diff --git a/.github/workflows/add-pr-labels.yml b/.github/workflows/add-pr-labels.yml
index 78d619f4a..1723cceb0 100644
--- a/.github/workflows/add-pr-labels.yml
+++ b/.github/workflows/add-pr-labels.yml
@@ -1,15 +1,19 @@
 ---
 name: Add pull request labels
 
 on:
   pull_request_target:
     branches:
       - current
       - crux
       - equuleus
       - sagitta
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   add-pr-label:
     uses: vyos/.github/.github/workflows/add-pr-labels.yml@feature/T6349-reusable-workflows
     secrets: inherit
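Review bot: The new `permissions:` block caps only the GITHUB_TOKEN; the unchanged `secrets: inherit` line below it still passes every secret available to this workflow to a reusable workflow referenced by the mutable branch `@feature/T6349-reusable-workflows`, and this caller runs on `pull_request_target`. Anyone able to push to that branch changes what executes here with those secrets, so the ref would be better pinned to a full commit SHA, e.g. `uses: vyos/.github/.github/workflows/add-pr-labels.yml@<full-commit-sha>`, with only the secrets the callee needs passed by name under `secrets:`. The same `uses: …@feature/T6349-reusable-workflows` plus `secrets: inherit` pair appears in the other seven workflow files in this diff. Whether the called workflows check out or run PR-supplied code is not visible here and is worth confirming for the `pull_request_target` callers.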
diff --git a/.github/workflows/auto-author-assign.yml b/.github/workflows/auto-author-assign.yml
index 1f69f4807..c3696ea47 100644
--- a/.github/workflows/auto-author-assign.yml
+++ b/.github/workflows/auto-author-assign.yml
@@ -1,12 +1,14 @@
 name: "PR Triage"
 on:
   pull_request_target:
     types: [opened, reopened, ready_for_review, locked]
 
+
 permissions:
   pull-requests: write
+  contents: read
 
 jobs:
   assign-author:
     uses: vyos/.github/.github/workflows/assign-author.yml@feature/T6349-reusable-workflows
     secrets: inherit
diff --git a/.github/workflows/chceck-pr-message.yml b/.github/workflows/chceck-pr-message.yml
index 95c5b69ce..e7e456961 100644
--- a/.github/workflows/chceck-pr-message.yml
+++ b/.github/workflows/chceck-pr-message.yml
@@ -1,14 +1,18 @@
 ---
 name: Check pull request message format
 
 on:
   pull_request:
     branches:
       - current
       - crux
       - equuleus
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   check-pr-title:
     uses: vyos/.github/.github/workflows/check-pr-message.yml@feature/T6349-reusable-workflows
     secrets: inherit
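Review bot: `pull-requests: write` looks broader than a message-format check needs, and on this `pull_request` trigger it does not take effect for PRs from forks, where GitHub issues a read-only token by default. If the called workflow only reads the PR title and commit messages, `pull-requests: read` is the least-privilege grant. If it is meant to comment on the PR, that step will fail with a permission error on fork PRs and the comment path needs a different design. The called workflow is outside this diff, so which case applies should be confirmed. The same grant is added to `linit-j2.yml`, also on `pull_request`.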
diff --git a/.github/workflows/check-pr-conflicts.yml b/.github/workflows/check-pr-conflicts.yml
index 62a37a7fa..0c659e6ed 100644
--- a/.github/workflows/check-pr-conflicts.yml
+++ b/.github/workflows/check-pr-conflicts.yml
@@ -1,13 +1,14 @@
 
 name: "PR Conflicts checker"
 on:
   pull_request_target:
     types: [synchronize]
 
 permissions:
   pull-requests: write
+  contents: read
 
 jobs:
   check-pr-conflict-call:
     uses: vyos/.github/.github/workflows/check-pr-merge-conflict.yml@feature/T6349-reusable-workflows
     secrets: inherit
diff --git a/.github/workflows/check-stale.yml b/.github/workflows/check-stale.yml
index 0b88acdb7..b5ec533f1 100644
--- a/.github/workflows/check-stale.yml
+++ b/.github/workflows/check-stale.yml
@@ -1,9 +1,13 @@
 name: "Issue and PR stale management"
 on:
   schedule:
   - cron: "0 0 * * *"
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   stale:
     uses: vyos/.github/.github/workflows/check-stale.yml@feature/T6349-reusable-workflows
     secrets: inherit
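Review bot: The added block omits `issues: write`, and once a `permissions:` key is present every scope not listed is set to `none`. The workflow is named "Issue and PR stale management", so if the called workflow labels or closes stale issues with the GITHUB_TOKEN, as the name suggests, those calls will be refused. Suggested addition under `permissions:`: `issues: write`. The called workflow is outside this diff, so the full set of scopes it needs should be checked against it before merging.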
diff --git a/.github/workflows/check-unused-imports.yml b/.github/workflows/check-unused-imports.yml
index 468543d6e..aada264f7 100644
--- a/.github/workflows/check-unused-imports.yml
+++ b/.github/workflows/check-unused-imports.yml
@@ -1,11 +1,15 @@
 name: Check for unused imports using Pylint
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - current
       - sagitta
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
-  Check-Unused-Imports:
+  check-unused-imports:
     uses: vyos/.github/.github/workflows/check-unused-imports.yml@feature/T6349-reusable-workflows
     secrets: inherit
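Review bot: Renaming the job id from `Check-Unused-Imports` to `check-unused-imports` changes the name of the status check this workflow reports, because a reusable-workflow check is named after the caller job id. If a branch protection rule or ruleset on `current` or `sagitta` lists the old name as required, PRs will wait on a check that never reports, so the rule should be updated in the same rollout. Separately, a comment above `pull_request:` such as `# pull_request, not pull_request_target: this job handles PR code and must not get base-repo secrets or a write token` would keep a later edit from reverting the trigger.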
diff --git a/.github/workflows/label-backport.yml b/.github/workflows/label-backport.yml
index 581363eb1..9192b8184 100644
--- a/.github/workflows/label-backport.yml
+++ b/.github/workflows/label-backport.yml
@@ -1,8 +1,12 @@
 name: Mergifyio backport
 
 on: [issue_comment]
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
-  mergifyio_backport:
+  mergifyio-backport:
     uses: vyos/.github/.github/workflows/label-backport.yml@feature/T6349-reusable-workflows
     secrets: inherit
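Review bot: With `on: [issue_comment]` this job starts for every comment on every issue and pull request, from any user, and it now runs with `pull-requests: write` plus all inherited secrets. Nothing in the caller restricts it to pull-request comments. A job-level guard such as `if: ${{ github.event.issue.pull_request }}` on `mergifyio-backport` would skip plain issue comments before the reusable workflow is invoked. Whether the called workflow checks the commenter's association or the comment text is not visible here and should be confirmed, since that would be the only remaining gate.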
diff --git a/.github/workflows/linit-j2.yml b/.github/workflows/linit-j2.yml
index 093fe7ffe..364a65a14 100644
--- a/.github/workflows/linit-j2.yml
+++ b/.github/workflows/linit-j2.yml
@@ -1,14 +1,18 @@
 ---
 name: J2 Lint
 
 on:
   pull_request:
     branches:
       - current
       - crux
       - equuleus
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   j2lint:
     uses: vyos/.github/.github/workflows/lint-j2.yml@feature/T6349-reusable-workflows
     secrets: inherit
diff --git a/src/op_mode/cgnat.py b/src/op_mode/cgnat.py
index a98269a15..e58b15809 100755
--- a/src/op_mode/cgnat.py
+++ b/src/op_mode/cgnat.py
@@ -1,75 +1,74 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import json
 import sys
-import typing
 
 from tabulate import tabulate
 
 import vyos.opmode
 
 from vyos.configquery import ConfigTreeQuery
 from vyos.utils.process import cmd
 
 CGNAT_TABLE = 'cgnat'
 
 
 def _get_raw_data():
     """ Get CGNAT dictionary
     """
     cmd_output = cmd(f'nft --json list table ip {CGNAT_TABLE}')
     data = json.loads(cmd_output)
     return data
 
 
 def _get_formatted_output(data):
     elements = data['nftables'][2]['map']['elem']
     allocations = []
     for elem in elements:
         internal = elem[0]  # internal
         external = elem[1]['concat'][0]  # external
         start_port = elem[1]['concat'][1]['range'][0]
         end_port = elem[1]['concat'][1]['range'][1]
         port_range = f'{start_port}-{end_port}'
         allocations.append((internal, external, port_range))
 
     headers = ['Internal IP', 'External IP', 'Port range']
     output = tabulate(allocations, headers, numalign="left")
     return output
 
 
 def show_allocation(raw: bool):
     config = ConfigTreeQuery()
     if not config.exists('nat cgnat'):
         raise vyos.opmode.UnconfiguredSubsystem('CGNAT is not configured')
 
     if raw:
         return _get_raw_data()
 
     else:
         raw_data = _get_raw_data()
         return _get_formatted_output(raw_data)
 
 
 if __name__ == '__main__':
     try:
         res = vyos.opmode.run(sys.modules[__name__])
         if res:
             print(res)
     except (ValueError, vyos.opmode.Error) as e:
         print(e)
         sys.exit(1)