0000
Subject: tunnel: T3788: Add check keys for ipip and sit

Keys are not allowed with ipip and sit tunnels

---
 src/conf_mode/interfaces-tunnel.py | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/conf_mode/interfaces-tunnel.py')
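Review bot: In the @@ -100 hunk the loop indexes `tunnel_cfg['linkinfo']['info_data']['ikey']` directly, but `ip -j link show` omits ikey for a tunnel that has no key, so one existing keyless gre tunnel makes verify() die with a KeyError instead of reporting anything; read it with `dict_search('linkinfo.info_data.ikey', tunnel_cfg)` as the surrounding code already does for the new key. The source comparison also looks wrong for gretap: `tunnel_cfg['address']` is the MAC address of an Ethernet-like gretap device, so `new_source_address == exist_source_address` can never match there and the duplicate-key check silently never fires for the second encapsulation this hunk claims to cover, whereas `linkinfo.info_data.local` carries the endpoint for both kinds. The loop does not skip the interface being (re)configured either, so re-committing an unchanged keyed tunnel would, as far as I can see, be rejected as conflicting with itself — a `continue` on its own name is needed (the other interface scripts carry it as `ifname`; confirm it is present in this dict). The key conversion and `new_source_address` are loop-invariant and can be hoisted, `!= None` should be `is not None`, and verify() continues outside the hunk.
```python
    if tunnel['encapsulation'] in ['gre', 'gretap']:
        new_key = dict_search('parameters.ip.key', tunnel)
        if new_key is not None:
            # "ip -j link show" reports the key as a dotted quad
            # (1 => 0.0.0.1, 999 => 0.0.3.231); convert once, outside the loop
            new_key_str = str(IPv4Address(int(new_key)))
            new_source_address = tunnel['source_address']
            for tunnel_if in Section.interfaces('tunnel'):
                if tunnel_if == tunnel.get('ifname'):
                    continue  # the interface being configured is not a conflict with itself
                tunnel_cfg = get_interface_config(tunnel_if)
                exist_encap = dict_search('linkinfo.info_kind', tunnel_cfg)
                # 'address' is the MAC for gretap; the endpoint lives in info_data.local
                exist_source_address = dict_search('linkinfo.info_data.local', tunnel_cfg)
                # ikey is absent for keyless tunnels, so never index it directly
                exist_key = dict_search('linkinfo.info_data.ikey', tunnel_cfg)
                if (tunnel['encapsulation'], new_source_address, new_key_str) == \
                   (exist_encap, exist_source_address, exist_key):
                    raise ConfigError(f'Key "{new_key}" for source-address "{new_source_address}" ' \
                                      f'is already used for tunnel "{tunnel_if}"!')
    # … unchanged: remaining verify_* calls …
```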
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index bfd9a8c56..ef385d2e7 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -123,6 +123,11 @@ def verify(tunnel):
 raise ConfigError(f'Key "{orig_new_key}" for source-address "{new_source_address}" ' \
 f'is already used for tunnel "{tunnel_if}"!')
 
+ # Keys are not allowed with ipip and sit tunnels
+ if tunnel['encapsulation'] in ['ipip', 'sit']:
+ if dict_search('parameters.ip.key', tunnel) != None:
+ raise ConfigError('Keys are not allowed with ipip and sit tunnels!')
+
 verify_mtu_ipv6(tunnel)
 verify_address(tunnel)
 verify_vrf(tunnel)
--
cgit v1.2.3
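Review bot: In the @@ -123 hunk the ip key is resolved with `dict_search('parameters.ip.key', tunnel)` for the third time inside verify(), each time with a `== None`/`!= None` comparison; resolving it once near the top of verify() as `ip_key = dict_search('parameters.ip.key', tunnel)` and testing `ip_key is not None` would let the three per-encapsulation rules read as one table. The nested `if` pair collapses to a single condition, `if tunnel['encapsulation'] in ['ipip', 'sit'] and ip_key is not None:`. The comment only restates the error message; a short why — that ipip and sit encapsulation carry no key field at all, if that is the reason this configuration is refused — would help the next reader. verify() continues outside the hunk.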