diff --git a/.github/workflows/package-smoketest.yml b/.github/workflows/package-smoketest.yml
index f78eebe0f..27272a6e2 100644
--- a/.github/workflows/package-smoketest.yml
+++ b/.github/workflows/package-smoketest.yml
@@ -1,142 +1,143 @@ name: VyOS ISO integration Test on: pull_request_target: branches: - current - circinus permissions: pull-requests: write contents: read +env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed for PR comments + jobs: build: runs-on: ubuntu-24.04 timeout-minutes: 45 container: image: vyos/vyos-build:current options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged env: BUILD_BY: autobuild@vyos.net DEBIAN_MIRROR: http://deb.debian.org/debian/ outputs: build_version: ${{ steps.version.outputs.build_version }} steps: - name: Clone vyos-build source code uses: actions/checkout@v4 with: repository: vyos/vyos-build - name: Clone vyos-1x source code uses: actions/checkout@v4 with: - repository: vyos/vyos-1x path: packages/vyos-1x - fetch-tags: true # required for Debian package version - name: Build vyos-1x package run: | cd packages/vyos-1x; dpkg-buildpackage -uc -us -tc -b - name: Generate ISO version string id: version run: | echo "build_version=1.5-integration-$(date -u +%Y%m%d%H%M)" >> $GITHUB_OUTPUT - name: Build custom ISO image run: | sudo --preserve-env ./build-vyos-image \ --architecture amd64 \ --build-by $BUILD_BY \ --debian-mirror $DEBIAN_MIRROR \ --version ${{ steps.version.outputs.build_version }} \ --build-type release \ generic - uses: actions/upload-artifact@v4 with: name: vyos-${{ steps.version.outputs.build_version }} path: build/live-image-amd64.hybrid.iso cli-smoketests: needs: build runs-on: ubuntu-24.04 timeout-minutes: 180 container: image: vyos/vyos-build:current options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged steps: # We need the test script from vyos-build repo - name: Clone vyos-build source code uses: actions/checkout@v4 with: repository: vyos/vyos-build - uses: actions/download-artifact@v4 with: name: vyos-${{ needs.build.outputs.build_version }} path: build - name: VyOS CLI smoketests run: sudo make test - name: Add PR comment if: always() uses: mshick/add-pr-comment@v2 with: message-success: '👍 
VyOS CLI smoketests finished successfully!' message-failure: '❌ VyOS CLI smoketests failed!' message-cancelled: '❌ VyOS CLI smoketests cancelled!' allow-repeats: false refresh-message-position: true config-load-tests: needs: build runs-on: ubuntu-24.04 timeout-minutes: 90 container: image: vyos/vyos-build:current options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged steps: # We need the test script from vyos-build repo - name: Clone vyos-build source code uses: actions/checkout@v4 with: repository: vyos/vyos-build - uses: actions/download-artifact@v4 with: name: vyos-${{ needs.build.outputs.build_version }} path: build - name: VyOS config tests run: sudo make testc - name: Add PR comment if: always() uses: mshick/add-pr-comment@v2 with: message-success: '👍 VyOS config tests finished successfully!' message-failure: '❌ VyOS config tests failed!' message-cancelled: '❌ VyOS config tests cancelled!' allow-repeats: false refresh-message-position: true raid1-install-test: needs: build runs-on: ubuntu-24.04 timeout-minutes: 20 container: image: vyos/vyos-build:current options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged steps: # We need the test script from vyos-build repo - name: Clone vyos-build source code uses: actions/checkout@v4 with: repository: vyos/vyos-build - uses: actions/download-artifact@v4 with: name: vyos-${{ needs.build.outputs.build_version }} path: build - name: VyOS RAID1 install test run: sudo make testraid - name: Add PR comment if: always() uses: mshick/add-pr-comment@v2 with: message-success: '👍 RAID1 Smoketests finished successfully!' message-failure: '❌ RAID1 Smoketests failed!' message-cancelled: '❌ RAID1 action cancelled!' allow-repeats: false refresh-message-position: true diff --git a/.gitignore b/.gitignore index 507daceee..01333d5b1 100644 --- a/.gitignore +++ b/.gitignore 
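Review bot: The added workflow-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` hands a token carrying `pull-requests: write` to every step of every job — `dpkg-buildpackage`, `build-vyos-image` and the `sudo make test*` runs inside `--privileged` containers — on a workflow triggered by `pull_request_target`. Only the three `Add PR comment` steps need it, so pass it there through the action's input (`with: repo-token: ${{ secrets.GITHUB_TOKEN }}`) and drop the top-level `env:` block, which keeps the token out of the build and test steps' environment. Separately, the vyos-1x checkout loses both `repository: vyos/vyos-1x` and `fetch-tags: true # required for Debian package version`; the dropped comment suggests the tags fed the package version, so whether `dpkg-buildpackage` still produces the intended version without them should be confirmed.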
@@ -1,151 +1,153 @@ # Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *$py.class # C extensions *.so # Distribution / packaging .Python env/ build/ develop-eggs/ dist/ downloads/ eggs/ .eggs/ lib/ lib64/ parts/ sdist/ var/ wheels/ *.egg-info/ .installed.cfg *.egg .idea/ .idea .idea/* *.iml # PyInstaller # Usually these files are written by a python script from a template # before PyInstaller builds the exe, so as to inject date/other infos into it. *.manifest *.spec # Installer logs pip-log.txt pip-delete-this-directory.txt # Unit test / coverage reports htmlcov/ .tox/ .coverage .coverage.* .cache nosetests.xml coverage.xml *.cover .hypothesis/ cover # Translations *.mo *.pot # Django stuff: *.log local_settings.py # Flask stuff: instance/ .webassets-cache # Scrapy stuff: .scrapy # Sphinx documentation docs/_build/ # PyBuilder target/ # Jupyter Notebook .ipynb_checkpoints # pyenv .python-version # celery beat schedule file celerybeat-schedule # SageMath parsed files *.sage.py # dotenv .env # virtualenv .venv venv/ ENV/ # Spyder project settings .spyderproject .spyproject # Rope project settings .ropeproject # mkdocs documentation /site # mypy .mypy_cache/ # Autogenerated files templates-cfg/* templates-op/* tests/templates/* # Debian packaging debian/files debian/tmp debian/debhelper-build-stamp debian/.debhelper/ debian/vyos-1x debian/vyos-1x-vmware debian/vyos-1x-smoketest debian/*.postinst.debhelper debian/*.prerm.debhelper debian/*.postrm.debhelper debian/*.substvars # Sonar Cloud .scannerwork /.vs # SlickEdit *.vpj *.vpw *.vpwhist *.vtg # VS Code .vscode/* !.vscode/settings.json # VIM *.swp # vyos-1x JSON version data/component-versions.json # vyos-1x XML cache python/vyos/xml_ref/cache.py python/vyos/xml_ref/pkg_cache/*_cache.py +# autogenerated vyos-configd JSON definition +data/configd-include.json # We do not use pip Pipfile Pipfile.lock diff --git a/Makefile b/Makefile index 509b47858..1e0a12714 100644 --- a/Makefile +++ b/Makefile 
@@ -1,133 +1,126 @@ TMPL_DIR := templates-cfg OP_TMPL_DIR := templates-op BUILD_DIR := build DATA_DIR := data SHIM_DIR := src/shim LIBS := -lzmq CFLAGS := BUILD_ARCH := $(shell dpkg-architecture -q DEB_BUILD_ARCH) J2LINT := $(shell command -v j2lint 2> /dev/null) PYLINT_FILES := $(shell git ls-files *.py src/migration-scripts) config_xml_src = $(wildcard interface-definitions/*.xml.in) config_xml_obj = $(config_xml_src:.xml.in=.xml) op_xml_src = $(wildcard op-mode-definitions/*.xml.in) op_xml_obj = $(op_xml_src:.xml.in=.xml) %.xml: %.xml.in @echo Generating $(BUILD_DIR)/$@ from $< mkdir -p $(BUILD_DIR)/$(dir $@) $(CURDIR)/scripts/transclude-template $< > $(BUILD_DIR)/$@ .PHONY: interface_definitions .ONESHELL: interface_definitions: $(config_xml_obj) mkdir -p $(TMPL_DIR) $(CURDIR)/scripts/override-default $(BUILD_DIR)/interface-definitions find $(BUILD_DIR)/interface-definitions -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1 $(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions || exit 1 # XXX: delete top level node.def's that now live in other packages # IPSec VPN EAP-RADIUS does not support source-address rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address # T2472 - EIGRP support rm -rf $(TMPL_DIR)/protocols/eigrp # T2773 - EIGRP support for VRF rm -rf $(TMPL_DIR)/vrf/name/node.tag/protocols/eigrp # XXX: test if there are empty node.def files - this is not allowed as these # could mask help strings or mandatory priority statements find $(TMPL_DIR) -name node.def -type f -empty -exec false {} + || sh -c 'echo "There are empty node.def files! Check your interface definitions." 
&& exit 1' ifeq ($(BUILD_ARCH),arm64) # There is currently no telegraf support in VyOS for ARM64, remove CLI definitions rm -rf $(TMPL_DIR)/service/monitoring/telegraf endif .PHONY: op_mode_definitions .ONESHELL: op_mode_definitions: $(op_xml_obj) mkdir -p $(OP_TMPL_DIR) find $(BUILD_DIR)/op-mode-definitions/ -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-op-templates {} $(CURDIR)/schema/op-mode-definition.rng $(OP_TMPL_DIR) || exit 1 # XXX: delete top level op mode node.def's that now live in other packages rm -f $(OP_TMPL_DIR)/add/node.def rm -f $(OP_TMPL_DIR)/clear/interfaces/node.def rm -f $(OP_TMPL_DIR)/clear/node.def rm -f $(OP_TMPL_DIR)/delete/node.def # XXX: tcpdump, ping, traceroute and mtr must be able to recursivly call themselves as the # options are provided from the scripts themselves ln -s ../node.tag $(OP_TMPL_DIR)/ping/node.tag/node.tag/ ln -s ../node.tag $(OP_TMPL_DIR)/traceroute/node.tag/node.tag/ ln -s ../node.tag $(OP_TMPL_DIR)/mtr/node.tag/node.tag/ ln -s ../node.tag $(OP_TMPL_DIR)/monitor/traceroute/node.tag/node.tag/ ln -s ../node.tag $(OP_TMPL_DIR)/monitor/traffic/interface/node.tag/node.tag/ # XXX: test if there are empty node.def files - this is not allowed as these # could mask help strings or mandatory priority statements find $(OP_TMPL_DIR) -name node.def -type f -empty -exec false {} + || sh -c 'echo "There are empty node.def files! Check your interface definitions." && exit 1' .PHONY: vyshim vyshim: $(MAKE) -C $(SHIM_DIR) .PHONY: all -all: clean interface_definitions op_mode_definitions check test j2lint vyshim check_migration_scripts_executable - -.PHONY: check -.ONESHELL: -check: - @echo "Checking which CLI scripts are not enabled to work with vyos-configd..." - @for file in `ls src/conf_mode -I__pycache__` - do - if ! 
grep -q $$file data/configd-include.json; then - echo "* $$file" - fi - done +all: clean interface_definitions op_mode_definitions test j2lint vyshim check_migration_scripts_executable generate-configd-include-json .PHONY: clean clean: rm -rf $(BUILD_DIR) rm -rf $(TMPL_DIR) rm -rf $(OP_TMPL_DIR) $(MAKE) -C $(SHIM_DIR) clean .PHONY: test -test: +test: generate-configd-include-json set -e; python3 -m compileall -q -x '/vmware-tools/scripts/, /ppp/' . PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators,src/tests --verbose .PHONY: check_migration_scripts_executable .ONESHELL: check_migration_scripts_executable: @echo "Checking if migration scripts have executable bit set..." find src/migration-scripts -type f -not -executable -print -exec false {} + || sh -c 'echo "Found files that are not executable! Add permissions." && exit 1' .PHONY: j2lint j2lint: ifndef J2LINT $(error "j2lint binary not found, consider installing: pip install git+https://github.com/aristanetworks/j2lint.git@341b5d5db86") endif $(J2LINT) data/ .PHONY: sonar sonar: sonar-scanner -X -Dsonar.login=${SONAR_TOKEN} .PHONY: unused-imports unused-imports: @pylint --disable=all --enable=W0611 $(PYLINT_FILES) deb: dpkg-buildpackage -uc -us -tc -b +.PHONY: generate-configd-include-json +generate-configd-include-json: + @scripts/generate-configd-include-json.py + .PHONY: schema schema: trang -I rnc -O rng schema/interface_definition.rnc schema/interface_definition.rng trang -I rnc -O rng schema/op-mode-definition.rnc schema/op-mode-definition.rng diff --git a/data/configd-include.json b/data/configd-include.json deleted file mode 100644 index 224a9c390..000000000 --- a/data/configd-include.json +++ /dev/null 
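Review bot: `clean` does not remove `data/configd-include.json` although the file is now produced by the new `generate-configd-include-json` target and, per the `.gitignore` change in this commit, no longer tracked; add `rm -f $(DATA_DIR)/configd-include.json` to `clean` so a stale list from an earlier build cannot be packaged. The new target runs `@scripts/generate-configd-include-json.py` relative to the working directory while the neighbouring targets use `$(CURDIR)/scripts/...`; `@$(CURDIR)/scripts/generate-configd-include-json.py` keeps that consistent, and the script itself also appears to assume the repository root as its cwd. Removing the `check` target also removes the only place that reported conf_mode scripts absent from the include list; with generation now unconditional there is no equivalent warning, which may be intended but is worth stating in the commit.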
@@ -1,115 +0,0 @@ -[ -"container.py", -"firewall.py", -"high-availability.py", -"interfaces_bonding.py", -"interfaces_bridge.py", -"interfaces_dummy.py", -"interfaces_ethernet.py", -"interfaces_geneve.py", -"interfaces_input.py", -"interfaces_l2tpv3.py", -"interfaces_loopback.py", -"interfaces_macsec.py", -"interfaces_openvpn.py", -"interfaces_pppoe.py", -"interfaces_pseudo-ethernet.py", -"interfaces_sstpc.py", -"interfaces_tunnel.py", -"interfaces_virtual-ethernet.py", -"interfaces_vti.py", -"interfaces_vxlan.py", -"interfaces_wireguard.py", -"interfaces_wireless.py", -"interfaces_wwan.py", -"load-balancing_reverse-proxy.py", -"load-balancing_wan.py", -"nat.py", -"nat64.py", -"nat66.py", -"netns.py", -"pki.py", -"policy.py", -"policy_route.py", -"policy_local-route.py", -"protocols_babel.py", -"protocols_bfd.py", -"protocols_bgp.py", -"protocols_eigrp.py", -"protocols_failover.py", -"protocols_igmp-proxy.py", -"protocols_isis.py", -"protocols_mpls.py", -"protocols_nhrp.py", -"protocols_ospf.py", -"protocols_ospfv3.py", -"protocols_pim.py", -"protocols_pim6.py", -"protocols_rip.py", -"protocols_ripng.py", -"protocols_rpki.py", -"protocols_segment-routing.py", -"protocols_static.py", -"protocols_static_arp.py", -"protocols_static_multicast.py", -"protocols_static_neighbor-proxy.py", -"qos.py", -"service_aws_glb.py", -"service_broadcast-relay.py", -"service_config-sync.py", -"service_conntrack-sync.py", -"service_console-server.py", -"service_dhcp-relay.py", -"service_dhcp-server.py", -"service_dhcpv6-relay.py", -"service_dhcpv6-server.py", -"service_dns_dynamic.py", -"service_dns_forwarding.py", -"service_event-handler.py", -"service_https.py", -"service_ids_ddos-protection.py", -"service_ipoe-server.py", -"service_lldp.py", -"service_mdns_repeater.py", -"service_monitoring_telegraf.py", -"service_monitoring_zabbix-agent.py", -"service_ndp-proxy.py", -"service_ntp.py", -"service_pppoe-server.py", -"service_router-advert.py", -"service_salt-minion.py", 
-"service_sla.py", -"service_snmp.py", -"service_ssh.py", -"service_stunnel.py", -"service_tftp-server.py", -"service_webproxy.py", -"system_acceleration.py", -"system_config-management.py", -"system_conntrack.py", -"system_console.py", -"system_flow-accounting.py", -"system_frr.py", -"system_host-name.py", -"system_ip.py", -"system_ipv6.py", -"system_lcd.py", -"system_login.py", -"system_login_banner.py", -"system_logs.py", -"system_option.py", -"system_proxy.py", -"system_sflow.py", -"system_sysctl.py", -"system_syslog.py", -"system_task-scheduler.py", -"system_timezone.py", -"system_update-check.py", -"system_wireless.py", -"vpn_ipsec.py", -"vpn_l2tp.py", -"vpn_openconnect.py", -"vpn_pptp.py", -"vpn_sstp.py", -"vrf.py" -] diff --git a/debian/control b/debian/control index 2e99bdc28..883e08649 100644 --- a/debian/control +++ b/debian/control 
@@ -1,341 +1,347 @@ Source: vyos-1x Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers <maintainers@vyos.net> Build-Depends: debhelper (>= 9), dh-python, fakeroot, gcc, iproute2, libvyosconfig0 (>= 0.0.7), libzmq3-dev, procps, python3 (>= 3.10), # For QA pylint, # For generating command definitions python3-lxml, python3-xmltodict, # For running tests python3-coverage, + python3-hurry.filesize, + python3-netaddr, python3-netifaces, python3-nose, python3-jinja2, + python3-paramiko, + python3-passlib, python3-psutil, python3-requests, python3-setuptools, + python3-tabulate, + python3-zmq, quilt, whois Standards-Version: 3.9.6 Package: vyos-1x Architecture: amd64 arm64 Pre-Depends: libnss-tacplus [amd64], libpam-tacplus [amd64], libpam-radius-auth [amd64] Depends: ## Fundamentals ${python3:Depends} (>= 3.10), libvyosconfig0, vyatta-bash, vyatta-cfg, vyos-http-api-tools, vyos-utils, ## End of Fundamentals ## Python libraries used in multiple modules and scripts python3, python3-cryptography, python3-hurry.filesize, python3-inotify, python3-jinja2, python3-jmespath, python3-netaddr, python3-netifaces, python3-paramiko, python3-passlib, python3-psutil, python3-pyhumps, python3-pystache, python3-pyudev, python3-six, python3-tabulate, python3-voluptuous, python3-xmltodict, python3-zmq, ## End of Python libraries ## Basic System services and utilities sudo, systemd, bsdmainutils, openssl, curl, dbus, file, iproute2 (>= 6.0.0), linux-cpupower, # ipaddrcheck is widely used in IP value validators ipaddrcheck, ethtool, fdisk, lm-sensors, procps, netplug, sed, ssl-cert, tuned, beep, wide-dhcpv6-client, # Generic colorizer grc, ## End of System services and utilities ## For the installer # Image signature verification tool minisign, # Live filesystem tools squashfs-tools, fuse-overlayfs, ## End installer auditd, iputils-arping, isc-dhcp-client, # For "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server" accel-ppp, # End "vpn pptp", "vpn l2tp", "vpn 
sstp", "service ipoe-server" avahi-daemon, conntrack, conntrackd, ## Conf mode features # For "interfaces wireless" hostapd, hsflowd, iw, wireless-regdb, wpasupplicant (>= 0.6.7), # End "interfaces wireless" # For "interfaces wwan" modemmanager, usb-modeswitch, libqmi-utils, # End "interfaces wwan" # For "interfaces openvpn" openvpn, openvpn-auth-ldap, openvpn-auth-radius, openvpn-otp, libpam-google-authenticator, # End "interfaces openvpn" # For "interfaces wireguard" wireguard-tools, qrencode, # End "interfaces wireguard" # For "interfaces pppoe" pppoe, # End "interfaces pppoe" # For "interfaces sstpc" sstp-client, # End "interfaces sstpc" # For "protocols *" frr (>= 7.5), frr-pythontools, frr-rpki-rtrlib, frr-snmp, # End "protocols *" # For "protocols nhrp" (part of DMVPN) opennhrp, # End "protocols nhrp" # For "protocols igmp-proxy" igmpproxy, # End "protocols igmp-proxy" # For "pki" certbot, # End "pki" # For "service console-server" conserver-client, conserver-server, console-data, dropbear, # End "service console-server" # For "service aws glb" aws-gwlbtun, # For "service dns dynamic" ddclient (>= 3.11.1), # End "service dns dynamic" # # For "service ids" fastnetmon [amd64], suricata, suricata-update, # End "service ids" # # For "service ndp-proxy" ndppd, # End "service ndp-proxy" # For "service router-advert" radvd, # End "service route-advert" # For "high-availability reverse-proxy" haproxy, # End "high-availability reverse-proxy" # For "service dhcp-relay" isc-dhcp-relay, # For "service dhcp-server" kea, # End "service dhcp-server" # For "service lldp" lldpd, # End "service lldp" # For "service https" nginx-light, # End "service https" # For "service ssh" openssh-server, sshguard, # End "service ssh" # For "service salt-minion" salt-minion, # End "service salt-minion" # For "service snmp" snmp, snmpd, # End "service snmp" # For "service webproxy" squid, squidclient, squidguard, # End "service webproxy" # For "service monitoring telegraf" telegraf (>= 
1.20), # End "service monitoring telegraf" # For "service monitoring zabbix-agent" zabbix-agent2, # End "service monitoring zabbix-agent" # For "service tftp-server" tftpd-hpa, # End "service tftp-server" # For "service dns forwarding" pdns-recursor, # End "service dns forwarding" # For "service sla owamp" owamp-client, owamp-server, # End "service sla owamp" # For "service sla twamp" twamp-client, twamp-server, # End "service sla twamp" # For "service broadcast-relay" udp-broadcast-relay, # End "service broadcast-relay" # For "high-availability vrrp" keepalived (>=2.0.5), # End "high-availability-vrrp" # For "system task-scheduler" cron, # End "system task-scheduler" # For "system lcd" lcdproc, lcdproc-extra-drivers, # End "system lcd" # For "system config-management commit-archive" git, # End "system config-management commit-archive" # For firewall libndp-tools, libnetfilter-conntrack3, libnfnetlink0, nfct, nftables (>= 0.9.3), # For "vpn ipsec" strongswan (>= 5.9), strongswan-swanctl (>= 5.9), charon-systemd, libcharon-extra-plugins (>=5.9), libcharon-extauth-plugins (>=5.9), libstrongswan-extra-plugins (>=5.9), libstrongswan-standard-plugins (>=5.9), python3-vici (>= 5.7.2), # End "vpn ipsec" # For "nat64" jool, # End "nat64" # For "system conntrack modules rtsp" nat-rtsp, # End "system conntrack modules rtsp" # For "system ntp" chrony, # End "system ntp" # For "vpn openconnect" ocserv, # End "vpn openconnect" # For "system flow-accounting" pmacct (>= 1.6.0), # End "system flow-accounting" # For container podman, netavark, aardvark-dns, # iptables is only used for containers now, not the the firewall CLI iptables, # End container ## End Configuration mode ## Operational mode # Used for hypervisor model in "run show version" hvinfo, # For "run traceroute" traceroute, # For "run monitor traffic" tcpdump, # End "run monitor traffic" # For "show hardware dmi" dmidecode, # For "run show hardware storage smart" smartmontools, # For "run show hardware scsi" lsscsi, # 
For "run show hardware pci" pciutils, # For "show hardware usb" usbutils, # For "run show hardware storage nvme" nvme-cli, # For "run monitor bandwidth-test" iperf, iperf3, # End "run monitor bandwidth-test" # For "run wake-on-lan" etherwake, # For "run force ipv6-nd" ndisc6, # For "run monitor bandwidth" bmon, # End Operational mode ## TPM tools cryptsetup, tpm2-tools, ## End TPM tools ## Optional utilities easy-rsa, tcptraceroute, mtr-tiny, telnet, stunnel4, uidmap ## End optional utilities Description: VyOS configuration scripts and data VyOS configuration scripts, interface definitions, and everything Package: vyos-1x-vmware Architecture: amd64 Depends: vyos-1x, open-vm-tools Description: VyOS configuration scripts and data for VMware Adds configuration files required for VyOS running on VMware hosts. Package: vyos-1x-smoketest Architecture: all Depends: skopeo, snmp, vyos-1x Description: VyOS build sanity checking toolkit diff --git a/src/tests/test_dependency_graph.py b/scripts/generate-configd-include-json.py old mode 100644 new mode 100755 similarity index 54% copy from src/tests/test_dependency_graph.py copy to scripts/generate-configd-include-json.py index f682e87bb..b4b627fce --- a/src/tests/test_dependency_graph.py +++ b/scripts/generate-configd-include-json.py 
@@ -1,31 +1,34 @@ #!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors +# Copyright (C) 2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -from vyos.configdep import check_dependency_graph +from jinja2 import Template -_here = os.path.dirname(__file__) -ddir = os.path.join(_here, '../../data/config-mode-dependencies') +conf_scripts = 'src/conf_mode' +configd_include = 'data/configd-include.json' -from unittest import TestCase +configd_template = Template("""[ +{% for file in files %} +"{{ file }}"{{ "," if not loop.last else "" }} +{% endfor %} +] +""", trim_blocks=True) -class TestDependencyGraph(TestCase): - def setUp(self): - pass +files = [f for f in os.listdir(conf_scripts) if os.path.isfile(f'{conf_scripts}/{f}')] +files = sorted(files) - def test_acyclic(self): - res = check_dependency_graph(dependency_dir=ddir) - self.assertTrue(res) +tmp = {'files' : files} +with open(configd_include, 'w') as f: + f.write(configd_template.render(tmp)) diff --git a/smoketest/bin/vyos-configtest b/smoketest/bin/vyos-configtest index c1b602737..fbf4055ad 100755 --- a/smoketest/bin/vyos-configtest +++ b/smoketest/bin/vyos-configtest 
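Review bot: The include list is serialised through a hand-written Jinja2 template (`configd_template`), so a filename containing `"` or `\` would produce invalid JSON, and it adds a Jinja2 dependency to a build step that otherwise only needs the standard library; `json.dump` emits the same one-entry-per-line list without either concern, replacing `from jinja2 import Template` with `import json`. The listing takes every regular file in `src/conf_mode`, whereas the deleted `data/configd-include.json` contained only `.py` names — if stray files (editor backups, compiled files) can appear in that directory they would now be handed to vyos-configd, so an explicit `.py` filter seems warranted, though I cannot see vyos-configd's handling from here. `conf_scripts` and `configd_include` are relative paths, so the script only works when invoked from the repository root; resolving them from `__file__`, as the copied test did with `_here`, removes that assumption.

```python
# … unchanged: license header and `import os` (jinja2 import replaced by `import json`) …

_here = os.path.dirname(os.path.abspath(__file__))
conf_scripts = os.path.join(_here, '..', 'src', 'conf_mode')
configd_include = os.path.join(_here, '..', 'data', 'configd-include.json')

# Only the conf_mode scripts themselves belong in the list; skip anything else
# that may sit in the directory (editor backups, compiled files).
files = sorted(f for f in os.listdir(conf_scripts)
               if f.endswith('.py') and os.path.isfile(os.path.join(conf_scripts, f)))

with open(configd_include, 'w') as f:
    json.dump(files, f, indent=0)
    f.write('\n')
```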
@@ -1,101 +1,102 @@ #!/usr/bin/env python3 # # Copyright (C) 2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os import sys import time import logging import unittest from vyos.configsession import ConfigSession, ConfigSessionError from vyos import ConfigError config_dir = '/usr/libexec/vyos/tests/config' config_test_dir = '/usr/libexec/vyos/tests/config-tests' save_config = '/tmp/vyos-configtest-save' class DynamicClassBase(unittest.TestCase): def setUp(self): self._start_time = time.time() self.session = ConfigSession(os.getpid()) self.session.save_config(save_config) def tearDown(self): self.session.migrate_and_load_config(save_config) self.session.commit() log.info(f" time: {time.time() - self._start_time:.3f}") del self.session try: os.remove(save_config) except OSError: pass def make_test_function(filename, test_path=None): def test_config_load(self): config_path = os.path.join(config_dir, filename) self.session.migrate_and_load_config(config_path) try: self.session.commit() except (ConfigError, ConfigSessionError): self.session.discard() self.fail() if test_path: config_commands = self.session.show(['configuration', 'commands']) - + with open(test_path, 'r') as f: for line in f.readlines(): if not line or line.startswith("#"): continue self.assertIn(line, config_commands) return test_config_load def class_name_from_func_name(s): res = ''.join(str.capitalize(x) for x in s.split('_')) return res 
if __name__ == '__main__': logging.basicConfig(stream=sys.stdout, level=logging.DEBUG, format='%(message)s') log = logging.getLogger("TestConfigLog") start_time = time.time() log.info("Generating tests") (_, _, config_list) = next(iter(os.walk(config_dir))) config_list.sort() for config in config_list: test_path = os.path.join(config_test_dir, config) if not os.path.exists(test_path): - test_path = None - else: - log.info(f'Loaded migration result test for config "{config}"') + log.error(f'Missing migration result test for config "{config}"') + sys.exit(1) + + log.info(f'Loaded migration result test for config "{config}"') test_func = make_test_function(config, test_path) func_name = config.replace('-', '_') klassname = f'TestConfig{class_name_from_func_name(func_name)}' globals()[klassname] = type(klassname, (DynamicClassBase,), {f'test_{func_name}': test_func}) log.info(f"... completed: {time.time() - start_time:.6f}") unittest.main(verbosity=2) diff --git a/smoketest/bin/vyos-configtest-pki b/smoketest/bin/vyos-configtest-pki index e753193e9..0f9ecdd41 100755 --- a/smoketest/bin/vyos-configtest-pki +++ b/smoketest/bin/vyos-configtest-pki 
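Review bot: The new branch calls `sys.exit(1)` on the first config file without a matching entry in `config_test_dir`, so a run with several missing result tests reports only one of them per invocation. Collecting the missing names before the `for config in config_list:` loop reports them all at once, e.g. `missing = [c for c in config_list if not os.path.exists(os.path.join(config_test_dir, c))]`, then `log.error(...)` with the joined list and `sys.exit(1)` if it is non-empty, and the loop no longer needs the existence check. Since `test_path` can no longer be `None`, the `if test_path:` guard in `make_test_function` (earlier in the hunk) is always true and the `test_path=None` default is dead; both can be dropped.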
@@ -1,139 +1,139 @@ #!/usr/bin/env python3 # # Copyright (C) 2022-2024, VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. from os import system from vyos.pki import create_private_key from vyos.pki import create_certificate_request from vyos.pki import create_certificate from vyos.pki import create_certificate_revocation_list from vyos.pki import create_dh_parameters from vyos.pki import encode_certificate from vyos.pki import encode_dh_parameters from vyos.pki import encode_private_key from vyos.utils.file import write_file -subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'vyos'} -ca_subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'vyos CA'} -subca_subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'vyos SubCA'} +subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'VyOS'} +ca_subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'VyOS CA'} +subca_subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'VyOS SubCA'} ca_cert = '/config/auth/ovpn_test_ca.pem' ca_key = '/config/auth/ovpn_test_ca.key' ca_cert_chain = '/config/auth/ovpn_test_chain.pem' ca_crl = '/config/auth/ovpn_test_ca.crl' subca_cert = 
'/config/auth/ovpn_test_subca.pem' subca_csr = '/tmp/subca.csr' subca_key = '/config/auth/ovpn_test_subca.key' ssl_cert = '/config/auth/ovpn_test_server.pem' ssl_key = '/config/auth/ovpn_test_server.key' dh_pem = '/config/auth/ovpn_test_dh.pem' s2s_key = '/config/auth/ovpn_test_site2site.key' auth_key = '/config/auth/ovpn_test_tls_auth.key' rpki_ssh_priv_key = """ -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn NhAAAAAwEAAQAAAQEAweDyflDFR4qyEwETbJkZ2ZZc+sJNiDTvYpwGsWIkju49lJSxHe1x Kf8FhwfyMu40Snt1yDlRmmmz4CsbLgbuZGMPvXG11e34+C0pSVUvpF6aqRTeLl1pDRK7Rn jgm3su+I8SRLQR4qbLG6VXWOFuVpwiqbExLaU0hFYTPNP+dArNpsWEEKsohk6pTXdhg3Vz Wp3vCMjl2JTshDa3lD7p2xISSAReEY0fnfEAmQzH4Z6DIwwGdFuMWoQIg+oFBM9ARrO2/F IjRsz6AecR/WeU72JEw4aJic1/cAJQA6PiQBHwkuo3Wll1tbpxeRZoB2NQG22ETyJLvhfT aooNLT9HpQAAA8joU5dM6FOXTAAAAAdzc2gtcnNhAAABAQDB4PJ+UMVHirITARNsmRnZll z6wk2INO9inAaxYiSO7j2UlLEd7XEp/wWHB/Iy7jRKe3XIOVGaabPgKxsuBu5kYw+9cbXV 7fj4LSlJVS+kXpqpFN4uXWkNErtGeOCbey74jxJEtBHipssbpVdY4W5WnCKpsTEtpTSEVh M80/50Cs2mxYQQqyiGTqlNd2GDdXNane8IyOXYlOyENreUPunbEhJIBF4RjR+d8QCZDMfh noMjDAZ0W4xahAiD6gUEz0BGs7b8UiNGzPoB5xH9Z5TvYkTDhomJzX9wAlADo+JAEfCS6j daWXW1unF5FmgHY1AbbYRPIku+F9Nqig0tP0elAAAAAwEAAQAAAQACkDlUjzfUhtJs6uY5 WNrdJB5NmHUS+HQzzxFNlhkapK6+wKqI1UNaRUtq6iF7J+gcFf7MK2nXS098BsXguWm8fQ zPuemoDvHsQhiaJhyvpSqRUrvPTB/f8t/0AhQiKiJIWgfpTaIw53inAGwjujNNxNm2eafH TThhCYxOkRT7rsT6bnSio6yeqPy5QHg7IKFztp5FXDUyiOS3aX3SvzQcDUkMXALdvzX50t 1XIk+X48Rgkq72dL4VpV2oMNDu3hM6FqBUplf9Mv3s51FNSma/cibCQoVufrIfoqYjkNTj IpYFUcq4zZ0/KvgXgzSsy9VN/4TtbalrOuu7X/SHJbvhAAAAgGPFsXgONYQvXxCnK1dIue ozgaZg1I/n522E2ZCOXBW4dYJVyNpppwRreDzuFzTDEe061MpNHfScjVBJCCulivFYWscL 6oaGsryDbFxO3QmB4I98UBqrds2yan9/JGc6EYe299yvaHy7Y64+NC0+fN8H2RAZ61T4w1 0JrCaJRyvzAAAAgQDvBfuV1U7o9k/fbU+U7W2UYnWblpOZAMfi1XQP6IJJeyWs90PdTdXh +l0eIQrCawIiRJytNfxMmbD4huwTf77fWiyCcPznmALQ7ex/yJ+W5Z0V4dPGF3h7o1uiS2 36JhQ7mfcliCkhp/1PIklBIMPcCp0zl+s9wMv2hX7w1Pah9QAAAIEAz6YgU9Xute+J+dBw 
oWxEQ+igR6KE55Um7O9AvSrqnCm9r7lSFsXC2ErYOxoDSJ3yIBEV0b4XAGn6tbbVIs3jS8 BnLHxclAHQecOx1PGn7PKbnPW0oJRq/X9QCIEelKYvlykpayn7uZooTXqcDaPZxfPpmPdy e8chVJvdygi7kPEAAAAMY3BvQExSMS53dWUzAQIDBAUGBw== -----END OPENSSH PRIVATE KEY----- """ rpki_ssh_pub_key = """ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB4PJ+UMVHirITARNsmRnZllz6wk2INO9inAaxYiSO7j2UlLEd7XEp/wWHB/Iy7jRKe3XIOVGaabPgKxsuBu5kYw+9cbXV7fj4LSlJVS+kXpqpFN4uXWkNErtGeOCbey74jxJEtBHipssbpVdY4W5WnCKpsTEtpTSEVhM80/50Cs2mxYQQqyiGTqlNd2GDdXNane8IyOXYlOyENreUPunbEhJIBF4RjR+d8QCZDMfhnoMjDAZ0W4xahAiD6gUEz0BGs7b8UiNGzPoB5xH9Z5TvYkTDhomJzX9wAlADo+JAEfCS6jdaWXW1unF5FmgHY1AbbYRPIku+F9Nqig0tP0el vyos@vyos """ def create_cert(subject, cert_path, key_path, sign_by=None, sign_by_key=None, ca=False, sub_ca=False): priv_key = create_private_key('rsa', 2048) cert_req = create_certificate_request(subject, priv_key) cert = create_certificate( cert_req, sign_by if sign_by else cert_req, sign_by_key if sign_by_key else priv_key, is_ca=ca, is_sub_ca=sub_ca) with open(cert_path, 'w') as f: f.write(encode_certificate(cert)) with open(key_path, 'w') as f: f.write(encode_private_key(priv_key)) return cert, priv_key def create_empty_crl(crl_path, sign_by, sign_by_key): crl = create_certificate_revocation_list(sign_by, sign_by_key, [1]) with open(crl_path, 'w') as f: f.write(encode_certificate(crl)) return crl if __name__ == '__main__': # Create Root CA ca_cert_obj, ca_key_obj = create_cert(ca_subject, ca_cert, ca_key, ca=True) # Create Empty CRL create_empty_crl(ca_crl, ca_cert_obj, ca_key_obj) # Create Intermediate CA subca_cert_obj, subca_key_obj = create_cert( subca_subject, subca_cert, subca_key, sign_by=ca_cert_obj, sign_by_key=ca_key_obj, ca=True, sub_ca=True) # Create Chain with open(ca_cert_chain, 'w') as f: f.write(encode_certificate(subca_cert_obj) + "\n") f.write(encode_certificate(ca_cert_obj) + "\n") # Create Server Cert create_cert(subject, ssl_cert, ssl_key, sign_by=subca_cert_obj, sign_by_key=subca_key_obj) # Create DH params dh_params 
= create_dh_parameters() with open(dh_pem, 'w') as f: f.write(encode_dh_parameters(dh_params)) # OpenVPN S2S Key system(f'openvpn --genkey secret {s2s_key}') # OpenVPN Auth Key system(f'openvpn --genkey secret {auth_key}') write_file('/config/id_rsa', rpki_ssh_priv_key.strip()) write_file('/config/id_rsa.pub', rpki_ssh_pub_key.strip()) write_file('/config/known-hosts-file', '') diff --git a/smoketest/config-tests/basic-api-service b/smoketest/config-tests/basic-api-service index dc54929b9..3f796f35d 100644 --- a/smoketest/config-tests/basic-api-service +++ b/smoketest/config-tests/basic-api-service 
@@ -1,16 +1,28 @@
 set interfaces ethernet eth0 address '192.0.2.1/31'
 set interfaces ethernet eth0 address '2001:db8::1234/64'
+set interfaces ethernet eth0 offload gro
 set interfaces loopback lo
-set service ntp server time1.vyos.net
-set service ntp server time2.vyos.net
-set service ntp server time3.vyos.net
 set service https allow-client address '172.16.0.0/12'
 set service https allow-client address '192.168.0.0/16'
 set service https allow-client address '10.0.0.0/8'
 set service https allow-client address '2001:db8::/32'
 set service https api keys id 1 key 'S3cur3'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ntp server time3.vyos.net
 set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
 set system host-name 'vyos'
 set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
 set system login user vyos authentication plaintext-password ''
-set system console device ttyS0 speed '115200'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/basic-vyos b/smoketest/config-tests/basic-vyos
index d676c663d..6ff28ec2e 100644
--- a/smoketest/config-tests/basic-vyos
+++ b/smoketest/config-tests/basic-vyos
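Review bot: `set service ntp allow-client address '0.0.0.0/0'` together with `set service ntp allow-client address '::/0'` on the new side opens the NTP service to every client, while the `https allow-client` lines a few entries above deliberately limit the API to private and documentation ranges. If the two entries merely spell out what the NTP migration now writes for a config that had no allow-client at all, that is fine for a fixture; if the file is meant to model a restricted API host, reusing the same ranges, e.g. `set service ntp allow-client address '10.0.0.0/8'`, would keep the fixture self-consistent. The hunk alone does not say which is intended, so a short remark in the commit description would settle it.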
@@ -1,84 +1,103 @@
 set interfaces ethernet eth0 address '192.168.0.1/24'
 set interfaces ethernet eth0 address 'fe88::1/56'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 offload gro
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth1 offload gro
+set interfaces ethernet eth1 speed 'auto'
+set interfaces ethernet eth2 duplex 'auto'
+set interfaces ethernet eth2 offload gro
+set interfaces ethernet eth2 speed 'auto'
 set interfaces ethernet eth2 vif 100 address '100.100.0.1/24'
 set interfaces ethernet eth2 vif-s 200 address '100.64.200.254/24'
 set interfaces ethernet eth2 vif-s 200 vif-c 201 address '100.64.201.254/24'
 set interfaces ethernet eth2 vif-s 200 vif-c 201 address 'fe89::1/56'
 set interfaces ethernet eth2 vif-s 200 vif-c 202 address '100.64.202.254/24'
 set interfaces loopback lo
 set protocols static arp interface eth0 address 192.168.0.20 mac '00:50:00:00:00:20'
 set protocols static arp interface eth0 address 192.168.0.30 mac '00:50:00:00:00:30'
 set protocols static arp interface eth0 address 192.168.0.40 mac '00:50:00:00:00:40'
 set protocols static arp interface eth2.100 address 100.100.0.2 mac '00:50:00:00:02:02'
 set protocols static arp interface eth2.100 address 100.100.0.3 mac '00:50:00:00:02:03'
 set protocols static arp interface eth2.100 address 100.100.0.4 mac '00:50:00:00:02:04'
 set protocols static arp interface eth2.200 address 100.64.200.1 mac '00:50:00:00:00:01'
 set protocols static arp interface eth2.200 address 100.64.200.2 mac '00:50:00:00:00:02'
 set protocols static arp interface eth2.200.201 address 100.64.201.10 mac '00:50:00:00:00:10'
 set protocols static arp interface eth2.200.201 address 100.64.201.20 mac '00:50:00:00:00:20'
 set protocols static arp interface eth2.200.202 address 100.64.202.30 mac '00:50:00:00:00:30'
 set protocols static arp interface eth2.200.202 address 100.64.202.40 mac '00:50:00:00:00:40'
 set protocols static route 0.0.0.0/0 next-hop 100.64.0.1
-set service ssh ciphers 'aes128-ctr'
-set service ssh ciphers 'aes192-ctr'
-set service ssh ciphers 'aes256-ctr'
-set service ssh ciphers 'chacha20-poly1305@openssh.com'
-set service ssh ciphers 'rijndael-cbc@lysator.liu.se'
-set service ssh key-exchange 'curve25519-sha256@libssh.org'
-set service ssh key-exchange 'diffie-hellman-group1-sha1'
-set service ssh key-exchange 'diffie-hellman-group-exchange-sha1'
-set service ssh key-exchange 'diffie-hellman-group-exchange-sha256'
-set service ssh listen-address '192.168.0.1'
-set service ssh port '22'
 set service dhcp-server shared-network-name LAN authoritative
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-search 'vyos.net'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic start '192.168.0.30'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic stop '192.168.0.240'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST1-1 ip-address '192.168.0.11'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST1-1 mac '00:01:02:03:04:05'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST1-2 disable
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST1-2 ip-address '192.168.0.12'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST1-2 mac '00:01:02:03:04:05'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST2-1 ip-address '192.168.0.21'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST2-1 mac '00:01:02:03:04:21'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST2-2 disable
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST2-2 ip-address '192.168.0.21'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping TEST2-2 mac '00:01:02:03:04:22'
 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1'
 set service dhcpv6-server shared-network-name LAN6 subnet fe88::/56 interface 'eth0'
 set service dhcpv6-server shared-network-name LAN6 subnet fe88::/56 option domain-search 'vyos.net'
 set service dhcpv6-server shared-network-name LAN6 subnet fe88::/56 option name-server 'fe88::1'
 set service dhcpv6-server shared-network-name LAN6 subnet fe88::/56 range 1 prefix 'fe88::/60'
 set service dhcpv6-server shared-network-name LAN6 subnet fe88::/56 range 2 start 'fe88:0000:0000:fe::'
 set service dhcpv6-server shared-network-name LAN6 subnet fe88::/56 range 2 stop 'fe88:0000:0000:ff::'
 set service dhcpv6-server shared-network-name LAN6 subnet fe88::/56 subnet-id '1'
 set service dhcpv6-server shared-network-name LAN6 subnet fe89::/56 interface 'eth2.200.201'
 set service dhcpv6-server shared-network-name LAN6 subnet fe89::/56 option domain-search 'vyos.net'
 set service dhcpv6-server shared-network-name LAN6 subnet fe89::/56 option name-server 'fe89::1'
 set service dhcpv6-server shared-network-name LAN6 subnet fe89::/56 range 1 prefix 'fe89::/60'
 set service dhcpv6-server shared-network-name LAN6 subnet fe89::/56 range 2 start 'fe89:0000:0000:fe::'
 set service dhcpv6-server shared-network-name LAN6 subnet fe89::/56 range 2 stop 'fe89:0000:0000:ff::'
 set service dhcpv6-server shared-network-name LAN6 subnet fe89::/56 subnet-id '2'
 set service dns forwarding allow-from '192.168.0.0/16'
 set service dns forwarding cache-size '10000'
 set service dns forwarding dnssec 'off'
 set service dns forwarding listen-address '192.168.0.1'
+set service ssh ciphers 'aes128-ctr'
+set service ssh ciphers 'aes192-ctr'
+set service ssh ciphers 'aes256-ctr'
+set service ssh ciphers 'chacha20-poly1305@openssh.com'
+set service ssh ciphers 'rijndael-cbc@lysator.liu.se'
+set service ssh key-exchange 'curve25519-sha256@libssh.org'
+set service ssh key-exchange 'diffie-hellman-group1-sha1'
+set service ssh key-exchange 'diffie-hellman-group-exchange-sha1'
+set service ssh key-exchange 'diffie-hellman-group-exchange-sha256'
+set service ssh listen-address '192.168.0.1'
+set service ssh port '22'
 set system config-management commit-revisions '100'
 set system conntrack ignore ipv4 rule 1 destination address '192.0.2.2'
 set system conntrack ignore ipv4 rule 1 source address '192.0.2.1'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
 set system host-name 'vyos'
 set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
 set system login user vyos authentication plaintext-password ''
 set system name-server '192.168.0.1'
-set system syslog global facility auth level 'info'
-set system syslog global preserve-fqdn
 set system syslog console facility all level 'emerg'
 set system syslog console facility mail level 'info'
+set system syslog global facility all level 'info'
+set system syslog global facility auth level 'info'
+set system syslog global facility local7 level 'debug'
+set system syslog global preserve-fqdn
 set system syslog host syslog.vyos.net facility auth level 'warning'
 set system syslog host syslog.vyos.net facility local7 level 'notice'
 set system syslog host syslog.vyos.net format octet-counted
 set system syslog host syslog.vyos.net port '8000'
-set system console device ttyS0 speed '115200'
+set system time-zone 'Europe/Berlin'
diff --git a/smoketest/config-tests/bgp-azure-ipsec-gateway b/smoketest/config-tests/bgp-azure-ipsec-gateway
new file mode 100644
index 000000000..bbd7b961f
--- /dev/null
+++ b/smoketest/config-tests/bgp-azure-ipsec-gateway
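Review bot: The SSH algorithm lines re-added on the new side of this hunk still include `set service ssh ciphers 'rijndael-cbc@lysator.liu.se'`, `set service ssh key-exchange 'diffie-hellman-group1-sha1'` and `set service ssh key-exchange 'diffie-hellman-group-exchange-sha1'`, which are legacy CBC and 1024-bit/SHA-1 options that OpenSSH has not enabled by default for years. The commit only moves these entries into sorted order, so nothing regresses here, but if the fixture is intentionally proving that legacy algorithm names still load, saying so in the commit description keeps a later cleanup from silently removing that coverage. If they are simply carried over from the old config, the three legacy entries could be dropped without weakening what the smoketest checks.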
@@ -0,0 +1,231 @@ +set firewall global-options all-ping 'enable' +set firewall global-options broadcast-ping 'disable' +set firewall global-options ip-src-route 'disable' +set firewall global-options ipv6-receive-redirects 'disable' +set firewall global-options ipv6-src-route 'disable' +set firewall global-options log-martians 'disable' +set firewall global-options receive-redirects 'disable' +set firewall global-options send-redirects 'enable' +set firewall global-options source-validation 'disable' +set firewall global-options syn-cookies 'enable' +set firewall global-options twa-hazards-protection 'disable' +set high-availability vrrp group DMZ-VLAN-3962 address 192.168.34.36/27 +set high-availability vrrp group DMZ-VLAN-3962 interface 'eth1' +set high-availability vrrp group DMZ-VLAN-3962 preempt-delay '180' +set high-availability vrrp group DMZ-VLAN-3962 priority '200' +set high-availability vrrp group DMZ-VLAN-3962 vrid '62' +set interfaces ethernet eth0 address '192.0.2.189/27' +set interfaces ethernet eth0 duplex 'auto' +set interfaces ethernet eth0 offload gro +set interfaces ethernet eth0 speed 'auto' +set interfaces ethernet eth1 address '192.168.34.37/27' +set interfaces ethernet eth1 duplex 'auto' +set interfaces ethernet eth1 offload gro +set interfaces ethernet eth1 speed 'auto' +set interfaces loopback lo +set interfaces vti vti31 ip adjust-mss '1350' +set interfaces vti vti32 ip adjust-mss '1350' +set interfaces vti vti41 ip adjust-mss '1350' +set interfaces vti vti42 ip adjust-mss '1350' +set interfaces vti vti51 ip adjust-mss '1350' +set interfaces vti vti52 ip adjust-mss '1350' +set policy prefix-list AZURE-BGP-IPv4-in description 'Prefixes received from Azure' +set policy prefix-list AZURE-BGP-IPv4-in rule 100 action 'permit' +set policy prefix-list AZURE-BGP-IPv4-in rule 100 le '32' +set policy prefix-list AZURE-BGP-IPv4-in rule 100 prefix '100.64.0.0/10' +set policy prefix-list ONPREM-BGP-IPv4-out description 'Prefixes allowed to be announced 
into Azure' +set policy prefix-list ONPREM-BGP-IPv4-out rule 100 action 'permit' +set policy prefix-list ONPREM-BGP-IPv4-out rule 100 prefix '10.0.0.0/8' +set policy prefix-list ONPREM-BGP-IPv4-out rule 200 action 'permit' +set policy prefix-list ONPREM-BGP-IPv4-out rule 200 prefix '172.16.0.0/12' +set policy prefix-list ONPREM-BGP-IPv4-out rule 300 action 'permit' +set policy prefix-list ONPREM-BGP-IPv4-out rule 300 prefix '192.168.0.0/16' +set protocols bgp address-family ipv4-unicast network 10.0.0.0/8 +set protocols bgp address-family ipv4-unicast network 172.16.0.0/12 +set protocols bgp address-family ipv4-unicast network 192.168.0.0/16 +set protocols bgp neighbor 100.66.8.36 peer-group 'AZURE' +set protocols bgp neighbor 100.66.8.36 remote-as '64517' +set protocols bgp neighbor 100.66.8.37 peer-group 'AZURE' +set protocols bgp neighbor 100.66.8.37 remote-as '64517' +set protocols bgp neighbor 100.66.24.36 peer-group 'AZURE' +set protocols bgp neighbor 100.66.24.36 remote-as '64513' +set protocols bgp neighbor 100.66.24.37 peer-group 'AZURE' +set protocols bgp neighbor 100.66.24.37 remote-as '64513' +set protocols bgp neighbor 100.66.40.36 peer-group 'AZURE' +set protocols bgp neighbor 100.66.40.36 remote-as '64515' +set protocols bgp neighbor 100.66.40.37 peer-group 'AZURE' +set protocols bgp neighbor 100.66.40.37 remote-as '64515' +set protocols bgp neighbor 192.168.34.38 address-family ipv4-unicast nexthop-self +set protocols bgp neighbor 192.168.34.38 address-family ipv4-unicast soft-reconfiguration inbound +set protocols bgp neighbor 192.168.34.38 capability dynamic +set protocols bgp neighbor 192.168.34.38 password 'VyOSR0xx123' +set protocols bgp neighbor 192.168.34.38 remote-as '65522' +set protocols bgp neighbor 192.168.34.38 update-source 'eth1' +set protocols bgp peer-group AZURE address-family ipv4-unicast maximum-prefix '50' +set protocols bgp peer-group AZURE address-family ipv4-unicast prefix-list export 'ONPREM-BGP-IPv4-out' +set protocols bgp 
peer-group AZURE address-family ipv4-unicast prefix-list import 'AZURE-BGP-IPv4-in' +set protocols bgp peer-group AZURE ebgp-multihop '2' +set protocols bgp peer-group AZURE update-source 'eth1' +set protocols bgp system-as '65522' +set protocols bgp timers holdtime '30' +set protocols bgp timers keepalive '5' +set protocols static route 0.0.0.0/0 next-hop 192.168.34.33 +set protocols static route 51.105.0.0/16 next-hop 192.0.2.161 +set protocols static route 52.143.0.0/16 next-hop 192.0.2.161 +set protocols static route 100.66.8.36/32 interface vti31 +set protocols static route 100.66.8.36/32 interface vti32 +set protocols static route 100.66.8.37/32 interface vti31 +set protocols static route 100.66.8.37/32 interface vti32 +set protocols static route 100.66.24.36/32 interface vti41 +set protocols static route 100.66.24.36/32 interface vti42 +set protocols static route 100.66.24.37/32 interface vti41 +set protocols static route 100.66.24.37/32 interface vti42 +set protocols static route 100.66.40.36/32 interface vti51 +set protocols static route 100.66.40.36/32 interface vti52 +set protocols static route 100.66.40.37/32 interface vti51 +set protocols static route 100.66.40.37/32 interface vti52 +set protocols static route 195.137.175.0/24 next-hop 192.0.2.161 +set protocols static route 212.23.159.0/26 next-hop 192.0.2.161 +set service ntp allow-client address '0.0.0.0/0' +set service ntp allow-client address '::/0' +set service ntp server 192.0.2.254 +set service snmp v3 engineid 'ff42' +set service snmp v3 group default mode 'ro' +set service snmp v3 group default seclevel 'priv' +set service snmp v3 group default view 'default' +set service snmp v3 user VyOS auth encrypted-password '1ad73f4620b8c0dd2de066622f875b161a14adad' +set service snmp v3 user VyOS auth type 'sha' +set service snmp v3 user VyOS group 'default' +set service snmp v3 user VyOS privacy encrypted-password '1ad73f4620b8c0dd2de066622f875b16' +set service snmp v3 user VyOS privacy type 'aes' +set 
service snmp v3 view default oid 1 +set service ssh disable-host-validation +set service ssh port '22' +set system config-management commit-revisions '100' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system console device ttyS0 speed '115200' +set system domain-name 'vyos.net' +set system flow-accounting interface 'eth1' +set system flow-accounting interface 'vti31' +set system flow-accounting interface 'vti32' +set system flow-accounting interface 'vti41' +set system flow-accounting interface 'vti42' +set system flow-accounting interface 'vti51' +set system flow-accounting interface 'vti52' +set system flow-accounting netflow server 10.0.1.1 port '2055' +set system flow-accounting netflow source-address '192.168.34.37' +set system flow-accounting netflow version '10' +set system flow-accounting syslog-facility 'daemon' +set system host-name 'azure-gw-01' +set system login radius server 192.0.2.253 key 'secret1234' +set system login radius server 192.0.2.253 port '1812' +set system login radius server 192.0.2.253 timeout '2' +set system login radius server 192.0.2.254 key 'secret1234' +set system login radius server 192.0.2.254 port '1812' +set system login radius server 192.0.2.254 timeout '2' +set system login radius source-address '192.168.34.37' +set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0' +set system login user vyos authentication plaintext-password '' +set system logs logrotate messages max-size '20' +set system logs logrotate messages rotate '10' +set system name-server '192.0.2.254' +set system syslog global facility all level 'info' +set system syslog global facility local7 level 'debug' +set system syslog host 10.0.9.188 facility all 
level 'info' +set system syslog host 10.0.9.188 protocol 'udp' +set system time-zone 'Europe/Berlin' +set vpn ipsec authentication psk peer_51-105-0-1 id '51.105.0.1' +set vpn ipsec authentication psk peer_51-105-0-1 id '192.0.2.189' +set vpn ipsec authentication psk peer_51-105-0-1 secret 'averysecretpsktowardsazure' +set vpn ipsec authentication psk peer_51-105-0-2 id '51.105.0.2' +set vpn ipsec authentication psk peer_51-105-0-2 id '192.0.2.189' +set vpn ipsec authentication psk peer_51-105-0-2 secret 'averysecretpsktowardsazure' +set vpn ipsec authentication psk peer_51-105-0-3 id '51.105.0.3' +set vpn ipsec authentication psk peer_51-105-0-3 id '192.0.2.189' +set vpn ipsec authentication psk peer_51-105-0-3 secret 'averysecretpsktowardsazure' +set vpn ipsec authentication psk peer_51-105-0-4 id '51.105.0.4' +set vpn ipsec authentication psk peer_51-105-0-4 id '192.0.2.189' +set vpn ipsec authentication psk peer_51-105-0-4 secret 'averysecretpsktowardsazure' +set vpn ipsec authentication psk peer_51-105-0-5 id '51.105.0.5' +set vpn ipsec authentication psk peer_51-105-0-5 id '192.0.2.189' +set vpn ipsec authentication psk peer_51-105-0-5 secret 'averysecretpsktowardsazure' +set vpn ipsec authentication psk peer_51-105-0-6 id '51.105.0.6' +set vpn ipsec authentication psk peer_51-105-0-6 id '192.0.2.189' +set vpn ipsec authentication psk peer_51-105-0-6 secret 'averysecretpsktowardsazure' +set vpn ipsec esp-group ESP-AZURE lifetime '27000' +set vpn ipsec esp-group ESP-AZURE mode 'tunnel' +set vpn ipsec esp-group ESP-AZURE pfs 'disable' +set vpn ipsec esp-group ESP-AZURE proposal 1 encryption 'aes256' +set vpn ipsec esp-group ESP-AZURE proposal 1 hash 'sha1' +set vpn ipsec ike-group IKE-AZURE close-action 'none' +set vpn ipsec ike-group IKE-AZURE dead-peer-detection action 'restart' +set vpn ipsec ike-group IKE-AZURE dead-peer-detection interval '2' +set vpn ipsec ike-group IKE-AZURE dead-peer-detection timeout '15' +set vpn ipsec ike-group IKE-AZURE key-exchange 
'ikev2' +set vpn ipsec ike-group IKE-AZURE lifetime '27000' +set vpn ipsec ike-group IKE-AZURE proposal 1 dh-group '2' +set vpn ipsec ike-group IKE-AZURE proposal 1 encryption 'aes256' +set vpn ipsec ike-group IKE-AZURE proposal 1 hash 'sha1' +set vpn ipsec interface 'eth0' +set vpn ipsec log level '2' +set vpn ipsec log subsystem 'ike' +set vpn ipsec site-to-site peer peer_51-105-0-1 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer peer_51-105-0-1 authentication remote-id '51.105.0.1' +set vpn ipsec site-to-site peer peer_51-105-0-1 connection-type 'respond' +set vpn ipsec site-to-site peer peer_51-105-0-1 default-esp-group 'ESP-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-1 ike-group 'IKE-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-1 ikev2-reauth 'inherit' +set vpn ipsec site-to-site peer peer_51-105-0-1 local-address '192.0.2.189' +set vpn ipsec site-to-site peer peer_51-105-0-1 remote-address '51.105.0.1' +set vpn ipsec site-to-site peer peer_51-105-0-1 vti bind 'vti51' +set vpn ipsec site-to-site peer peer_51-105-0-2 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer peer_51-105-0-2 authentication remote-id '51.105.0.2' +set vpn ipsec site-to-site peer peer_51-105-0-2 connection-type 'respond' +set vpn ipsec site-to-site peer peer_51-105-0-2 default-esp-group 'ESP-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-2 ike-group 'IKE-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-2 ikev2-reauth 'inherit' +set vpn ipsec site-to-site peer peer_51-105-0-2 local-address '192.0.2.189' +set vpn ipsec site-to-site peer peer_51-105-0-2 remote-address '51.105.0.2' +set vpn ipsec site-to-site peer peer_51-105-0-2 vti bind 'vti52' +set vpn ipsec site-to-site peer peer_51-105-0-3 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer peer_51-105-0-3 authentication remote-id '51.105.0.3' +set vpn ipsec site-to-site peer peer_51-105-0-3 connection-type 'respond' +set vpn ipsec 
site-to-site peer peer_51-105-0-3 ike-group 'IKE-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-3 ikev2-reauth 'inherit' +set vpn ipsec site-to-site peer peer_51-105-0-3 local-address '192.0.2.189' +set vpn ipsec site-to-site peer peer_51-105-0-3 remote-address '51.105.0.3' +set vpn ipsec site-to-site peer peer_51-105-0-3 vti bind 'vti32' +set vpn ipsec site-to-site peer peer_51-105-0-3 vti esp-group 'ESP-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-4 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer peer_51-105-0-4 authentication remote-id '51.105.0.4' +set vpn ipsec site-to-site peer peer_51-105-0-4 connection-type 'respond' +set vpn ipsec site-to-site peer peer_51-105-0-4 ike-group 'IKE-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-4 ikev2-reauth 'inherit' +set vpn ipsec site-to-site peer peer_51-105-0-4 local-address '192.0.2.189' +set vpn ipsec site-to-site peer peer_51-105-0-4 remote-address '51.105.0.4' +set vpn ipsec site-to-site peer peer_51-105-0-4 vti bind 'vti31' +set vpn ipsec site-to-site peer peer_51-105-0-4 vti esp-group 'ESP-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-5 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer peer_51-105-0-5 authentication remote-id '51.105.0.5' +set vpn ipsec site-to-site peer peer_51-105-0-5 connection-type 'respond' +set vpn ipsec site-to-site peer peer_51-105-0-5 ike-group 'IKE-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-5 ikev2-reauth 'inherit' +set vpn ipsec site-to-site peer peer_51-105-0-5 local-address '192.0.2.189' +set vpn ipsec site-to-site peer peer_51-105-0-5 remote-address '51.105.0.5' +set vpn ipsec site-to-site peer peer_51-105-0-5 vti bind 'vti42' +set vpn ipsec site-to-site peer peer_51-105-0-5 vti esp-group 'ESP-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-6 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer peer_51-105-0-6 authentication remote-id '51.105.0.6' +set vpn ipsec 
site-to-site peer peer_51-105-0-6 connection-type 'respond' +set vpn ipsec site-to-site peer peer_51-105-0-6 ike-group 'IKE-AZURE' +set vpn ipsec site-to-site peer peer_51-105-0-6 ikev2-reauth 'inherit' +set vpn ipsec site-to-site peer peer_51-105-0-6 local-address '192.0.2.189' +set vpn ipsec site-to-site peer peer_51-105-0-6 remote-address '51.105.0.6' +set vpn ipsec site-to-site peer peer_51-105-0-6 vti bind 'vti41' +set vpn ipsec site-to-site peer peer_51-105-0-6 vti esp-group 'ESP-AZURE' diff --git a/smoketest/config-tests/bgp-bfd-communities b/smoketest/config-tests/bgp-bfd-communities new file mode 100644 index 000000000..6eee0137e --- /dev/null +++ b/smoketest/config-tests/bgp-bfd-communities 
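Review bot: The crypto proposals in this new fixture, `set vpn ipsec ike-group IKE-AZURE proposal 1 dh-group '2'` with `hash 'sha1'` and `set vpn ipsec esp-group ESP-AZURE pfs 'disable'`, describe a 1024-bit MODP / SHA-1 tunnel without PFS, which, as far as I know, is well below what Azure VPN gateways negotiate over IKEv2 today. If this is a regression fixture for an existing deployment it should stay exactly as-is; if it is also meant to serve as a reference Azure topology, a stronger proposal such as `dh-group '14'` with `hash 'sha256'` and PFS enabled would be the better example to ship, and the commit description should say which of the two it is. The IPsec `secret 'averysecretpsktowardsazure'`, RADIUS `key 'secret1234'` and BGP `password 'VyOSR0xx123'` are clearly placeholders on RFC 5737 addresses, but secret scanners will still flag them, so this directory is a candidate for the scanner's allowlist. Peers 1–2 use `default-esp-group 'ESP-AZURE'` while peers 3–6 use `vti esp-group 'ESP-AZURE'`; if that asymmetry is deliberate to exercise both CLI paths it is worth a remark, otherwise aligning them makes the fixture easier to reason about.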
@@ -0,0 +1,201 @@ +set interfaces ethernet eth0 address '192.0.2.100/25' +set interfaces ethernet eth0 address '2001:db8::ffff/64' +set interfaces ethernet eth0 offload gro +set interfaces loopback lo +set policy large-community-list ANYCAST_ALL rule 10 action 'permit' +set policy large-community-list ANYCAST_ALL rule 10 description 'Allow all anycast from anywhere' +set policy large-community-list ANYCAST_ALL rule 10 regex '4242420696:100:.*' +set policy large-community-list ANYCAST_INT rule 10 action 'permit' +set policy large-community-list ANYCAST_INT rule 10 description 'Allow all anycast from int' +set policy large-community-list ANYCAST_INT rule 10 regex '4242420696:100:1' +set policy prefix-list BGP-BACKBONE-IN description 'Inbound backbone routes from other sites' +set policy prefix-list BGP-BACKBONE-IN rule 10 action 'deny' +set policy prefix-list BGP-BACKBONE-IN rule 10 description 'Block default route' +set policy prefix-list BGP-BACKBONE-IN rule 10 prefix '0.0.0.0/0' +set policy prefix-list BGP-BACKBONE-IN rule 20 action 'deny' +set policy prefix-list BGP-BACKBONE-IN rule 20 description 'Block int primary' +set policy prefix-list BGP-BACKBONE-IN rule 20 ge '21' +set policy prefix-list BGP-BACKBONE-IN rule 20 prefix '192.168.0.0/20' +set policy prefix-list BGP-BACKBONE-IN rule 30 action 'deny' +set policy prefix-list BGP-BACKBONE-IN rule 30 description 'Block loopbacks' +set policy prefix-list BGP-BACKBONE-IN rule 30 ge '25' +set policy prefix-list BGP-BACKBONE-IN rule 30 prefix '192.168.253.0/24' +set policy prefix-list BGP-BACKBONE-IN rule 40 action 'deny' +set policy prefix-list BGP-BACKBONE-IN rule 40 description 'Block backbone peering' +set policy prefix-list BGP-BACKBONE-IN rule 40 ge '25' +set policy prefix-list BGP-BACKBONE-IN rule 40 prefix '192.168.254.0/24' +set policy prefix-list BGP-BACKBONE-IN rule 999 action 'permit' +set policy prefix-list BGP-BACKBONE-IN rule 999 description 'Allow everything else' +set policy prefix-list 
BGP-BACKBONE-IN rule 999 ge '1' +set policy prefix-list BGP-BACKBONE-IN rule 999 prefix '0.0.0.0/0' +set policy prefix-list BGP-BACKBONE-OUT description 'Outbound backbone routes to other sites' +set policy prefix-list BGP-BACKBONE-OUT rule 10 action 'permit' +set policy prefix-list BGP-BACKBONE-OUT rule 10 description 'Int primary' +set policy prefix-list BGP-BACKBONE-OUT rule 10 ge '23' +set policy prefix-list BGP-BACKBONE-OUT rule 10 prefix '192.168.0.0/20' +set policy prefix-list GLOBAL description 'Globally redistributed routes' +set policy prefix-list GLOBAL rule 10 action 'permit' +set policy prefix-list GLOBAL rule 10 prefix '192.168.100.1/32' +set policy prefix-list GLOBAL rule 20 action 'permit' +set policy prefix-list GLOBAL rule 20 prefix '192.168.7.128/25' +set policy prefix-list6 BGP-BACKBONE-IN-V6 description 'Inbound backbone routes from other sites' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 action 'deny' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 description 'Block default route' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 prefix '::/0' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 action 'deny' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 description 'Block int primary' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 ge '53' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 prefix 'fd52:d62e:8011::/52' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 action 'deny' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 description 'Block peering and stuff' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 ge '53' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 prefix 'fd52:d62e:8011:f000::/52' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 action 'permit' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 description 'Allow everything else' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 ge '1' +set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 prefix '::/0' +set policy prefix-list6 
BGP-BACKBONE-OUT-V6 description 'Outbound backbone routes to other sites' +set policy prefix-list6 BGP-BACKBONE-OUT-V6 rule 10 action 'permit' +set policy prefix-list6 BGP-BACKBONE-OUT-V6 rule 10 ge '64' +set policy prefix-list6 BGP-BACKBONE-OUT-V6 rule 10 prefix 'fd52:d62e:8011::/52' +set policy prefix-list6 GLOBAL-V6 description 'Globally redistributed routes' +set policy prefix-list6 GLOBAL-V6 rule 10 action 'permit' +set policy prefix-list6 GLOBAL-V6 rule 10 ge '64' +set policy prefix-list6 GLOBAL-V6 rule 10 prefix 'fd52:d62e:8011:2::/63' +set policy route-map BGP-BACKBONE-IN rule 10 action 'permit' +set policy route-map BGP-BACKBONE-IN rule 10 match ip address prefix-list 'BGP-BACKBONE-IN' +set policy route-map BGP-BACKBONE-IN rule 20 action 'permit' +set policy route-map BGP-BACKBONE-IN rule 20 match ipv6 address prefix-list 'BGP-BACKBONE-IN-V6' +set policy route-map BGP-BACKBONE-IN rule 30 action 'permit' +set policy route-map BGP-BACKBONE-IN rule 30 match large-community large-community-list 'ANYCAST_ALL' +set policy route-map BGP-BACKBONE-OUT rule 10 action 'permit' +set policy route-map BGP-BACKBONE-OUT rule 10 match ip address prefix-list 'BGP-BACKBONE-OUT' +set policy route-map BGP-BACKBONE-OUT rule 20 action 'permit' +set policy route-map BGP-BACKBONE-OUT rule 20 match ipv6 address prefix-list 'BGP-BACKBONE-OUT-V6' +set policy route-map BGP-BACKBONE-OUT rule 30 action 'permit' +set policy route-map BGP-BACKBONE-OUT rule 30 match large-community large-community-list 'ANYCAST_INT' +set policy route-map BGP-BACKBONE-OUT rule 30 set as-path prepend '4242420666' +set policy route-map BGP-REDISTRIBUTE rule 10 action 'permit' +set policy route-map BGP-REDISTRIBUTE rule 10 description 'Prepend AS and allow VPN and modem' +set policy route-map BGP-REDISTRIBUTE rule 10 match ip address prefix-list 'GLOBAL' +set policy route-map BGP-REDISTRIBUTE rule 10 set as-path prepend '4242420666' +set policy route-map BGP-REDISTRIBUTE rule 20 action 'permit' +set policy 
route-map BGP-REDISTRIBUTE rule 20 description 'Allow VPN' +set policy route-map BGP-REDISTRIBUTE rule 20 match ipv6 address prefix-list 'GLOBAL-V6' +set protocols bfd peer 192.168.253.1 interval receive '50' +set protocols bfd peer 192.168.253.1 interval transmit '50' +set protocols bfd peer 192.168.253.1 multihop +set protocols bfd peer 192.168.253.1 source address '192.168.253.3' +set protocols bfd peer 192.168.253.2 interval receive '50' +set protocols bfd peer 192.168.253.2 interval transmit '50' +set protocols bfd peer 192.168.253.2 multihop +set protocols bfd peer 192.168.253.2 source address '192.168.253.3' +set protocols bfd peer 192.168.253.6 interval receive '50' +set protocols bfd peer 192.168.253.6 interval transmit '50' +set protocols bfd peer 192.168.253.6 multihop +set protocols bfd peer 192.168.253.6 source address '192.168.253.3' +set protocols bfd peer 192.168.253.7 interval receive '50' +set protocols bfd peer 192.168.253.7 interval transmit '50' +set protocols bfd peer 192.168.253.7 multihop +set protocols bfd peer 192.168.253.7 source address '192.168.253.3' +set protocols bfd peer 192.168.253.12 interval receive '100' +set protocols bfd peer 192.168.253.12 interval transmit '100' +set protocols bfd peer 192.168.253.12 multihop +set protocols bfd peer 192.168.253.12 source address '192.168.253.3' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 interval receive '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 interval transmit '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 multihop +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 source address 'fd52:d62e:8011:fffe:192:168:253:3' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 interval receive '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 interval transmit '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 multihop +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 source address 
'fd52:d62e:8011:fffe:192:168:253:3' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 interval receive '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 interval transmit '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 multihop +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 source address 'fd52:d62e:8011:fffe:192:168:253:3' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 interval receive '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 interval transmit '50' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 multihop +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 source address 'fd52:d62e:8011:fffe:192:168:253:3' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 interval receive '100' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 interval transmit '100' +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 multihop +set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 source address 'fd52:d62e:8011:fffe:192:168:253:3' +set protocols bgp address-family ipv4-unicast redistribute connected route-map 'BGP-REDISTRIBUTE' +set protocols bgp address-family ipv4-unicast redistribute static route-map 'BGP-REDISTRIBUTE' +set protocols bgp address-family ipv6-unicast redistribute connected route-map 'BGP-REDISTRIBUTE' +set protocols bgp neighbor 192.168.253.1 peer-group 'INT' +set protocols bgp neighbor 192.168.253.2 peer-group 'INT' +set protocols bgp neighbor 192.168.253.6 peer-group 'DAL13' +set protocols bgp neighbor 192.168.253.7 peer-group 'DAL13' +set protocols bgp neighbor 192.168.253.12 address-family ipv4-unicast route-map export 'BGP-BACKBONE-OUT' +set protocols bgp neighbor 192.168.253.12 address-family ipv4-unicast route-map import 'BGP-BACKBONE-IN' +set protocols bgp neighbor 192.168.253.12 address-family ipv4-unicast soft-reconfiguration inbound +set protocols bgp neighbor 192.168.253.12 bfd +set protocols bgp neighbor 192.168.253.12 
ebgp-multihop '2' +set protocols bgp neighbor 192.168.253.12 remote-as '4242420669' +set protocols bgp neighbor 192.168.253.12 update-source 'dum0' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:1 peer-group 'INTv6' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:2 peer-group 'INTv6' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:6 peer-group 'DAL13v6' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:7 peer-group 'DAL13v6' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 address-family ipv6-unicast route-map export 'BGP-BACKBONE-OUT' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 address-family ipv6-unicast route-map import 'BGP-BACKBONE-IN' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 address-family ipv6-unicast soft-reconfiguration inbound +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 bfd +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 ebgp-multihop '2' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 remote-as '4242420669' +set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 update-source 'dum0' +set protocols bgp parameters confederation identifier '4242420696' +set protocols bgp parameters confederation peers '4242420668' +set protocols bgp parameters confederation peers '4242420669' +set protocols bgp parameters distance global external '220' +set protocols bgp parameters distance global internal '220' +set protocols bgp parameters distance global local '220' +set protocols bgp parameters graceful-restart +set protocols bgp peer-group DAL13 address-family ipv4-unicast route-map export 'BGP-BACKBONE-OUT' +set protocols bgp peer-group DAL13 address-family ipv4-unicast route-map import 'BGP-BACKBONE-IN' +set protocols bgp peer-group DAL13 address-family ipv4-unicast soft-reconfiguration inbound +set protocols bgp peer-group DAL13 bfd +set protocols bgp peer-group DAL13 ebgp-multihop '2' +set protocols bgp 
peer-group DAL13 remote-as '4242420668' +set protocols bgp peer-group DAL13 update-source 'dum0' +set protocols bgp peer-group DAL13v6 address-family ipv6-unicast route-map export 'BGP-BACKBONE-OUT' +set protocols bgp peer-group DAL13v6 address-family ipv6-unicast route-map import 'BGP-BACKBONE-IN' +set protocols bgp peer-group DAL13v6 address-family ipv6-unicast soft-reconfiguration inbound +set protocols bgp peer-group DAL13v6 bfd +set protocols bgp peer-group DAL13v6 ebgp-multihop '2' +set protocols bgp peer-group DAL13v6 remote-as '4242420668' +set protocols bgp peer-group DAL13v6 update-source 'dum0' +set protocols bgp peer-group INT address-family ipv4-unicast default-originate +set protocols bgp peer-group INT address-family ipv4-unicast soft-reconfiguration inbound +set protocols bgp peer-group INT bfd +set protocols bgp peer-group INT remote-as '4242420666' +set protocols bgp peer-group INT update-source 'dum0' +set protocols bgp peer-group INTv6 address-family ipv6-unicast default-originate +set protocols bgp peer-group INTv6 address-family ipv6-unicast soft-reconfiguration inbound +set protocols bgp peer-group INTv6 bfd +set protocols bgp peer-group INTv6 remote-as '4242420666' +set protocols bgp peer-group INTv6 update-source 'dum0' +set protocols bgp system-as '4242420666' +set service ntp allow-client address '0.0.0.0/0' +set service ntp allow-client address '::/0' +set service ntp server 0.pool.ntp.org +set service ntp server 1.pool.ntp.org +set service ntp server 2.pool.ntp.org +set system config-management commit-revisions '200' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system console device ttyS0 speed '115200' +set system host-name 'vyos' +set system login user vyos authentication encrypted-password 
'$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/' +set system login user vyos authentication plaintext-password '' +set system syslog global facility all level 'info' +set system syslog global facility local7 level 'debug' +set system time-zone 'Europe/Berlin' diff --git a/smoketest/config-tests/bgp-big-as-cloud b/smoketest/config-tests/bgp-big-as-cloud new file mode 100644 index 000000000..8de0cdb02 --- /dev/null +++ b/smoketest/config-tests/bgp-big-as-cloud 
@@ -0,0 +1,850 @@ +set firewall global-options all-ping 'enable' +set firewall global-options broadcast-ping 'disable' +set firewall global-options ip-src-route 'disable' +set firewall global-options ipv6-receive-redirects 'disable' +set firewall global-options ipv6-src-route 'disable' +set firewall global-options log-martians 'enable' +set firewall global-options receive-redirects 'disable' +set firewall global-options send-redirects 'enable' +set firewall global-options source-validation 'disable' +set firewall global-options syn-cookies 'enable' +set firewall global-options twa-hazards-protection 'disable' +set firewall group address-group bgp-peers-4 address '192.0.68.3' +set firewall group address-group bgp-peers-4 address '192.0.68.2' +set firewall group address-group bgp-peers-4 address '192.0.176.193' +set firewall group address-group bgp-peers-4 address '192.0.52.0-192.0.52.255' +set firewall group address-group bgp-peers-4 address '192.0.53.0-192.0.53.255' +set firewall group address-group bgp-peers-4 address '192.0.16.209' +set firewall group address-group bgp-peers-4 address '192.0.192.0-192.0.192.255' +set firewall group address-group bgp-peers-4 address '192.0.193.0-192.0.193.255' +set firewall group address-group bgp-peers-4 address '192.0.194.0-192.0.194.255' +set firewall group address-group bgp-peers-4 address '192.0.195.0-192.0.195.255' +set firewall group address-group bgp-peers-4 address '192.0.196.0-192.0.196.255' +set firewall group address-group bgp-peers-4 address '192.0.197.0-192.0.197.255' +set firewall group address-group bgp-peers-4 address '192.0.198.0-192.0.198.255' +set firewall group address-group bgp-peers-4 address '192.0.199.0-192.0.199.255' +set firewall group address-group vrrp-peers-4 address '192.0.68.3' +set firewall group address-group vrrp-peers-4 address '192.0.160.3' +set firewall group address-group vrrp-peers-4 address '192.0.98.3' +set firewall group address-group vrrp-peers-4 address '192.0.71.131' +set firewall 
group address-group vrrp-peers-4 address '192.0.84.67' +set firewall group address-group vrrp-peers-4 address '192.0.71.195' +set firewall group address-group vrrp-peers-4 address '192.0.71.115' +set firewall group address-group vrrp-peers-4 address '192.0.70.195' +set firewall group address-group vrrp-peers-4 address '192.0.70.179' +set firewall group address-group vrrp-peers-4 address '192.0.70.163' +set firewall group address-group vrrp-peers-4 address '192.0.70.147' +set firewall group address-group vrrp-peers-4 address '192.0.70.131' +set firewall group address-group vrrp-peers-4 address '192.0.70.19' +set firewall group address-group vrrp-peers-4 address '192.0.70.3' +set firewall group address-group vrrp-peers-4 address '192.0.71.99' +set firewall group address-group vrrp-peers-4 address '192.0.68.67' +set firewall group address-group vrrp-peers-4 address '192.0.71.67' +set firewall group address-group vrrp-peers-4 address '192.0.71.3' +set firewall group address-group vrrp-peers-4 address '192.0.68.35' +set firewall group address-group vrrp-peers-4 address '192.0.68.131' +set firewall group address-group vrrp-peers-4 address '192.0.69.2' +set firewall group address-group vrrp-peers-4 address '192.0.70.35' +set firewall group address-group vrrp-peers-4 address '192.0.70.67' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:c::3' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:1000::2e9' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::fb' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::fc' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::fd' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::2e' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::3d' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::4a' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::5e' 
+set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::7' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::11' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::18' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::20' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::22' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::31' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::58' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::64' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::a5' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::aa' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::ab' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::b0' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::b3' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::bd' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::c' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::d2' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:24::d3' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8:838::1' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8::1a27:5051:c09d' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8::1a27:5051:c19d' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8::20ad:0:1' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8::2306:0:1' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8::2ca:0:1' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8::2ca:0:2' +set firewall group ipv6-address-group bgp-peers-6 address '2001:db8::2ca:0:3' +set firewall group ipv6-address-group 
bgp-peers-6 address '2001:db8::2ca:0:4' +set firewall group ipv6-address-group vrrp-peers-6 address 'fe80::fe89:15cf' +set firewall group ipv6-network-group AS64512-6 network '2001::/29' +set firewall group network-group AS64512-4 network '192.0.68.0/22' +set firewall group network-group AS64512-4 network '192.0.98.0/24' +set firewall group network-group AS64512-4 network '192.0.160.0/24' +set firewall group network-group AS64512-4 network '192.0.84.0/22' +set firewall ipv4 name management-to-local-4 default-action 'reject' +set firewall ipv4 name management-to-local-4 default-log +set firewall ipv4 name management-to-local-4 rule 500 action 'return' +set firewall ipv4 name management-to-local-4 rule 500 protocol 'icmp' +set firewall ipv4 name management-to-local-4 rule 501 action 'return' +set firewall ipv4 name management-to-local-4 rule 501 destination port '22' +set firewall ipv4 name management-to-local-4 rule 501 protocol 'tcp' +set firewall ipv4 name management-to-local-4 rule 502 action 'return' +set firewall ipv4 name management-to-local-4 rule 502 destination port 'snmp' +set firewall ipv4 name management-to-local-4 rule 502 protocol 'udp' +set firewall ipv4 name management-to-peers-4 default-action 'reject' +set firewall ipv4 name management-to-peers-4 default-log +set firewall ipv4 name management-to-servers-4 default-action 'reject' +set firewall ipv4 name management-to-servers-4 default-log +set firewall ipv4 name peers-to-local-4 default-action 'reject' +set firewall ipv4 name peers-to-local-4 default-log +set firewall ipv4 name peers-to-local-4 rule 500 action 'return' +set firewall ipv4 name peers-to-local-4 rule 500 protocol 'icmp' +set firewall ipv4 name peers-to-local-4 rule 501 action 'return' +set firewall ipv4 name peers-to-local-4 rule 501 protocol 'vrrp' +set firewall ipv4 name peers-to-local-4 rule 501 source group address-group 'vrrp-peers-4' +set firewall ipv4 name peers-to-local-4 rule 502 action 'return' +set firewall ipv4 name 
peers-to-local-4 rule 502 destination port 'bgp' +set firewall ipv4 name peers-to-local-4 rule 502 protocol 'tcp' +set firewall ipv4 name peers-to-local-4 rule 502 source group address-group 'bgp-peers-4' +set firewall ipv4 name peers-to-local-4 rule 503 action 'return' +set firewall ipv4 name peers-to-local-4 rule 503 protocol 'tcp' +set firewall ipv4 name peers-to-local-4 rule 503 source group address-group 'bgp-peers-4' +set firewall ipv4 name peers-to-local-4 rule 503 source port 'bgp' +set firewall ipv4 name peers-to-management-4 default-action 'reject' +set firewall ipv4 name peers-to-management-4 default-log +set firewall ipv4 name peers-to-servers-4 default-action 'reject' +set firewall ipv4 name peers-to-servers-4 default-log +set firewall ipv4 name peers-to-servers-4 rule 9990 action 'reject' +set firewall ipv4 name peers-to-servers-4 rule 9990 source group network-group 'AS64512-4' +set firewall ipv4 name peers-to-servers-4 rule 9999 action 'return' +set firewall ipv4 name peers-to-servers-4 rule 9999 destination group network-group 'AS64512-4' +set firewall ipv4 name servers-to-local-4 default-action 'reject' +set firewall ipv4 name servers-to-local-4 default-log +set firewall ipv4 name servers-to-local-4 rule 500 action 'return' +set firewall ipv4 name servers-to-local-4 rule 500 protocol 'icmp' +set firewall ipv4 name servers-to-local-4 rule 501 action 'return' +set firewall ipv4 name servers-to-local-4 rule 501 protocol 'vrrp' +set firewall ipv4 name servers-to-local-4 rule 501 source group address-group 'vrrp-peers-4' +set firewall ipv4 name servers-to-local-4 rule 511 action 'return' +set firewall ipv4 name servers-to-local-4 rule 511 protocol 'tcp_udp' +set firewall ipv4 name servers-to-local-4 rule 511 source port '53' +set firewall ipv4 name servers-to-management-4 default-action 'reject' +set firewall ipv4 name servers-to-management-4 default-log +set firewall ipv4 name servers-to-peers-4 default-action 'reject' +set firewall ipv4 name 
servers-to-peers-4 default-log +set firewall ipv4 name servers-to-peers-4 rule 51 action 'return' +set firewall ipv4 name servers-to-peers-4 rule 51 source group network-group 'AS64512-4' +set firewall ipv6 name management-to-local-6 default-action 'reject' +set firewall ipv6 name management-to-local-6 default-log +set firewall ipv6 name management-to-peers-6 default-action 'reject' +set firewall ipv6 name management-to-peers-6 default-log +set firewall ipv6 name management-to-servers-6 default-action 'reject' +set firewall ipv6 name management-to-servers-6 default-log +set firewall ipv6 name peers-to-local-6 default-action 'reject' +set firewall ipv6 name peers-to-local-6 default-log +set firewall ipv6 name peers-to-local-6 rule 500 action 'return' +set firewall ipv6 name peers-to-local-6 rule 500 protocol 'ipv6-icmp' +set firewall ipv6 name peers-to-local-6 rule 501 action 'return' +set firewall ipv6 name peers-to-local-6 rule 501 protocol 'vrrp' +set firewall ipv6 name peers-to-local-6 rule 501 source group address-group 'vrrp-peers-6' +set firewall ipv6 name peers-to-local-6 rule 502 action 'return' +set firewall ipv6 name peers-to-local-6 rule 502 destination port 'bgp' +set firewall ipv6 name peers-to-local-6 rule 502 protocol 'tcp' +set firewall ipv6 name peers-to-local-6 rule 502 source group address-group 'bgp-peers-6' +set firewall ipv6 name peers-to-local-6 rule 503 action 'return' +set firewall ipv6 name peers-to-local-6 rule 503 protocol 'tcp' +set firewall ipv6 name peers-to-local-6 rule 503 source group address-group 'bgp-peers-6' +set firewall ipv6 name peers-to-local-6 rule 503 source port 'bgp' +set firewall ipv6 name peers-to-management-6 default-action 'reject' +set firewall ipv6 name peers-to-management-6 default-log +set firewall ipv6 name peers-to-servers-6 default-action 'reject' +set firewall ipv6 name peers-to-servers-6 default-log +set firewall ipv6 name peers-to-servers-6 rule 9990 action 'reject' +set firewall ipv6 name 
peers-to-servers-6 rule 9990 source group network-group 'AS64512-6' +set firewall ipv6 name peers-to-servers-6 rule 9999 action 'return' +set firewall ipv6 name peers-to-servers-6 rule 9999 destination group network-group 'AS64512-6' +set firewall ipv6 name servers-to-local-6 default-action 'reject' +set firewall ipv6 name servers-to-local-6 default-log +set firewall ipv6 name servers-to-local-6 rule 500 action 'return' +set firewall ipv6 name servers-to-local-6 rule 500 protocol 'ipv6-icmp' +set firewall ipv6 name servers-to-local-6 rule 501 action 'return' +set firewall ipv6 name servers-to-local-6 rule 501 protocol 'vrrp' +set firewall ipv6 name servers-to-local-6 rule 501 source group address-group 'vrrp-peers-6' +set firewall ipv6 name servers-to-local-6 rule 511 action 'return' +set firewall ipv6 name servers-to-local-6 rule 511 protocol 'tcp_udp' +set firewall ipv6 name servers-to-local-6 rule 511 source port '53' +set firewall ipv6 name servers-to-management-6 default-action 'reject' +set firewall ipv6 name servers-to-management-6 default-log +set firewall ipv6 name servers-to-peers-6 default-action 'reject' +set firewall ipv6 name servers-to-peers-6 default-log +set firewall ipv6 name servers-to-peers-6 rule 51 action 'return' +set firewall ipv6 name servers-to-peers-6 rule 51 source group network-group 'AS64512-6' +set firewall zone local default-action 'drop' +set firewall zone local from management firewall ipv6-name 'management-to-local-6' +set firewall zone local from management firewall name 'management-to-local-4' +set firewall zone local from peers firewall ipv6-name 'peers-to-local-6' +set firewall zone local from peers firewall name 'peers-to-local-4' +set firewall zone local from servers firewall ipv6-name 'servers-to-local-6' +set firewall zone local from servers firewall name 'servers-to-local-4' +set firewall zone local local-zone +set firewall zone management default-action 'reject' +set firewall zone management from peers firewall ipv6-name 
'peers-to-management-6' +set firewall zone management from peers firewall name 'peers-to-management-4' +set firewall zone management from servers firewall ipv6-name 'servers-to-management-6' +set firewall zone management from servers firewall name 'servers-to-management-4' +set firewall zone management interface 'eth0' +set firewall zone peers default-action 'reject' +set firewall zone peers from management firewall ipv6-name 'management-to-peers-6' +set firewall zone peers from management firewall name 'management-to-peers-4' +set firewall zone peers from servers firewall ipv6-name 'servers-to-peers-6' +set firewall zone peers from servers firewall name 'servers-to-peers-4' +set firewall zone peers interface 'eth0.4088' +set firewall zone peers interface 'eth0.4089' +set firewall zone peers interface 'eth0.11' +set firewall zone peers interface 'eth0.838' +set firewall zone peers interface 'eth0.886' +set firewall zone servers default-action 'reject' +set firewall zone servers from management firewall ipv6-name 'management-to-servers-6' +set firewall zone servers from management firewall name 'management-to-servers-4' +set firewall zone servers from peers firewall ipv6-name 'peers-to-servers-6' +set firewall zone servers from peers firewall name 'peers-to-servers-4' +set firewall zone servers interface 'eth0.1001' +set firewall zone servers interface 'eth0.105' +set firewall zone servers interface 'eth0.102' +set firewall zone servers interface 'eth0.1019' +set firewall zone servers interface 'eth0.1014' +set firewall zone servers interface 'eth0.1020' +set firewall zone servers interface 'eth0.1018' +set firewall zone servers interface 'eth0.1013' +set firewall zone servers interface 'eth0.1012' +set firewall zone servers interface 'eth0.1011' +set firewall zone servers interface 'eth0.1010' +set firewall zone servers interface 'eth0.1009' +set firewall zone servers interface 'eth0.1006' +set firewall zone servers interface 'eth0.1005' +set firewall zone servers 
interface 'eth0.1017' +set firewall zone servers interface 'eth0.1016' +set firewall zone servers interface 'eth0.1002' +set firewall zone servers interface 'eth0.1015' +set firewall zone servers interface 'eth0.1003' +set firewall zone servers interface 'eth0.1004' +set firewall zone servers interface 'eth0.1007' +set firewall zone servers interface 'eth0.1008' +set high-availability vrrp group 11-4 address 192.0.68.1/27 +set high-availability vrrp group 11-4 interface 'eth0.11' +set high-availability vrrp group 11-4 priority '200' +set high-availability vrrp group 11-4 vrid '4' +set high-availability vrrp group 11-6 address 2001:db8:c::1/64 +set high-availability vrrp group 11-6 interface 'eth0.11' +set high-availability vrrp group 11-6 priority '200' +set high-availability vrrp group 11-6 vrid '6' +set high-availability vrrp group 102-4 address 192.0.98.1/24 +set high-availability vrrp group 102-4 interface 'eth0.102' +set high-availability vrrp group 102-4 priority '200' +set high-availability vrrp group 102-4 vrid '4' +set high-availability vrrp group 102-6 address 2001:db8:0:102::1/64 +set high-availability vrrp group 102-6 interface 'eth0.102' +set high-availability vrrp group 102-6 priority '200' +set high-availability vrrp group 102-6 vrid '6' +set high-availability vrrp group 105-4 address 192.0.160.1/24 +set high-availability vrrp group 105-4 interface 'eth0.105' +set high-availability vrrp group 105-4 priority '200' +set high-availability vrrp group 105-4 vrid '4' +set high-availability vrrp group 105-6 address 2001:db8:0:105::1/64 +set high-availability vrrp group 105-6 interface 'eth0.105' +set high-availability vrrp group 105-6 priority '200' +set high-availability vrrp group 105-6 vrid '6' +set high-availability vrrp group 1001-4 address 192.0.68.33/27 +set high-availability vrrp group 1001-4 interface 'eth0.1001' +set high-availability vrrp group 1001-4 priority '200' +set high-availability vrrp group 1001-4 vrid '4' +set high-availability vrrp 
group 1001-6 address 2001:db8:0:1001::1/64 +set high-availability vrrp group 1001-6 interface 'eth0.1001' +set high-availability vrrp group 1001-6 priority '200' +set high-availability vrrp group 1001-6 vrid '6' +set high-availability vrrp group 1002-4 address 192.0.68.65/26 +set high-availability vrrp group 1002-4 interface 'eth0.1002' +set high-availability vrrp group 1002-4 priority '200' +set high-availability vrrp group 1002-4 vrid '4' +set high-availability vrrp group 1002-6 address 2001:db8:0:1002::1/64 +set high-availability vrrp group 1002-6 interface 'eth0.1002' +set high-availability vrrp group 1002-6 priority '200' +set high-availability vrrp group 1002-6 vrid '6' +set high-availability vrrp group 1003-4 address 192.0.68.129/25 +set high-availability vrrp group 1003-4 interface 'eth0.1003' +set high-availability vrrp group 1003-4 priority '200' +set high-availability vrrp group 1003-4 vrid '4' +set high-availability vrrp group 1003-6 address 2001:db8:0:1003::1/64 +set high-availability vrrp group 1003-6 interface 'eth0.1003' +set high-availability vrrp group 1003-6 priority '200' +set high-availability vrrp group 1003-6 vrid '6' +set high-availability vrrp group 1004-4 address 192.0.69.1/24 +set high-availability vrrp group 1004-4 interface 'eth0.1004' +set high-availability vrrp group 1004-4 priority '200' +set high-availability vrrp group 1004-4 vrid '4' +set high-availability vrrp group 1004-6 address 2001:db8:0:1004::1/64 +set high-availability vrrp group 1004-6 interface 'eth0.1004' +set high-availability vrrp group 1004-6 priority '200' +set high-availability vrrp group 1004-6 vrid '6' +set high-availability vrrp group 1005-4 address 192.0.70.1/28 +set high-availability vrrp group 1005-4 interface 'eth0.1005' +set high-availability vrrp group 1005-4 priority '200' +set high-availability vrrp group 1005-4 vrid '4' +set high-availability vrrp group 1005-6 address 2001:db8:0:1005::1/64 +set high-availability vrrp group 1005-6 interface 'eth0.1005' 
+set high-availability vrrp group 1005-6 priority '200' +set high-availability vrrp group 1005-6 vrid '6' +set high-availability vrrp group 1006-4 address 192.0.70.17/28 +set high-availability vrrp group 1006-4 interface 'eth0.1006' +set high-availability vrrp group 1006-4 priority '200' +set high-availability vrrp group 1006-4 vrid '4' +set high-availability vrrp group 1006-6 address 2001:db8:0:1006::1/64 +set high-availability vrrp group 1006-6 interface 'eth0.1006' +set high-availability vrrp group 1006-6 priority '200' +set high-availability vrrp group 1006-6 vrid '6' +set high-availability vrrp group 1007-4 address 192.0.70.33/27 +set high-availability vrrp group 1007-4 interface 'eth0.1007' +set high-availability vrrp group 1007-4 priority '200' +set high-availability vrrp group 1007-4 vrid '4' +set high-availability vrrp group 1007-6 address 2001:db8:0:1007::1/64 +set high-availability vrrp group 1007-6 interface 'eth0.1007' +set high-availability vrrp group 1007-6 priority '200' +set high-availability vrrp group 1007-6 vrid '6' +set high-availability vrrp group 1008-4 address 192.0.70.65/26 +set high-availability vrrp group 1008-4 interface 'eth0.1008' +set high-availability vrrp group 1008-4 priority '200' +set high-availability vrrp group 1008-4 vrid '4' +set high-availability vrrp group 1008-6 address 2001:db8:0:1008::1/64 +set high-availability vrrp group 1008-6 interface 'eth0.1008' +set high-availability vrrp group 1008-6 priority '200' +set high-availability vrrp group 1008-6 vrid '6' +set high-availability vrrp group 1009-4 address 192.0.70.129/28 +set high-availability vrrp group 1009-4 interface 'eth0.1009' +set high-availability vrrp group 1009-4 priority '200' +set high-availability vrrp group 1009-4 vrid '4' +set high-availability vrrp group 1009-6 address 2001:db8:0:1009::1/64 +set high-availability vrrp group 1009-6 interface 'eth0.1009' +set high-availability vrrp group 1009-6 priority '200' +set high-availability vrrp group 1009-6 vrid '6' 
+set high-availability vrrp group 1010-4 address 192.0.70.145/28 +set high-availability vrrp group 1010-4 interface 'eth0.1010' +set high-availability vrrp group 1010-4 priority '200' +set high-availability vrrp group 1010-4 vrid '4' +set high-availability vrrp group 1010-6 address 2001:db8:0:1010::1/64 +set high-availability vrrp group 1010-6 interface 'eth0.1010' +set high-availability vrrp group 1010-6 priority '200' +set high-availability vrrp group 1010-6 vrid '6' +set high-availability vrrp group 1011-4 address 192.0.70.161/28 +set high-availability vrrp group 1011-4 interface 'eth0.1011' +set high-availability vrrp group 1011-4 priority '200' +set high-availability vrrp group 1011-4 vrid '4' +set high-availability vrrp group 1011-6 address 2001:db8:0:1011::1/64 +set high-availability vrrp group 1011-6 interface 'eth0.1011' +set high-availability vrrp group 1011-6 priority '200' +set high-availability vrrp group 1011-6 vrid '6' +set high-availability vrrp group 1012-4 address 192.0.70.177/28 +set high-availability vrrp group 1012-4 interface 'eth0.1012' +set high-availability vrrp group 1012-4 priority '200' +set high-availability vrrp group 1012-4 vrid '4' +set high-availability vrrp group 1012-6 address 2001:db8:0:1012::1/64 +set high-availability vrrp group 1012-6 interface 'eth0.1012' +set high-availability vrrp group 1012-6 priority '200' +set high-availability vrrp group 1012-6 vrid '6' +set high-availability vrrp group 1013-4 address 192.0.70.193/27 +set high-availability vrrp group 1013-4 interface 'eth0.1013' +set high-availability vrrp group 1013-4 priority '200' +set high-availability vrrp group 1013-4 vrid '4' +set high-availability vrrp group 1013-6 address 2001:db8:0:1013::1/64 +set high-availability vrrp group 1013-6 interface 'eth0.1013' +set high-availability vrrp group 1013-6 priority '200' +set high-availability vrrp group 1013-6 vrid '6' +set high-availability vrrp group 1014-4 address 192.0.84.65/26 +set high-availability vrrp group 
1014-4 interface 'eth0.1014' +set high-availability vrrp group 1014-4 priority '200' +set high-availability vrrp group 1014-4 vrid '4' +set high-availability vrrp group 1014-6 address 2001:db8:0:1014::1/64 +set high-availability vrrp group 1014-6 interface 'eth0.1014' +set high-availability vrrp group 1014-6 priority '200' +set high-availability vrrp group 1014-6 vrid '6' +set high-availability vrrp group 1015-4 address 192.0.71.1/26 +set high-availability vrrp group 1015-4 interface 'eth0.1015' +set high-availability vrrp group 1015-4 priority '200' +set high-availability vrrp group 1015-4 vrid '4' +set high-availability vrrp group 1015-6 address 2001:db8:0:1015::1/64 +set high-availability vrrp group 1015-6 interface 'eth0.1015' +set high-availability vrrp group 1015-6 priority '200' +set high-availability vrrp group 1015-6 vrid '6' +set high-availability vrrp group 1016-4 address 192.0.71.65/27 +set high-availability vrrp group 1016-4 interface 'eth0.1016' +set high-availability vrrp group 1016-4 priority '200' +set high-availability vrrp group 1016-4 vrid '4' +set high-availability vrrp group 1016-6 address 2001:db8:0:1016::1/64 +set high-availability vrrp group 1016-6 interface 'eth0.1016' +set high-availability vrrp group 1016-6 priority '200' +set high-availability vrrp group 1016-6 vrid '6' +set high-availability vrrp group 1017-4 address 192.0.71.97/28 +set high-availability vrrp group 1017-4 interface 'eth0.1017' +set high-availability vrrp group 1017-4 priority '200' +set high-availability vrrp group 1017-4 vrid '4' +set high-availability vrrp group 1017-6 address 2001:db8:0:1017::1/64 +set high-availability vrrp group 1017-6 interface 'eth0.1017' +set high-availability vrrp group 1017-6 priority '200' +set high-availability vrrp group 1017-6 vrid '6' +set high-availability vrrp group 1018-4 address 192.0.71.113/28 +set high-availability vrrp group 1018-4 interface 'eth0.1018' +set high-availability vrrp group 1018-4 priority '200' +set high-availability 
vrrp group 1018-4 vrid '4' +set high-availability vrrp group 1018-6 address 2001:db8:0:1018::1/64 +set high-availability vrrp group 1018-6 interface 'eth0.1018' +set high-availability vrrp group 1018-6 priority '200' +set high-availability vrrp group 1018-6 vrid '6' +set high-availability vrrp group 1019-4 address 192.0.71.129/26 +set high-availability vrrp group 1019-4 interface 'eth0.1019' +set high-availability vrrp group 1019-4 priority '200' +set high-availability vrrp group 1019-4 vrid '4' +set high-availability vrrp group 1019-6 address 2001:db8:0:1019::1/64 +set high-availability vrrp group 1019-6 interface 'eth0.1019' +set high-availability vrrp group 1019-6 priority '200' +set high-availability vrrp group 1019-6 vrid '6' +set high-availability vrrp group 1020-4 address 192.0.71.193/26 +set high-availability vrrp group 1020-4 interface 'eth0.1020' +set high-availability vrrp group 1020-4 priority '200' +set high-availability vrrp group 1020-4 vrid '4' +set high-availability vrrp group 1020-6 address 2001:db8:0:1020::1/64 +set high-availability vrrp group 1020-6 interface 'eth0.1020' +set high-availability vrrp group 1020-6 priority '200' +set high-availability vrrp group 1020-6 vrid '6' +set interfaces ethernet eth0 address '192.0.0.11/16' +set interfaces ethernet eth0 duplex 'auto' +set interfaces ethernet eth0 offload gro +set interfaces ethernet eth0 speed 'auto' +set interfaces ethernet eth0 vif 11 address '192.0.68.2/27' +set interfaces ethernet eth0 vif 11 address '2001:db8:c::2/64' +set interfaces ethernet eth0 vif 102 address '192.0.98.2/24' +set interfaces ethernet eth0 vif 102 address '2001:db8:0:102::2/64' +set interfaces ethernet eth0 vif 105 address '192.0.160.2/24' +set interfaces ethernet eth0 vif 105 address '2001:db8:0:105::2/64' +set interfaces ethernet eth0 vif 838 address '192.0.16.210/30' +set interfaces ethernet eth0 vif 838 address '2001:db8:838::2/64' +set interfaces ethernet eth0 vif 886 address '192.0.193.224/21' +set interfaces 
ethernet eth0 vif 886 address '2001:db8::3:669:0:1/64' +set interfaces ethernet eth0 vif 1001 address '192.0.68.34/27' +set interfaces ethernet eth0 vif 1001 address '2001:db8:0:1001::2/64' +set interfaces ethernet eth0 vif 1002 address '192.0.68.66/26' +set interfaces ethernet eth0 vif 1002 address '2001:db8:0:1002::2/64' +set interfaces ethernet eth0 vif 1003 address '192.0.68.130/25' +set interfaces ethernet eth0 vif 1003 address '2001:db8:0:1003::2/64' +set interfaces ethernet eth0 vif 1004 address '192.0.69.2/24' +set interfaces ethernet eth0 vif 1004 address '2001:db8:0:1004::2/64' +set interfaces ethernet eth0 vif 1005 address '192.0.70.2/28' +set interfaces ethernet eth0 vif 1005 address '2001:db8:0:1005::2/64' +set interfaces ethernet eth0 vif 1006 address '192.0.70.18/28' +set interfaces ethernet eth0 vif 1006 address '2001:db8:0:1006::2/64' +set interfaces ethernet eth0 vif 1007 address '192.0.70.34/27' +set interfaces ethernet eth0 vif 1007 address '2001:db8:0:1007::2/64' +set interfaces ethernet eth0 vif 1008 address '192.0.70.66/26' +set interfaces ethernet eth0 vif 1008 address '2001:db8:0:1008::2/64' +set interfaces ethernet eth0 vif 1009 address '192.0.70.130/28' +set interfaces ethernet eth0 vif 1009 address '2001:db8:0:1009::2/64' +set interfaces ethernet eth0 vif 1010 address '192.0.70.146/28' +set interfaces ethernet eth0 vif 1010 address '2001:db8:0:1010::2/64' +set interfaces ethernet eth0 vif 1011 address '192.0.70.162/28' +set interfaces ethernet eth0 vif 1011 address '2001:db8:0:1011::2/64' +set interfaces ethernet eth0 vif 1012 address '192.0.70.178/28' +set interfaces ethernet eth0 vif 1012 address '2001:db8:0:1012::2/64' +set interfaces ethernet eth0 vif 1013 address '192.0.70.194/27' +set interfaces ethernet eth0 vif 1013 address '2001:db8:0:1013::3/64' +set interfaces ethernet eth0 vif 1014 address '192.0.84.66/26' +set interfaces ethernet eth0 vif 1014 address '2001:db8:0:1014::2/64' +set interfaces ethernet eth0 vif 1015 address 
'192.0.71.2/26' +set interfaces ethernet eth0 vif 1015 address '2001:db8:0:1015::2/64' +set interfaces ethernet eth0 vif 1016 address '192.0.71.66/27' +set interfaces ethernet eth0 vif 1016 address '2001:db8:0:1016::2/64' +set interfaces ethernet eth0 vif 1017 address '192.0.71.98/28' +set interfaces ethernet eth0 vif 1017 address '2001:db8:0:1017::2/64' +set interfaces ethernet eth0 vif 1018 address '192.0.71.114/28' +set interfaces ethernet eth0 vif 1018 address '2001:db8:0:1018::2/64' +set interfaces ethernet eth0 vif 1019 address '192.0.71.130/26' +set interfaces ethernet eth0 vif 1019 address '2001:db8:0:1019::2/64' +set interfaces ethernet eth0 vif 1020 address '192.0.71.194/26' +set interfaces ethernet eth0 vif 1020 address '2001:db8:0:1020::2/64' +set interfaces ethernet eth0 vif 4088 address '2001:db8:24::c7/64' +set interfaces ethernet eth0 vif 4088 address '192.0.52.199/23' +set interfaces ethernet eth0 vif 4089 address '192.0.176.194/30' +set interfaces ethernet eth0 vif 4089 address '2001:db8:1000::2ea/126' +set interfaces loopback lo +set policy as-path-list AS64512 rule 10 action 'permit' +set policy as-path-list AS64512 rule 10 regex '^$' +set policy as-path-list AS64513-AS64514 rule 10 action 'permit' +set policy as-path-list AS64513-AS64514 rule 10 regex '^64513 64514$' +set policy prefix-list defaultV4 rule 10 action 'permit' +set policy prefix-list defaultV4 rule 10 prefix '0.0.0.0/0' +set policy prefix-list hostrouteV4 rule 10 action 'permit' +set policy prefix-list hostrouteV4 rule 10 ge '32' +set policy prefix-list hostrouteV4 rule 10 prefix '192.0.160.0/24' +set policy prefix-list hostrouteV4 rule 20 action 'permit' +set policy prefix-list hostrouteV4 rule 20 ge '32' +set policy prefix-list hostrouteV4 rule 20 prefix '192.0.98.0/24' +set policy prefix-list hostrouteV4 rule 30 action 'permit' +set policy prefix-list hostrouteV4 rule 30 ge '32' +set policy prefix-list hostrouteV4 rule 30 prefix '192.0.68.0/22' +set policy prefix-list 
hostrouteV4 rule 40 action 'permit' +set policy prefix-list hostrouteV4 rule 40 ge '32' +set policy prefix-list hostrouteV4 rule 40 prefix '192.0.84.0/22' +set policy prefix-list privateV4 rule 10 action 'permit' +set policy prefix-list privateV4 rule 10 le '32' +set policy prefix-list privateV4 rule 10 prefix '192.0.0.0/8' +set policy prefix-list privateV4 rule 20 action 'permit' +set policy prefix-list privateV4 rule 20 le '32' +set policy prefix-list privateV4 rule 20 prefix '192.0.0.0/12' +set policy prefix-list privateV4 rule 30 action 'permit' +set policy prefix-list privateV4 rule 30 le '32' +set policy prefix-list privateV4 rule 30 prefix '192.0.0.0/16' +set policy prefix-list vyosV4 rule 10 action 'permit' +set policy prefix-list vyosV4 rule 10 prefix '192.0.160.0/24' +set policy prefix-list vyosV4 rule 20 action 'permit' +set policy prefix-list vyosV4 rule 20 prefix '192.0.98.0/24' +set policy prefix-list vyosV4 rule 30 action 'permit' +set policy prefix-list vyosV4 rule 30 prefix '192.0.68.0/22' +set policy prefix-list vyosV4 rule 40 action 'permit' +set policy prefix-list vyosV4 rule 40 prefix '192.0.84.0/22' +set policy prefix-list6 all6 rule 10 action 'permit' +set policy prefix-list6 all6 rule 10 ge '4' +set policy prefix-list6 all6 rule 10 prefix '2000::/3' +set policy prefix-list6 hostrouteV6 rule 20 action 'permit' +set policy prefix-list6 hostrouteV6 rule 20 ge '128' +set policy prefix-list6 hostrouteV6 rule 20 prefix '2001:db8::/29' +set policy prefix-list6 privateV6 rule 10 action 'permit' +set policy prefix-list6 privateV6 rule 10 prefix 'fc00::/7' +set policy prefix-list6 vyosV6 rule 20 action 'permit' +set policy prefix-list6 vyosV6 rule 20 prefix '2001:db8::/29' +set policy route-map ExportRouteMap rule 5 action 'permit' +set policy route-map ExportRouteMap rule 5 match as-path 'AS64512' +set policy route-map ExportRouteMap rule 5 match ip address prefix-list 'hostrouteV4' +set policy route-map ExportRouteMap rule 5 set community replace 
'65000:666' +set policy route-map ExportRouteMap rule 10 action 'permit' +set policy route-map ExportRouteMap rule 10 match as-path 'AS64512' +set policy route-map ExportRouteMap rule 10 match ip address prefix-list 'vyosV4' +set policy route-map ExportRouteMap rule 15 action 'permit' +set policy route-map ExportRouteMap rule 15 match as-path 'AS64512' +set policy route-map ExportRouteMap rule 15 match ipv6 address prefix-list 'hostrouteV6' +set policy route-map ExportRouteMap rule 15 set community replace '65000:666' +set policy route-map ExportRouteMap rule 20 action 'permit' +set policy route-map ExportRouteMap rule 20 match as-path 'AS64512' +set policy route-map ExportRouteMap rule 20 match ipv6 address prefix-list 'vyosV6' +set policy route-map ExportRouteMap rule 100 action 'deny' +set policy route-map ExportRouteMapAS64513 rule 5 action 'permit' +set policy route-map ExportRouteMapAS64513 rule 5 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64513 rule 5 match ip address prefix-list 'hostrouteV4' +set policy route-map ExportRouteMapAS64513 rule 5 set community replace '64513:666' +set policy route-map ExportRouteMapAS64513 rule 10 action 'permit' +set policy route-map ExportRouteMapAS64513 rule 10 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64513 rule 10 match ip address prefix-list 'vyosV4' +set policy route-map ExportRouteMapAS64513 rule 15 action 'permit' +set policy route-map ExportRouteMapAS64513 rule 15 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64513 rule 15 match ipv6 address prefix-list 'hostrouteV6' +set policy route-map ExportRouteMapAS64513 rule 15 set community replace '64513:666' +set policy route-map ExportRouteMapAS64513 rule 20 action 'permit' +set policy route-map ExportRouteMapAS64513 rule 20 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64513 rule 20 match ipv6 address prefix-list 'vyosV6' +set policy route-map ExportRouteMapAS64513 rule 100 action 'deny' +set policy 
route-map ExportRouteMapAS64515 rule 10 action 'permit' +set policy route-map ExportRouteMapAS64515 rule 10 match ipv6 address prefix-list 'all6' +set policy route-map ExportRouteMapAS64515 rule 20 action 'deny' +set policy route-map ExportRouteMapAS64515 rule 20 match ip address prefix-list 'defaultV4' +set policy route-map ExportRouteMapAS64515 rule 100 action 'deny' +set policy route-map ExportRouteMapAS64516 rule 5 action 'permit' +set policy route-map ExportRouteMapAS64516 rule 5 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64516 rule 5 match ip address prefix-list 'hostrouteV4' +set policy route-map ExportRouteMapAS64516 rule 5 set community replace '65000:666' +set policy route-map ExportRouteMapAS64516 rule 10 action 'permit' +set policy route-map ExportRouteMapAS64516 rule 10 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64516 rule 10 match ip address prefix-list 'vyosV4' +set policy route-map ExportRouteMapAS64516 rule 15 action 'permit' +set policy route-map ExportRouteMapAS64516 rule 15 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64516 rule 15 match ipv6 address prefix-list 'hostrouteV6' +set policy route-map ExportRouteMapAS64516 rule 15 set community replace '65000:666' +set policy route-map ExportRouteMapAS64516 rule 20 action 'permit' +set policy route-map ExportRouteMapAS64516 rule 20 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64516 rule 20 match ipv6 address prefix-list 'vyosV6' +set policy route-map ExportRouteMapAS64516 rule 20 set as-path exclude '100 200 300' +set policy route-map ExportRouteMapAS64516 rule 20 set as-path prepend '64512 64512 64512' +set policy route-map ExportRouteMapAS64516 rule 100 action 'deny' +set policy route-map ExportRouteMapAS64517 rule 5 action 'permit' +set policy route-map ExportRouteMapAS64517 rule 5 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64517 rule 5 match ip address prefix-list 'hostrouteV4' +set policy route-map 
ExportRouteMapAS64517 rule 5 set community replace '64517:666' +set policy route-map ExportRouteMapAS64517 rule 10 action 'permit' +set policy route-map ExportRouteMapAS64517 rule 10 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64517 rule 10 match ip address prefix-list 'vyosV4' +set policy route-map ExportRouteMapAS64517 rule 15 action 'permit' +set policy route-map ExportRouteMapAS64517 rule 15 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64517 rule 15 match ipv6 address prefix-list 'hostrouteV6' +set policy route-map ExportRouteMapAS64517 rule 15 set community replace '64517:666' +set policy route-map ExportRouteMapAS64517 rule 20 action 'permit' +set policy route-map ExportRouteMapAS64517 rule 20 match as-path 'AS64512' +set policy route-map ExportRouteMapAS64517 rule 20 match ipv6 address prefix-list 'vyosV6' +set policy route-map ExportRouteMapAS64517 rule 100 action 'deny' +set policy route-map ImportRouteMap rule 10 action 'deny' +set policy route-map ImportRouteMap rule 10 match ip address prefix-list 'privateV4' +set policy route-map ImportRouteMap rule 15 action 'deny' +set policy route-map ImportRouteMap rule 15 match ipv6 address prefix-list 'privateV6' +set policy route-map ImportRouteMap rule 20 action 'deny' +set policy route-map ImportRouteMap rule 20 match ip address prefix-list 'vyosV4' +set policy route-map ImportRouteMap rule 30 action 'deny' +set policy route-map ImportRouteMap rule 30 match ipv6 address prefix-list 'vyosV6' +set policy route-map ImportRouteMap rule 40 action 'deny' +set policy route-map ImportRouteMap rule 40 match as-path 'AS64512' +set policy route-map ImportRouteMap rule 50 action 'permit' +set policy route-map ImportRouteMap rule 50 match as-path 'AS64513-AS64514' +set policy route-map ImportRouteMap rule 50 set weight '10001' +set policy route-map ImportRouteMap rule 65535 action 'permit' +set protocols bgp address-family ipv4-unicast maximum-paths ebgp '8' +set protocols bgp 
address-family ipv4-unicast maximum-paths ibgp '16' +set protocols bgp address-family ipv4-unicast network 192.0.68.0/22 +set protocols bgp address-family ipv4-unicast network 192.0.84.0/22 +set protocols bgp address-family ipv4-unicast network 192.0.98.0/24 +set protocols bgp address-family ipv4-unicast network 192.0.160.0/24 +set protocols bgp address-family ipv4-unicast redistribute static route-map 'ExportRouteMap' +set protocols bgp address-family ipv6-unicast network 2001:db8::/29 +set protocols bgp address-family ipv6-unicast redistribute static route-map 'ExportRouteMap' +set protocols bgp neighbor 192.0.16.209 address-family ipv4-unicast route-map export 'ExportRouteMapAS64516' +set protocols bgp neighbor 192.0.16.209 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.16.209 remote-as '64501' +set protocols bgp neighbor 192.0.52.12 address-family ipv4-unicast maximum-prefix '300' +set protocols bgp neighbor 192.0.52.12 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.12 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.12 remote-as '64511' +set protocols bgp neighbor 192.0.52.17 address-family ipv4-unicast maximum-prefix '75' +set protocols bgp neighbor 192.0.52.17 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.17 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.17 password 'vyosvyos' +set protocols bgp neighbor 192.0.52.17 remote-as '64512' +set protocols bgp neighbor 192.0.52.24 address-family ipv4-unicast maximum-prefix '300' +set protocols bgp neighbor 192.0.52.24 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.24 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.24 remote-as '64513' +set protocols bgp neighbor 
192.0.52.32 address-family ipv4-unicast maximum-prefix '50' +set protocols bgp neighbor 192.0.52.32 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.32 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.32 password 'vyosfoooo' +set protocols bgp neighbor 192.0.52.32 remote-as '64514' +set protocols bgp neighbor 192.0.52.34 address-family ipv4-unicast maximum-prefix '10' +set protocols bgp neighbor 192.0.52.34 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.34 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.34 remote-as '64515' +set protocols bgp neighbor 192.0.52.46 address-family ipv4-unicast maximum-prefix '10' +set protocols bgp neighbor 192.0.52.46 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.46 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.46 remote-as '64516' +set protocols bgp neighbor 192.0.52.49 address-family ipv4-unicast maximum-prefix '75' +set protocols bgp neighbor 192.0.52.49 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.49 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.49 password 'secret' +set protocols bgp neighbor 192.0.52.49 remote-as '64517' +set protocols bgp neighbor 192.0.52.74 address-family ipv4-unicast maximum-prefix '15000' +set protocols bgp neighbor 192.0.52.74 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.74 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.74 password 'secretvyos' +set protocols bgp neighbor 192.0.52.74 remote-as '64518' +set protocols bgp neighbor 192.0.52.94 address-family ipv4-unicast maximum-prefix '250' +set 
protocols bgp neighbor 192.0.52.94 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.94 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.94 remote-as '64519' +set protocols bgp neighbor 192.0.52.100 address-family ipv4-unicast maximum-prefix '50' +set protocols bgp neighbor 192.0.52.100 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.100 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.100 remote-as '64520' +set protocols bgp neighbor 192.0.52.119 address-family ipv4-unicast maximum-prefix '30' +set protocols bgp neighbor 192.0.52.119 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.119 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.119 remote-as '64521' +set protocols bgp neighbor 192.0.52.165 address-family ipv4-unicast maximum-prefix '50' +set protocols bgp neighbor 192.0.52.165 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.165 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.165 remote-as '64522' +set protocols bgp neighbor 192.0.52.170 address-family ipv4-unicast maximum-prefix '150000' +set protocols bgp neighbor 192.0.52.170 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.170 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.170 remote-as '64523' +set protocols bgp neighbor 192.0.52.171 address-family ipv4-unicast maximum-prefix '10000' +set protocols bgp neighbor 192.0.52.171 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.171 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp 
neighbor 192.0.52.171 remote-as '64524' +set protocols bgp neighbor 192.0.52.179 address-family ipv4-unicast maximum-prefix '20' +set protocols bgp neighbor 192.0.52.179 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.179 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.179 remote-as '64525' +set protocols bgp neighbor 192.0.52.189 address-family ipv4-unicast maximum-prefix '1000' +set protocols bgp neighbor 192.0.52.189 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.189 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.189 remote-as '64526' +set protocols bgp neighbor 192.0.52.210 address-family ipv4-unicast maximum-prefix '15' +set protocols bgp neighbor 192.0.52.210 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.210 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.210 remote-as '64527' +set protocols bgp neighbor 192.0.52.211 address-family ipv4-unicast maximum-prefix '15' +set protocols bgp neighbor 192.0.52.211 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.211 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.211 remote-as '64528' +set protocols bgp neighbor 192.0.52.251 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.251 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.251 address-family ipv4-unicast weight '1010' +set protocols bgp neighbor 192.0.52.251 remote-as '64529' +set protocols bgp neighbor 192.0.52.252 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.52.252 address-family ipv4-unicast weight '1010' +set 
protocols bgp neighbor 192.0.52.252 remote-as '64530' +set protocols bgp neighbor 192.0.52.253 address-family ipv4-unicast route-map export 'ExportRouteMapAS64515' +set protocols bgp neighbor 192.0.52.253 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.52.253 passive +set protocols bgp neighbor 192.0.52.253 remote-as '64531' +set protocols bgp neighbor 192.0.68.3 address-family ipv4-unicast nexthop-self +set protocols bgp neighbor 192.0.68.3 address-family ipv4-unicast soft-reconfiguration inbound +set protocols bgp neighbor 192.0.68.3 remote-as '64532' +set protocols bgp neighbor 192.0.68.3 update-source '192.0.68.2' +set protocols bgp neighbor 192.0.176.193 address-family ipv4-unicast route-map export 'ExportRouteMapAS64516' +set protocols bgp neighbor 192.0.176.193 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.176.193 remote-as '64510' +set protocols bgp neighbor 192.0.192.6 address-family ipv4-unicast maximum-prefix '100' +set protocols bgp neighbor 192.0.192.6 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.192.6 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.192.6 remote-as '64502' +set protocols bgp neighbor 192.0.192.157 address-family ipv4-unicast maximum-prefix '350000' +set protocols bgp neighbor 192.0.192.157 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.192.157 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.192.157 remote-as '64503' +set protocols bgp neighbor 192.0.192.228 address-family ipv4-unicast maximum-prefix '10000' +set protocols bgp neighbor 192.0.192.228 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.192.228 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 
192.0.192.228 remote-as '64504' +set protocols bgp neighbor 192.0.193.157 address-family ipv4-unicast maximum-prefix '350000' +set protocols bgp neighbor 192.0.193.157 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.193.157 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.193.157 remote-as '64505' +set protocols bgp neighbor 192.0.193.202 address-family ipv4-unicast maximum-prefix '10000' +set protocols bgp neighbor 192.0.193.202 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.193.202 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.193.202 remote-as '64506' +set protocols bgp neighbor 192.0.193.223 address-family ipv4-unicast maximum-prefix '10000' +set protocols bgp neighbor 192.0.193.223 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.193.223 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.193.223 remote-as '64507' +set protocols bgp neighbor 192.0.194.161 address-family ipv4-unicast maximum-prefix '10000' +set protocols bgp neighbor 192.0.194.161 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.194.161 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.194.161 remote-as '64508' +set protocols bgp neighbor 192.0.194.171 address-family ipv4-unicast maximum-prefix '10000' +set protocols bgp neighbor 192.0.194.171 address-family ipv4-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 192.0.194.171 address-family ipv4-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 192.0.194.171 remote-as '64509' +set protocols bgp neighbor 2001:db8:24::2e address-family ipv6-unicast maximum-prefix '5' +set protocols bgp neighbor 2001:db8:24::2e address-family 
ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::2e address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::2e password 'vyossecret' +set protocols bgp neighbor 2001:db8:24::2e remote-as '64535' +set protocols bgp neighbor 2001:db8:24::4a address-family ipv6-unicast maximum-prefix '1000' +set protocols bgp neighbor 2001:db8:24::4a address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::4a address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::4a remote-as '64536' +set protocols bgp neighbor 2001:db8:24::5e address-family ipv6-unicast maximum-prefix '200' +set protocols bgp neighbor 2001:db8:24::5e address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::5e address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::5e remote-as '64537' +set protocols bgp neighbor 2001:db8:24::11 address-family ipv6-unicast maximum-prefix '20' +set protocols bgp neighbor 2001:db8:24::11 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::11 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::11 remote-as '64538' +set protocols bgp neighbor 2001:db8:24::18 address-family ipv6-unicast maximum-prefix '300' +set protocols bgp neighbor 2001:db8:24::18 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::18 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::18 remote-as '64539' +set protocols bgp neighbor 2001:db8:24::20 address-family ipv6-unicast maximum-prefix '10' +set protocols bgp neighbor 2001:db8:24::20 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::20 
address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::20 remote-as '64540' +set protocols bgp neighbor 2001:db8:24::22 address-family ipv6-unicast maximum-prefix '5' +set protocols bgp neighbor 2001:db8:24::22 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::22 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::22 remote-as '64541' +set protocols bgp neighbor 2001:db8:24::31 address-family ipv6-unicast maximum-prefix '20' +set protocols bgp neighbor 2001:db8:24::31 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::31 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::31 remote-as '64542' +set protocols bgp neighbor 2001:db8:24::58 address-family ipv6-unicast maximum-prefix '15' +set protocols bgp neighbor 2001:db8:24::58 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::58 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::58 remote-as '64543' +set protocols bgp neighbor 2001:db8:24::64 address-family ipv6-unicast maximum-prefix '10' +set protocols bgp neighbor 2001:db8:24::64 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::64 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::64 password 'geheim' +set protocols bgp neighbor 2001:db8:24::64 remote-as '64544' +set protocols bgp neighbor 2001:db8:24::a5 address-family ipv6-unicast maximum-prefix '10' +set protocols bgp neighbor 2001:db8:24::a5 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::a5 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::a5 
remote-as '64545' +set protocols bgp neighbor 2001:db8:24::aa address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::aa address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::aa remote-as '64546' +set protocols bgp neighbor 2001:db8:24::ab address-family ipv6-unicast maximum-prefix '1800' +set protocols bgp neighbor 2001:db8:24::ab address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::ab address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::ab remote-as '64547' +set protocols bgp neighbor 2001:db8:24::b0 address-family ipv6-unicast maximum-prefix '5' +set protocols bgp neighbor 2001:db8:24::b0 address-family ipv6-unicast route-map export 'ExportRouteMap' +set protocols bgp neighbor 2001:db8:24::b0 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:24::b0 password 'secret123' +set protocols bgp neighbor 2001:db8:24::b0 remote-as '64548' +set protocols bgp neighbor 2001:db8:838::1 address-family ipv6-unicast route-map export 'ExportRouteMapAS64516' +set protocols bgp neighbor 2001:db8:838::1 address-family ipv6-unicast route-map import 'ImportRouteMap' +set protocols bgp neighbor 2001:db8:838::1 remote-as '64533' +set protocols bgp neighbor 2001:db8:c::3 address-family ipv6-unicast nexthop-self +set protocols bgp neighbor 2001:db8:c::3 address-family ipv6-unicast soft-reconfiguration inbound +set protocols bgp neighbor 2001:db8:c::3 remote-as '64534' +set protocols bgp neighbor 2001:db8:c::3 update-source '2001:db8:c::2' +set protocols bgp parameters log-neighbor-changes +set protocols bgp parameters router-id '192.0.68.2' +set protocols bgp system-as '64500' +set protocols static route 192.0.68.0/22 blackhole +set protocols static route 192.0.84.0/22 blackhole +set protocols static route 192.0.98.0/24 blackhole +set protocols 
static route 192.0.160.0/24 blackhole +set protocols static route6 2001:db8::/29 blackhole +set service ntp allow-client address '0.0.0.0/0' +set service ntp allow-client address '::/0' +set service ntp server 0.pool.ntp.org +set service ntp server 1.pool.ntp.org +set service ntp server 2.pool.ntp.org +set system config-management commit-revisions '100' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system console device ttyS0 speed '115200' +set system flow-accounting disable-imt +set system flow-accounting interface 'eth0.4088' +set system flow-accounting interface 'eth0.4089' +set system flow-accounting netflow engine-id '1' +set system flow-accounting netflow server 192.0.2.55 port '2055' +set system flow-accounting netflow version '9' +set system flow-accounting sflow server 1.2.3.4 port '1234' +set system flow-accounting syslog-facility 'daemon' +set system host-name 'vyos' +set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/' +set system login user vyos authentication plaintext-password '' +set system name-server '2001:db8::1' +set system name-server '2001:db8::2' +set system name-server '192.0.2.1' +set system name-server '192.0.2.2' +set system syslog global facility all level 'all' +set system syslog global preserve-fqdn +set system time-zone 'Europe/Zurich' diff --git a/smoketest/config-tests/bgp-dmvpn-hub b/smoketest/config-tests/bgp-dmvpn-hub new file mode 100644 index 000000000..30521520a --- /dev/null +++ b/smoketest/config-tests/bgp-dmvpn-hub 
@@ -0,0 +1,69 @@
+set interfaces ethernet eth0 address '100.64.10.1/31'
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth1 speed 'auto'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces loopback lo
+set interfaces tunnel tun0 address '192.168.254.62/26'
+set interfaces tunnel tun0 enable-multicast
+set interfaces tunnel tun0 encapsulation 'gre'
+set interfaces tunnel tun0 parameters ip key '1'
+set interfaces tunnel tun0 source-address '100.64.10.1'
+set protocols bgp address-family ipv4-unicast network 172.20.0.0/16
+set protocols bgp neighbor 192.168.254.1 peer-group 'DMVPN'
+set protocols bgp neighbor 192.168.254.1 remote-as '65001'
+set protocols bgp neighbor 192.168.254.2 peer-group 'DMVPN'
+set protocols bgp neighbor 192.168.254.2 remote-as '65002'
+set protocols bgp neighbor 192.168.254.3 peer-group 'DMVPN'
+set protocols bgp neighbor 192.168.254.3 remote-as '65003'
+set protocols bgp parameters log-neighbor-changes
+set protocols bgp peer-group DMVPN address-family ipv4-unicast
+set protocols bgp system-as '65000'
+set protocols bgp timers holdtime '30'
+set protocols bgp timers keepalive '10'
+set protocols nhrp tunnel tun0 cisco-authentication 'secret'
+set protocols nhrp tunnel tun0 holding-time '300'
+set protocols nhrp tunnel tun0 multicast 'dynamic'
+set protocols nhrp tunnel tun0 redirect
+set protocols nhrp tunnel tun0 shortcut
+set protocols static route 0.0.0.0/0 next-hop 100.64.10.0
+set protocols static route 172.20.0.0/16 blackhole distance '200'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ntp server time3.vyos.net
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'cpe-4'
+set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0'
+set system login user vyos authentication plaintext-password ''
+set system name-server '1.1.1.1'
+set system name-server '8.8.8.8'
+set system name-server '9.9.9.9'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set vpn ipsec esp-group ESP-DMVPN lifetime '1800'
+set vpn ipsec esp-group ESP-DMVPN mode 'transport'
+set vpn ipsec esp-group ESP-DMVPN pfs 'dh-group2'
+set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption 'aes256'
+set vpn ipsec esp-group ESP-DMVPN proposal 1 hash 'sha1'
+set vpn ipsec ike-group IKE-DMVPN close-action 'none'
+set vpn ipsec ike-group IKE-DMVPN key-exchange 'ikev1'
+set vpn ipsec ike-group IKE-DMVPN lifetime '3600'
+set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group '2'
+set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption 'aes256'
+set vpn ipsec ike-group IKE-DMVPN proposal 1 hash 'sha1'
+set vpn ipsec interface 'eth0'
+set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
+set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'VyOS-topsecret'
+set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
+set vpn ipsec profile NHRPVPN esp-group 'ESP-DMVPN'
+set vpn ipsec profile NHRPVPN ike-group 'IKE-DMVPN'
diff --git a/smoketest/config-tests/bgp-dmvpn-spoke b/smoketest/config-tests/bgp-dmvpn-spoke
new file mode 100644
index 000000000..d1c7bc7c0
--- /dev/null
+++ b/smoketest/config-tests/bgp-dmvpn-spoke
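Review bot: `set service ntp allow-client address '0.0.0.0/0'` and `'::/0'` on the hub, together with `set protocols static route 0.0.0.0/0 next-hop 100.64.10.0`, make the NTP service answer any source that can reach eth0, and every fixture in this commit carries the same pair. That is harmless for a load-and-compare smoketest, but the bgp-dmvpn-* pair reads like a reference topology, and a scoped entry such as `set service ntp allow-client address '192.168.254.0/26'` would model the least-privilege shape without losing coverage of the allow-client node (if this file is the expected output of a matching entry under smoketest/configs, that source config needs the same edit). The IKE and ESP groups pin `key-exchange 'ikev1'`, `dh-group '2'` and `hash 'sha1'`, so DMVPN is covered only through its legacy options; a sibling fixture exercising IKEv2 with a current DH group would keep coverage if those values are ever deprecated. The pre-shared-secret and cisco-authentication strings are repeated verbatim in bgp-dmvpn-spoke, which the pair needs to interoperate, so they are fine as they are.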
@@ -0,0 +1,75 @@
+set interfaces ethernet eth0 vif 7 description 'PPPoE-UPLINK'
+set interfaces ethernet eth1 address '172.17.1.1/24'
+set interfaces loopback lo
+set interfaces pppoe pppoe1 authentication password 'cpe-1'
+set interfaces pppoe pppoe1 authentication username 'cpe-1'
+set interfaces pppoe pppoe1 no-peer-dns
+set interfaces pppoe pppoe1 source-interface 'eth0.7'
+set interfaces tunnel tun0 address '192.168.254.1/26'
+set interfaces tunnel tun0 enable-multicast
+set interfaces tunnel tun0 encapsulation 'gre'
+set interfaces tunnel tun0 parameters ip key '1'
+set interfaces tunnel tun0 source-address '0.0.0.0'
+set nat source rule 10 log
+set nat source rule 10 outbound-interface name 'pppoe1'
+set nat source rule 10 source address '172.17.0.0/16'
+set nat source rule 10 translation address 'masquerade'
+set protocols bgp address-family ipv4-unicast network 172.17.0.0/16
+set protocols bgp neighbor 192.168.254.62 address-family ipv4-unicast
+set protocols bgp neighbor 192.168.254.62 remote-as '65000'
+set protocols bgp parameters log-neighbor-changes
+set protocols bgp system-as '65001'
+set protocols bgp timers holdtime '30'
+set protocols bgp timers keepalive '10'
+set protocols nhrp tunnel tun0 cisco-authentication 'secret'
+set protocols nhrp tunnel tun0 holding-time '300'
+set protocols nhrp tunnel tun0 map 192.168.254.62/26 nbma-address '100.64.10.1'
+set protocols nhrp tunnel tun0 map 192.168.254.62/26 register
+set protocols nhrp tunnel tun0 multicast 'nhs'
+set protocols nhrp tunnel tun0 redirect
+set protocols nhrp tunnel tun0 shortcut
+set protocols static route 172.17.0.0/16 blackhole distance '200'
+set service dhcp-server shared-network-name LAN-3 subnet 172.17.1.0/24 option default-router '172.17.1.1'
+set service dhcp-server shared-network-name LAN-3 subnet 172.17.1.0/24 option name-server '172.17.1.1'
+set service dhcp-server shared-network-name LAN-3 subnet 172.17.1.0/24 range 0 start '172.17.1.100'
+set service dhcp-server shared-network-name LAN-3 subnet 172.17.1.0/24 range 0 stop '172.17.1.200'
+set service dhcp-server shared-network-name LAN-3 subnet 172.17.1.0/24 subnet-id '1'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ntp server time3.vyos.net
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'cpe-1'
+set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0'
+set system login user vyos authentication plaintext-password ''
+set system name-server '1.1.1.1'
+set system name-server '8.8.8.8'
+set system name-server '9.9.9.9'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set vpn ipsec esp-group ESP-DMVPN lifetime '1800'
+set vpn ipsec esp-group ESP-DMVPN mode 'transport'
+set vpn ipsec esp-group ESP-DMVPN pfs 'dh-group2'
+set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption 'aes256'
+set vpn ipsec esp-group ESP-DMVPN proposal 1 hash 'sha1'
+set vpn ipsec ike-group IKE-DMVPN close-action 'none'
+set vpn ipsec ike-group IKE-DMVPN key-exchange 'ikev1'
+set vpn ipsec ike-group IKE-DMVPN lifetime '3600'
+set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group '2'
+set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption 'aes256'
+set vpn ipsec ike-group IKE-DMVPN proposal 1 hash 'sha1'
+set vpn ipsec interface 'pppoe1'
+set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
+set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'VyOS-topsecret'
+set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
+set vpn ipsec profile NHRPVPN esp-group 'ESP-DMVPN'
+set vpn ipsec profile NHRPVPN ike-group 'IKE-DMVPN'
diff --git a/smoketest/config-tests/bgp-evpn-l2vpn-leaf b/smoketest/config-tests/bgp-evpn-l2vpn-leaf
new file mode 100644
index 000000000..315cb9e06
--- /dev/null
+++ b/smoketest/config-tests/bgp-evpn-l2vpn-leaf
@@ -0,0 +1,55 @@
+set interfaces bridge br100 member interface eth3
+set interfaces bridge br100 member interface vxlan100
+set interfaces dummy dum0 address '172.29.0.1/32'
+set interfaces ethernet eth0 address '2001:db8::41/64'
+set interfaces ethernet eth0 address '192.0.2.41/27'
+set interfaces ethernet eth0 description 'Out-of-Band Managament Port'
+set interfaces ethernet eth0 vrf 'MGMT'
+set interfaces ethernet eth1 address '172.29.1.1/31'
+set interfaces ethernet eth1 mtu '1600'
+set interfaces ethernet eth2 address '172.29.2.1/31'
+set interfaces ethernet eth2 mtu '1600'
+set interfaces ethernet eth2 offload gro
+set interfaces ethernet eth3 offload gro
+set interfaces loopback lo
+set interfaces vxlan vxlan100 mtu '1500'
+set interfaces vxlan vxlan100 parameters nolearning
+set interfaces vxlan vxlan100 port '8472'
+set interfaces vxlan vxlan100 source-address '172.29.0.1'
+set interfaces vxlan vxlan100 vni '100'
+set protocols bgp address-family ipv4-unicast maximum-paths ibgp '4'
+set protocols bgp address-family ipv4-unicast redistribute connected
+set protocols bgp address-family l2vpn-evpn advertise-all-vni
+set protocols bgp neighbor 172.29.1.0 peer-group 'evpn'
+set protocols bgp neighbor 172.29.2.0 peer-group 'evpn'
+set protocols bgp parameters log-neighbor-changes
+set protocols bgp peer-group evpn address-family ipv4-unicast nexthop-self
+set protocols bgp peer-group evpn address-family l2vpn-evpn nexthop-self
+set protocols bgp peer-group evpn remote-as '65010'
+set protocols bgp system-as '65010'
+set service lldp interface all
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp listen-address '192.0.2.41'
+set service ntp listen-address '2001:db8::41'
+set service ntp server 0.de.pool.ntp.org prefer
+set service ntp vrf 'MGMT'
+set service ssh disable-host-validation
+set service ssh vrf 'MGMT'
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set vrf name MGMT protocols static route 0.0.0.0/0 next-hop 192.0.2.62
+set vrf name MGMT protocols static route6 ::/0 next-hop 2001:db8::1
+set vrf name MGMT table '1000'
diff --git a/smoketest/config-tests/bgp-evpn-l2vpn-spine b/smoketest/config-tests/bgp-evpn-l2vpn-spine
new file mode 100644
index 000000000..dee29e021
--- /dev/null
+++ b/smoketest/config-tests/bgp-evpn-l2vpn-spine
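Review bot: `set interfaces ethernet eth0 description 'Out-of-Band Managament Port'` misspells "Management", and the identical string is added in bgp-evpn-l2vpn-spine and bgp-evpn-l3vpn-pe-router in this same commit. It is only an interface description, so the load test is unaffected, but these fixtures tend to be copied as topology examples; `set interfaces ethernet eth0 description 'Out-of-Band Management Port'` would fix all three. If this file is the expected output of a matching entry under smoketest/configs, that source config needs the same correction or the comparison will fail.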
@@ -0,0 +1,48 @@
+set interfaces ethernet eth0 address '192.0.2.51/27'
+set interfaces ethernet eth0 address '2001:db8::51/64'
+set interfaces ethernet eth0 description 'Out-of-Band Managament Port'
+set interfaces ethernet eth0 vrf 'MGMT'
+set interfaces ethernet eth1 address '172.29.1.0/31'
+set interfaces ethernet eth1 mtu '1600'
+set interfaces ethernet eth2 address '172.29.1.2/31'
+set interfaces ethernet eth2 mtu '1600'
+set interfaces ethernet eth2 offload gro
+set interfaces ethernet eth3 address '172.29.1.4/31'
+set interfaces ethernet eth3 mtu '1600'
+set interfaces ethernet eth3 offload gro
+set interfaces loopback lo
+set protocols bgp address-family ipv4-unicast maximum-paths ibgp '4'
+set protocols bgp address-family ipv4-unicast redistribute connected
+set protocols bgp listen range 172.29.1.0/24 peer-group 'evpn'
+set protocols bgp parameters log-neighbor-changes
+set protocols bgp peer-group evpn address-family ipv4-unicast route-reflector-client
+set protocols bgp peer-group evpn address-family l2vpn-evpn route-reflector-client
+set protocols bgp peer-group evpn capability dynamic
+set protocols bgp peer-group evpn remote-as '65010'
+set protocols bgp system-as '65010'
+set service lldp interface all
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp listen-address '192.0.2.51'
+set service ntp listen-address '2001:db8::51'
+set service ntp server 0.de.pool.ntp.org prefer
+set service ntp vrf 'MGMT'
+set service ssh disable-host-validation
+set service ssh vrf 'MGMT'
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set vrf name MGMT protocols static route 0.0.0.0/0 next-hop 192.0.2.62
+set vrf name MGMT protocols static route6 ::/0 next-hop 2001:db8::1
+set vrf name MGMT table '1000'
diff --git a/smoketest/config-tests/bgp-evpn-l3vpn-pe-router b/smoketest/config-tests/bgp-evpn-l3vpn-pe-router
new file mode 100644
index 000000000..7a2ec9f91
--- /dev/null
+++ b/smoketest/config-tests/bgp-evpn-l3vpn-pe-router
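Review bot: `set protocols bgp listen range 172.29.1.0/24 peer-group 'evpn'` accepts a route-reflector-client session from any address in that /24 that presents AS 65010, and neither the listen block nor the evpn peer-group sets a session limit or a password, so the spine fixture exercises the dynamic-neighbour path only in its most open form. Adding `set protocols bgp listen limit '8'` (sample value) and a peer-group password with a placeholder secret would bound how many sessions the reflector accepts and cover the authenticated-session path that none of the EVPN fixtures in this commit touch; if this file is the expected output of a matching smoketest/configs entry, the source config needs the same lines. The leaf fixture's second peer 172.29.2.0 lies outside this listen range, which presumably means a second spine exists outside this commit; a sentence in the commit message saying so would save the next reader the cross-check.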
@@ -0,0 +1,123 @@
+set interfaces bridge br2000 address '10.1.1.1/24'
+set interfaces bridge br2000 description 'customer blue'
+set interfaces bridge br2000 member interface eth4
+set interfaces bridge br2000 member interface vxlan2000
+set interfaces bridge br2000 vrf 'blue'
+set interfaces bridge br3000 address '10.2.1.1/24'
+set interfaces bridge br3000 description 'customer red'
+set interfaces bridge br3000 member interface eth5
+set interfaces bridge br3000 member interface vxlan3000
+set interfaces bridge br3000 vrf 'red'
+set interfaces bridge br4000 address '10.3.1.1/24'
+set interfaces bridge br4000 description 'customer green'
+set interfaces bridge br4000 member interface eth6
+set interfaces bridge br4000 member interface vxlan4000
+set interfaces bridge br4000 vrf 'green'
+set interfaces dummy dum0 address '172.29.255.1/32'
+set interfaces ethernet eth0 address '192.0.2.59/27'
+set interfaces ethernet eth0 address '2001:db8:ffff::59/64'
+set interfaces ethernet eth0 description 'Out-of-Band Managament Port'
+set interfaces ethernet eth0 offload gro
+set interfaces ethernet eth0 vrf 'mgmt'
+set interfaces ethernet eth1 address '172.29.0.2/31'
+set interfaces ethernet eth1 description 'link to pe2'
+set interfaces ethernet eth1 mtu '1600'
+set interfaces ethernet eth1 offload gro
+set interfaces ethernet eth2 disable
+set interfaces ethernet eth2 offload gro
+set interfaces ethernet eth3 address '172.29.0.6/31'
+set interfaces ethernet eth3 description 'link to pe3'
+set interfaces ethernet eth3 mtu '1600'
+set interfaces ethernet eth3 offload gro
+set interfaces ethernet eth4 description 'customer blue'
+set interfaces ethernet eth4 offload gro
+set interfaces ethernet eth5 description 'customer red'
+set interfaces ethernet eth5 offload gro
+set interfaces ethernet eth6 description 'customer green'
+set interfaces ethernet eth6 offload gro
+set interfaces loopback lo
+set interfaces vxlan vxlan2000 mtu '1500'
+set interfaces vxlan vxlan2000 parameters nolearning
+set interfaces vxlan vxlan2000 port '4789'
+set interfaces vxlan vxlan2000 source-address '172.29.255.1'
+set interfaces vxlan vxlan2000 vni '2000'
+set interfaces vxlan vxlan3000 mtu '1500'
+set interfaces vxlan vxlan3000 parameters nolearning
+set interfaces vxlan vxlan3000 port '4789'
+set interfaces vxlan vxlan3000 source-address '172.29.255.1'
+set interfaces vxlan vxlan3000 vni '3000'
+set interfaces vxlan vxlan4000 mtu '1500'
+set interfaces vxlan vxlan4000 parameters nolearning
+set interfaces vxlan vxlan4000 port '4789'
+set interfaces vxlan vxlan4000 source-address '172.29.255.1'
+set interfaces vxlan vxlan4000 vni '4000'
+set protocols bgp address-family l2vpn-evpn advertise ipv4 unicast
+set protocols bgp address-family l2vpn-evpn advertise-all-vni
+set protocols bgp neighbor 172.29.255.2 peer-group 'ibgp'
+set protocols bgp neighbor 172.29.255.3 peer-group 'ibgp'
+set protocols bgp parameters log-neighbor-changes
+set protocols bgp parameters router-id '172.29.255.1'
+set protocols bgp peer-group ibgp address-family l2vpn-evpn
+set protocols bgp peer-group ibgp remote-as '100'
+set protocols bgp peer-group ibgp update-source 'dum0'
+set protocols bgp system-as '100'
+set protocols ospf area 0 network '172.29.0.2/31'
+set protocols ospf area 0 network '172.29.0.6/31'
+set protocols ospf interface eth1 network 'point-to-point'
+set protocols ospf interface eth1 passive disable
+set protocols ospf interface eth3 network 'point-to-point'
+set protocols ospf interface eth3 passive disable
+set protocols ospf log-adjacency-changes detail
+set protocols ospf parameters abr-type 'cisco'
+set protocols ospf parameters router-id '172.29.255.1'
+set protocols ospf passive-interface 'default'
+set protocols ospf redistribute connected
+set service lldp interface all
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp listen-address '192.0.2.59'
+set service ntp listen-address '2001:db8:ffff::59'
+set service ntp server 192.0.2.251
+set service ntp server 192.0.2.252
+set service ntp server 2001:db8::251
+set service ntp server 2001:db8::252
+set service ntp vrf 'mgmt'
+set service ssh disable-host-validation
+set service ssh port '22'
+set service ssh vrf 'mgmt'
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system name-server '192.0.2.251'
+set system name-server '192.0.2.252'
+set system name-server '2001:db8::1'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set vrf name blue protocols bgp address-family ipv4-unicast redistribute connected
+set vrf name blue protocols bgp address-family l2vpn-evpn advertise ipv4 unicast
+set vrf name blue protocols bgp system-as '100'
+set vrf name blue table '2000'
+set vrf name blue vni '2000'
+set vrf name green protocols bgp address-family ipv4-unicast redistribute connected
+set vrf name green protocols bgp address-family l2vpn-evpn advertise ipv4 unicast
+set vrf name green protocols bgp system-as '100'
+set vrf name green table '4000'
+set vrf name green vni '4000'
+set vrf name mgmt protocols static route 0.0.0.0/0 next-hop 192.0.2.62
+set vrf name mgmt protocols static route6 ::/0 next-hop 2001:db8:ffff::1
+set vrf name mgmt table '1000'
+set vrf name red protocols bgp address-family ipv4-unicast redistribute connected
+set vrf name red protocols bgp address-family l2vpn-evpn advertise ipv4 unicast
+set vrf name red protocols bgp system-as '100'
+set vrf name red table '3000'
+set vrf name red vni '3000'
diff --git a/smoketest/config-tests/bgp-medium-confederation b/smoketest/config-tests/bgp-medium-confederation
index ea3c2d144..582e28047 100644
--- a/smoketest/config-tests/bgp-medium-confederation
+++ b/smoketest/config-tests/bgp-medium-confederation
@@ -1,73 +1,73 @@
 set interfaces dummy dum0 address '1.1.1.1/32'
 set interfaces dummy dum0 address '2001:db8::1/128'
-set interfaces ethernet eth0 address 'fd52:100:200:fffe::1/64'
 set interfaces ethernet eth0 address '192.168.253.1/24'
+set interfaces ethernet eth0 address 'fd52:100:200:fffe::1/64'
 set interfaces ethernet eth1
 set interfaces ethernet eth2
 set policy route-map BGP-IN rule 10 action 'permit'
 set policy route-map BGP-OUT rule 10 action 'permit'
 set policy route-map BGP-REDISTRIBUTE rule 10 action 'deny'
 set policy route-map DEFAULT-ZEBRA-IN rule 10 action 'deny'
 set protocols bgp address-family ipv4-unicast redistribute connected route-map 'BGP-REDISTRIBUTE'
 set protocols bgp address-family ipv4-unicast redistribute static route-map 'BGP-REDISTRIBUTE'
 set protocols bgp address-family ipv6-unicast redistribute connected route-map 'BGP-REDISTRIBUTE'
 set protocols bgp neighbor 192.168.253.14 peer-group 'WDC07'
 set protocols bgp neighbor 192.168.253.16 peer-group 'WDC07'
 set protocols bgp neighbor 192.168.253.17 peer-group 'WDC07'
 set protocols bgp neighbor 192.168.253.18 peer-group 'WDC07'
 set protocols bgp neighbor 192.168.253.19 peer-group 'WDC07'
 set protocols bgp neighbor eth1 interface v6only peer-group 'BACKBONE'
 set protocols bgp neighbor eth1 interface v6only remote-as '666'
 set protocols bgp neighbor eth2 interface v6only peer-group 'BACKBONE'
 set protocols bgp neighbor eth2 interface v6only remote-as '666'
 set protocols bgp neighbor fd52:100:200:fffe::14 address-family ipv6-unicast
 set protocols bgp neighbor fd52:100:200:fffe::14 peer-group 'WDC07v6'
 set protocols bgp neighbor fd52:100:200:fffe::16 address-family ipv6-unicast
 set protocols bgp neighbor fd52:100:200:fffe::16 peer-group 'WDC07v6'
 set protocols bgp neighbor fd52:100:200:fffe::17 address-family ipv6-unicast
 set protocols bgp neighbor fd52:100:200:fffe::17 peer-group 'WDC07v6'
 set protocols bgp neighbor fd52:100:200:fffe::18 address-family ipv6-unicast
 set protocols bgp neighbor fd52:100:200:fffe::18 peer-group 'WDC07v6'
 set protocols bgp neighbor fd52:100:200:fffe::19 address-family ipv6-unicast
 set protocols bgp neighbor fd52:100:200:fffe::19 peer-group 'WDC07v6'
 set protocols bgp parameters bestpath as-path confed
 set protocols bgp parameters bestpath as-path multipath-relax
 set protocols bgp parameters confederation identifier '696'
 set protocols bgp parameters confederation peers '668'
 set protocols bgp parameters confederation peers '669'
 set protocols bgp parameters confederation peers '666'
 set protocols bgp parameters graceful-restart
 set protocols bgp parameters router-id '192.168.253.15'
 set protocols bgp peer-group BACKBONE address-family ipv4-unicast nexthop-self
 set protocols bgp peer-group BACKBONE address-family ipv4-unicast route-map export 'BGP-OUT'
 set protocols bgp peer-group BACKBONE address-family ipv4-unicast route-map import 'BGP-IN'
 set protocols bgp peer-group BACKBONE address-family ipv4-unicast soft-reconfiguration inbound
 set protocols bgp peer-group BACKBONE address-family ipv6-unicast nexthop-self
 set protocols bgp peer-group BACKBONE address-family ipv6-unicast route-map export 'BGP-OUT'
 set protocols bgp peer-group BACKBONE address-family ipv6-unicast route-map import 'BGP-IN'
 set protocols bgp peer-group BACKBONE address-family ipv6-unicast soft-reconfiguration inbound
 set protocols bgp peer-group BACKBONE capability extended-nexthop
 set protocols bgp peer-group WDC07 address-family ipv4-unicast default-originate
 set protocols bgp peer-group WDC07 address-family ipv4-unicast nexthop-self
 set protocols bgp peer-group WDC07 address-family ipv4-unicast route-map export 'BGP-OUT'
 set protocols bgp peer-group WDC07 address-family ipv4-unicast route-map import 'BGP-IN'
 set protocols bgp peer-group WDC07 address-family ipv4-unicast soft-reconfiguration inbound
 set protocols bgp peer-group WDC07 remote-as '670'
 set protocols bgp peer-group WDC07 update-source 'dum0'
 set protocols bgp peer-group WDC07v6 address-family ipv6-unicast default-originate
 set protocols bgp peer-group WDC07v6 address-family ipv6-unicast nexthop-self
 set protocols bgp peer-group WDC07v6 address-family ipv6-unicast route-map export 'BGP-OUT'
 set protocols bgp peer-group WDC07v6 address-family ipv6-unicast route-map import 'BGP-IN'
 set protocols bgp peer-group WDC07v6 address-family ipv6-unicast soft-reconfiguration inbound
 set protocols bgp peer-group WDC07v6 remote-as '670'
 set protocols bgp peer-group WDC07v6 update-source 'dum0'
 set protocols bgp system-as '670'
 set system config-management commit-revisions '200'
 set system console device ttyS0 speed '115200'
 set system domain-name 'vyos.net'
 set system host-name 'vyos'
 set system ip protocol bgp route-map 'DEFAULT-ZEBRA-IN'
 set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
 set system login user vyos authentication plaintext-password ''
 set system syslog global facility all level 'notice'
 set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/bgp-rpki b/smoketest/config-tests/bgp-rpki
new file mode 100644
index 000000000..44e95ae98
--- /dev/null
+++ b/smoketest/config-tests/bgp-rpki
@@ -0,0 +1,43 @@
+set interfaces ethernet eth0 address '192.0.2.100/25'
+set interfaces ethernet eth0 address '2001:db8::ffff/64'
+set interfaces ethernet eth1 address '100.64.0.1/24'
+set interfaces loopback lo
+set policy route-map ebgp-transit-rpki rule 10 action 'deny'
+set policy route-map ebgp-transit-rpki rule 10 match rpki 'invalid'
+set policy route-map ebgp-transit-rpki rule 20 action 'permit'
+set policy route-map ebgp-transit-rpki rule 20 match rpki 'notfound'
+set policy route-map ebgp-transit-rpki rule 20 set local-preference '20'
+set policy route-map ebgp-transit-rpki rule 30 action 'permit'
+set policy route-map ebgp-transit-rpki rule 30 match rpki 'valid'
+set policy route-map ebgp-transit-rpki rule 30 set local-preference '100'
+set policy route-map ebgp-transit-rpki rule 40 action 'permit'
+set policy route-map ebgp-transit-rpki rule 40 set extcommunity rt '192.0.2.100:100'
+set policy route-map ebgp-transit-rpki rule 40 set extcommunity soo '64500:100'
+set protocols bgp neighbor 1.2.3.4 address-family ipv4-unicast nexthop-self
+set protocols bgp neighbor 1.2.3.4 address-family ipv4-unicast route-map import 'ebgp-transit-rpki'
+set protocols bgp neighbor 1.2.3.4 remote-as '10'
+set protocols bgp system-as '64500'
+set protocols rpki cache 192.0.2.10 port '3323'
+set protocols rpki cache 192.0.2.10 preference '1'
+set protocols static route 0.0.0.0/0 next-hop 192.0.2.1
+set protocols static route6 ::/0 next-hop 2001:db8::1
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set service ssh
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/bgp-small-internet-exchange b/smoketest/config-tests/bgp-small-internet-exchange
new file mode 100644
index 000000000..a9dce4dd5
--- /dev/null
+++ b/smoketest/config-tests/bgp-small-internet-exchange
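Review bot: `set protocols bgp neighbor 1.2.3.4 remote-as '10'` points the eBGP peer at a globally routed address while everything else in this fixture stays in RFC 5737 / RFC 3849 documentation space (192.0.2.0/25, 2001:db8::/64), and the same 1.2.3.4 is used as the sflow server in the fixture earlier in this diff. A documentation address such as `set protocols bgp neighbor 203.0.113.4 ...` (sample value) keeps a fixture from reaching someone else's network if it is ever loaded on a connected box; if this file is the expected output of a matching smoketest/configs entry, the source config needs the same change. Rules 10, 20 and 30 of `ebgp-transit-rpki` match `invalid`, `notfound` and `valid`, which appear to cover every RPKI validation state, so rule 40 with its `set extcommunity` lines looks unreachable; if the intent is to tag accepted routes, those lines presumably belong on rules 20 and 30, and a line in the commit message confirming the intent would help. The cache at 192.0.2.10 is configured over plain RTR on port 3323 only, so a second cache entry using the SSH transport would also cover the authenticated path the CLI offers.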
@@ -0,0 +1,209 @@
+set interfaces ethernet eth0 address '192.0.2.100/25'
+set interfaces ethernet eth0 address '2001:db8:aaaa::ffff/64'
+set interfaces ethernet eth1 address '192.0.2.200/25'
+set interfaces ethernet eth1 address '2001:db8:bbbb::ffff/64'
+set interfaces loopback lo
+set policy as-path-list bogon-asns rule 10 action 'permit'
+set policy as-path-list bogon-asns rule 10 description 'RFC 7607'
+set policy as-path-list bogon-asns rule 10 regex '_0_'
+set policy as-path-list bogon-asns rule 20 action 'permit'
+set policy as-path-list bogon-asns rule 20 description 'RFC 4893'
+set policy as-path-list bogon-asns rule 20 regex '_23456_'
+set policy as-path-list bogon-asns rule 30 action 'permit'
+set policy as-path-list bogon-asns rule 30 description 'RFC 5398/6996/7300'
+set policy as-path-list bogon-asns rule 30 regex '_6449[6-9]_|_65[0-4][0-9][0-9]_|_655[0-4][0-9]_|_6555[0-1]_'
+set policy as-path-list bogon-asns rule 40 action 'permit'
+set policy as-path-list bogon-asns rule 40 description 'IANA reserved'
+set policy as-path-list bogon-asns rule 40 regex '_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-]_|_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_|_1310[0-6][0-9]_|_13107[01]_'
+set policy prefix-list IX-out-v4 rule 10 action 'permit'
+set policy prefix-list IX-out-v4 rule 10 prefix '10.0.0.0/23'
+set policy prefix-list IX-out-v4 rule 20 action 'permit'
+set policy prefix-list IX-out-v4 rule 20 prefix '10.0.128.0/23'
+set policy prefix-list bogon-v4 rule 10 action 'permit'
+set policy prefix-list bogon-v4 rule 10 le '32'
+set policy prefix-list bogon-v4 rule 10 prefix '0.0.0.0/8'
+set policy prefix-list bogon-v4 rule 20 action 'permit'
+set policy prefix-list bogon-v4 rule 20 le '32'
+set policy prefix-list bogon-v4 rule 20 prefix '10.0.0.0/8'
+set policy prefix-list bogon-v4 rule 30 action 'permit'
+set policy prefix-list bogon-v4 rule 30 le '32'
+set policy prefix-list bogon-v4 rule 30 prefix '100.64.0.0/10'
+set policy prefix-list bogon-v4 rule 40 action 'permit'
+set policy prefix-list bogon-v4 rule 40 le '32'
+set policy prefix-list bogon-v4 rule 40 prefix '127.0.0.0/8'
+set policy prefix-list bogon-v4 rule 50 action 'permit'
+set policy prefix-list bogon-v4 rule 50 le '32'
+set policy prefix-list bogon-v4 rule 50 prefix '169.254.0.0/16'
+set policy prefix-list bogon-v4 rule 60 action 'permit'
+set policy prefix-list bogon-v4 rule 60 le '32'
+set policy prefix-list bogon-v4 rule 60 prefix '172.16.0.0/12'
+set policy prefix-list bogon-v4 rule 70 action 'permit'
+set policy prefix-list bogon-v4 rule 70 le '32'
+set policy prefix-list bogon-v4 rule 70 prefix '192.0.2.0/24'
+set policy prefix-list bogon-v4 rule 80 action 'permit'
+set policy prefix-list bogon-v4 rule 80 le '32'
+set policy prefix-list bogon-v4 rule 80 prefix '192.88.99.0/24'
+set policy prefix-list bogon-v4 rule 90 action 'permit'
+set policy prefix-list bogon-v4 rule 90 le '32'
+set policy prefix-list bogon-v4 rule 90 prefix '192.168.0.0/16'
+set policy prefix-list bogon-v4 rule 100 action 'permit'
+set policy prefix-list bogon-v4 rule 100 le '32'
+set policy prefix-list bogon-v4 rule 100 prefix '198.18.0.0/15'
+set policy prefix-list bogon-v4 rule 110 action 'permit'
+set policy prefix-list bogon-v4 rule 110 le '32'
+set policy prefix-list bogon-v4 rule 110 prefix '198.51.100.0/24'
+set policy prefix-list bogon-v4 rule 120 action 'permit'
+set policy prefix-list bogon-v4 rule 120 le '32'
+set policy prefix-list bogon-v4 rule 120 prefix '203.0.113.0/24'
+set policy prefix-list bogon-v4 rule 130 action 'permit'
+set policy prefix-list bogon-v4 rule 130 le '32'
+set policy prefix-list bogon-v4 rule 130 prefix '224.0.0.0/4'
+set policy prefix-list bogon-v4 rule 140 action 'permit'
+set policy prefix-list bogon-v4 rule 140 le '32'
+set policy prefix-list bogon-v4 rule 140 prefix '240.0.0.0/4'
+set policy prefix-list prefix-filter-v4 rule 10 action 'permit'
+set policy prefix-list prefix-filter-v4 rule 10 ge '25'
+set policy prefix-list prefix-filter-v4 rule 10 prefix '0.0.0.0/0'
+set policy prefix-list6 IX-out-v6 rule 10 action 'permit'
+set policy prefix-list6 IX-out-v6 rule 10 prefix '2001:db8:100::/40'
+set policy prefix-list6 IX-out-v6 rule 20 action 'permit'
+set policy prefix-list6 IX-out-v6 rule 20 prefix '2001:db8:200::/40'
+set policy prefix-list6 bogon-v6 rule 10 action 'permit'
+set policy prefix-list6 bogon-v6 rule 10 description 'RFC 4291 IPv4-compatible, loopback, et al'
+set policy prefix-list6 bogon-v6 rule 10 le '128'
+set policy prefix-list6 bogon-v6 rule 10 prefix '::/8'
+set policy prefix-list6 bogon-v6 rule 20 action 'permit'
+set policy prefix-list6 bogon-v6 rule 20 description 'RFC 6666 Discard-Only'
+set policy prefix-list6 bogon-v6 rule 20 le '128'
+set policy prefix-list6 bogon-v6 rule 20 prefix '0100::/64'
+set policy prefix-list6 bogon-v6 rule 30 action 'permit'
+set policy prefix-list6 bogon-v6 rule 30 description 'RFC 5180 BMWG'
+set policy prefix-list6 bogon-v6 rule 30 le '128'
+set policy prefix-list6 bogon-v6 rule 30 prefix '2001:2::/48'
+set policy prefix-list6 bogon-v6 rule 40 action 'permit'
+set policy prefix-list6 bogon-v6 rule 40 description 'RFC 4843 ORCHID'
+set policy prefix-list6 bogon-v6 rule 40 le '128'
+set policy prefix-list6 bogon-v6 rule 40 prefix '2001:10::/28'
+set policy prefix-list6 bogon-v6 rule 50 action 'permit'
+set policy prefix-list6 bogon-v6 rule 50 description 'RFC 3849 documentation'
+set policy prefix-list6 bogon-v6 rule 50 le '128'
+set policy prefix-list6 bogon-v6 rule 50 prefix '2001:db8::/32'
+set policy prefix-list6 bogon-v6 rule 60 action 'permit'
+set policy prefix-list6 bogon-v6 rule 60 description 'RFC 7526 6to4 anycast relay'
+set policy prefix-list6 bogon-v6 rule 60 le '128'
+set policy prefix-list6 bogon-v6 rule 60 prefix '2002::/16'
+set policy prefix-list6 bogon-v6 rule 70 action 'permit'
+set policy prefix-list6 bogon-v6 rule 70 description 'RFC 3701 old 6bone'
+set policy prefix-list6 bogon-v6 rule 70 le '128'
+set policy prefix-list6 bogon-v6 rule 70 prefix '3ffe::/16'
+set policy prefix-list6 bogon-v6 rule 80 action 'permit'
+set policy prefix-list6 bogon-v6 rule 80 description 'RFC 4193 unique local unicast'
+set policy prefix-list6 bogon-v6 rule 80 le '128'
+set policy prefix-list6 bogon-v6 rule 80 prefix 'fc00::/7'
+set policy prefix-list6 bogon-v6 rule 90 action 'permit'
+set policy prefix-list6 bogon-v6 rule 90 description 'RFC 4291 link local unicast'
+set policy prefix-list6 bogon-v6 rule 90 le '128'
+set policy prefix-list6 bogon-v6 rule 90 prefix 'fe80::/10'
+set policy prefix-list6 bogon-v6 rule 100 action 'permit'
+set policy prefix-list6 bogon-v6 rule 100 description 'RFC 3879 old site local unicast'
+set policy prefix-list6 bogon-v6 rule 100 le '128'
+set policy prefix-list6 bogon-v6 rule 100 prefix 'fec0::/10'
+set policy prefix-list6 bogon-v6 rule 110 action 'permit'
+set policy prefix-list6 bogon-v6 rule 110 description 'RFC 4291 multicast'
+set policy prefix-list6 bogon-v6 rule 110 le '128'
+set policy prefix-list6 bogon-v6 rule 110 prefix 'ff00::/8'
+set policy prefix-list6 prefix-filter-v6 rule 10 action 'permit'
+set policy prefix-list6 prefix-filter-v6 rule 10 ge '49'
+set policy prefix-list6 prefix-filter-v6 rule 10 prefix '::/0'
+set policy route-map IX-in-v4 rule 5 action 'permit'
+set policy route-map IX-in-v4 rule 5 call 'eBGP-IN-v4'
+set policy route-map IX-in-v4 rule 5 on-match next
+set policy route-map IX-in-v4 rule 10 action 'permit'
+set policy route-map IX-in-v6 rule 5 action 'permit'
+set policy route-map IX-in-v6 rule 5 call 'eBGP-IN-v6'
+set policy route-map IX-in-v6 rule 5 on-match next
+set policy route-map IX-in-v6 rule 10 action 'permit'
+set policy route-map IX-out-v4 rule 10 action 'permit'
+set policy route-map IX-out-v4 rule 10 match ip address prefix-list 'IX-out-v4'
+set policy route-map IX-out-v6 rule 10 action 'permit'
+set policy route-map IX-out-v6 rule 10 match ipv6 address prefix-list 'IX-out-v6'
+set policy route-map eBGP-IN-v4 rule 10 action 'deny'
+set policy route-map eBGP-IN-v4 rule 10 match as-path 'bogon-asns'
+set policy route-map eBGP-IN-v4 rule 20 action 'deny'
+set policy route-map eBGP-IN-v4 rule 20 match ip address prefix-list 'bogon-v4'
+set policy route-map eBGP-IN-v4 rule 30 action 'deny'
+set policy route-map eBGP-IN-v4 rule 30 match ip address prefix-list 'prefix-filter-v4'
+set policy route-map eBGP-IN-v4 rule 40 action 'permit'
+set policy route-map eBGP-IN-v4 rule 40 set local-preference '100'
+set policy route-map eBGP-IN-v4 rule 40 set metric '0'
+set policy route-map eBGP-IN-v6 rule 10 action 'deny'
+set policy route-map eBGP-IN-v6 rule 10 match as-path 'bogon-asns'
+set policy route-map eBGP-IN-v6 rule 20 action 'deny'
+set policy route-map eBGP-IN-v6 rule 20 match ipv6 address prefix-list 'bogon-v6'
+set policy route-map eBGP-IN-v6 rule 30 action 'deny'
+set policy route-map eBGP-IN-v6 rule 30 match ipv6 address prefix-list 'prefix-filter-v6'
+set policy route-map eBGP-IN-v6 rule 31 action 'deny'
+set policy route-map eBGP-IN-v6 rule 31 match ipv6 nexthop address '2001:db8::1'
+set policy route-map eBGP-IN-v6 rule 40 action 'permit'
+set policy route-map eBGP-IN-v6 rule 40 set local-preference '100'
+set policy route-map eBGP-IN-v6 rule 40 set metric '0'
+set protocols bgp address-family ipv4-unicast network 10.0.0.0/23
+set protocols bgp address-family ipv4-unicast network 10.0.128.0/23
+set protocols bgp address-family ipv6-unicast network 2001:db8:100::/40
+set protocols bgp address-family ipv6-unicast network 2001:db8:200::/40
+set protocols bgp neighbor 192.0.2.1 description 'Peering: IX-1 (Route Server)'
+set protocols bgp neighbor 192.0.2.1 peer-group 'IXPeeringIPv4'
+set protocols bgp neighbor 192.0.2.1 remote-as '65020'
+set protocols bgp neighbor 192.0.2.2 description 'Peering: IX-1 (Route Server)'
+set protocols bgp neighbor 192.0.2.2 peer-group 'IXPeeringIPv4'
+set protocols bgp neighbor 192.0.2.2 remote-as '65020'
+set protocols bgp neighbor 192.0.2.3 description 'Peering: IX-1 (Route Server)'
+set protocols bgp neighbor 192.0.2.3 peer-group 'IXPeeringIPv4'
+set protocols bgp neighbor 192.0.2.3 remote-as '65020'
+set protocols bgp neighbor 192.0.2.129 description 'Peering: IX-2 (Route Server)'
+set protocols bgp neighbor 192.0.2.129 peer-group 'IXPeeringIPv4'
+set protocols bgp neighbor 192.0.2.129 remote-as '65030'
+set protocols bgp neighbor 192.0.2.130 description 'Peering: IX-2 (Route Server)'
+set protocols bgp neighbor 192.0.2.130 peer-group 'IXPeeringIPv4'
+set protocols bgp neighbor 192.0.2.130 remote-as '65030'
+set protocols bgp neighbor 2001:db8:aaaa::1 description 'Peering: IX-1 (Route Server)'
+set protocols bgp neighbor 2001:db8:aaaa::1 peer-group 'IXPeeringIPv6'
+set protocols bgp neighbor 2001:db8:aaaa::1 remote-as '65020'
+set protocols bgp neighbor 2001:db8:aaaa::2 description 'Peering: IX-1 (Route Server)'
+set protocols bgp neighbor 2001:db8:aaaa::2 peer-group 'IXPeeringIPv6'
+set protocols bgp neighbor 2001:db8:aaaa::2 remote-as '65020'
+set protocols bgp neighbor 2001:db8:bbbb::1 description 'Peering: IX-2 (Route Server)'
+set protocols bgp neighbor 2001:db8:bbbb::1 peer-group 'IXPeeringIPv6'
+set protocols bgp neighbor 2001:db8:bbbb::1 remote-as '65030'
+set protocols bgp neighbor 2001:db8:bbbb::2 description 'Peering: IX-2 (Route Server)'
+set protocols bgp neighbor 2001:db8:bbbb::2 peer-group 'IXPeeringIPv6'
+set protocols bgp neighbor 2001:db8:bbbb::2 remote-as '65030'
+set protocols bgp peer-group IXPeeringIPv4 address-family ipv4-unicast route-map export 'IX-out-v4'
+set protocols bgp peer-group IXPeeringIPv4 address-family ipv4-unicast soft-reconfiguration inbound
+set protocols bgp peer-group IXPeeringIPv6 address-family ipv6-unicast route-map export 'IX-out-v6'
+set protocols bgp peer-group IXPeeringIPv6 address-family ipv6-unicast soft-reconfiguration inbound
+set protocols bgp system-as '65000'
+set protocols static route 10.0.0.0/23 blackhole distance '250'
+set protocols static route 10.0.128.0/23 blackhole distance '250'
+set protocols static route6 2001:db8:100::/40 blackhole distance '250'
+set protocols static route6 2001:db8:200::/40 blackhole distance '250'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set service ssh
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/bgp-small-ipv4-unicast b/smoketest/config-tests/bgp-small-ipv4-unicast
new file mode 100644
index 000000000..b8c0e1246
--- /dev/null
+++ b/smoketest/config-tests/bgp-small-ipv4-unicast
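Review bot: The inbound policy chain is defined but never attached: `IX-in-v4` and `IX-in-v6` (which `call` `eBGP-IN-v4`/`eBGP-IN-v6` with the bogon-asns, bogon-v4/v6 and prefix-filter checks) are not referenced by any neighbor or peer-group, and both peer-groups carry only `route-map export`, so every route-server announcement is accepted unfiltered. If the fixture is meant to reflect the "small internet exchange" it is named after, add `set protocols bgp peer-group IXPeeringIPv4 address-family ipv4-unicast route-map import 'IX-in-v4'` and `set protocols bgp peer-group IXPeeringIPv6 address-family ipv6-unicast route-map import 'IX-in-v6'`; the existing `soft-reconfiguration inbound` lines already let that import policy be re-evaluated without a session reset. Separately, the `bogon-asns` rule 40 regex contains `_6[6-9][0-9][0-9][0-]_`, where `[0-]` matches only '0' or '-' and looks like a typo for `[0-9]`, so ASNs 66000–69999 that do not end in 0 slip past; rule 30 likewise has no `_64[5-9][0-9][0-9]_` alternative, leaving 64500–64999 (most of the RFC 6996 private range its description cites) unmatched. Both regex gaps affect only the filter's coverage, not the smoketest's ability to load the config.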
@@ -0,0 +1,32 @@
+set interfaces ethernet eth0 address '192.0.2.1/24'
+set interfaces ethernet eth0 address '2001:db8::1/64'
+set interfaces loopback lo
+set protocols bgp address-family ipv4-unicast network 10.0.150.0/23
+set protocols bgp address-family ipv6-unicast network 2001:db8:200::/40
+set protocols bgp neighbor 192.0.2.10 address-family ipv4-unicast
+set protocols bgp neighbor 192.0.2.10 remote-as '65010'
+set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast
+set protocols bgp neighbor 192.0.2.11 remote-as '65011'
+set protocols bgp neighbor 2001:db8::10 address-family ipv4-unicast
+set protocols bgp neighbor 2001:db8::10 remote-as '65010'
+set protocols bgp neighbor 2001:db8::11 address-family ipv4-unicast
+set protocols bgp neighbor 2001:db8::11 remote-as '65011'
+set protocols bgp parameters log-neighbor-changes
+set protocols bgp system-as '65001'
+set service ssh disable-host-validation
+set service ssh port '22'
+set system config-management commit-revisions '200'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'notice'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/cluster-basic b/smoketest/config-tests/cluster-basic
new file mode 100644
index 000000000..744c117eb
--- /dev/null
+++ b/smoketest/config-tests/cluster-basic
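Review bot: `set protocols bgp address-family ipv6-unicast network 2001:db8:200::/40` announces an IPv6 prefix, but none of the four neighbors is activated in `ipv6-unicast` — the `2001:db8::10`/`::11` peers are given only `address-family ipv4-unicast` — so that network statement has no session that can carry it and the IPv6-transport peers exchange IPv4 NLRI only. This may be deliberate, to exercise IPv4-unicast over an IPv6 transport as the file name suggests; if so the ipv6-unicast network line is dead weight and could be dropped, and if not, `set protocols bgp neighbor 2001:db8::10 address-family ipv6-unicast` plus the matching line for `2001:db8::11` would make the intent explicit either way.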
@@ -0,0 +1,21 @@
+set high-availability vrrp group VyOS address 192.0.2.10/24
+set high-availability vrrp group VyOS address 192.0.2.20/24
+set high-availability vrrp group VyOS advertise-interval '1'
+set high-availability vrrp group VyOS authentication password 'qwerty'
+set high-availability vrrp group VyOS authentication type 'plaintext-password'
+set high-availability vrrp group VyOS interface 'eth1'
+set high-availability vrrp group VyOS vrid '1'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth1 address '192.0.2.1/24'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth1 speed 'auto'
+set interfaces loopback lo
+set system config-management commit-revisions '100'
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set system time-zone 'Antarctica/South_Pole'
diff --git a/smoketest/config-tests/container-simple b/smoketest/config-tests/container-simple
index 5af365cf9..fcc665100 100644
--- a/smoketest/config-tests/container-simple
+++ b/smoketest/config-tests/container-simple
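Review bot: `set high-availability vrrp group VyOS authentication type 'plaintext-password'` together with `authentication password 'qwerty'` exercises VRRP simple-text authentication, which carries the key in cleartext in every advertisement on the eth1 segment and was dropped from the protocol as of RFC 3768; for a smoketest fixture that is acceptable, but if this file is also read as a reference config it is the legacy variant it shows. If the aim is CLI coverage, a second group here or a sibling fixture using `authentication type 'ah'` would exercise the other authentication code path rather than only this one.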
@@ -1,14 +1,18 @@
-set system config-management commit-revisions '50'
-set system host-name 'vyos'
-set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0'
-set system login user vyos authentication plaintext-password ''
-set system console device ttyS0 speed '115200'
 set container name c01 allow-host-networks
 set container name c01 capability 'net-bind-service'
 set container name c01 capability 'net-raw'
 set container name c01 image 'busybox:stable'
 set container name c02 allow-host-networks
 set container name c02 allow-host-pid
 set container name c02 capability 'sys-time'
 set container name c02 image 'busybox:stable'
-set container name c02 sysctl parameter kernel.msgmax value '8192'
\ No newline at end of file
+set container name c02 sysctl parameter kernel.msgmax value '8192'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth1 speed 'auto'
+set system config-management commit-revisions '50'
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0'
+set system login user vyos authentication plaintext-password ''
diff --git a/smoketest/config-tests/dialup-router-wireguard-ipv6 b/smoketest/config-tests/dialup-router-complex
similarity index 60%
copy from smoketest/config-tests/dialup-router-wireguard-ipv6
copy to smoketest/config-tests/dialup-router-complex
index 814a62d55..4416ef82e 100644
--- a/smoketest/config-tests/dialup-router-wireguard-ipv6
+++ b/smoketest/config-tests/dialup-router-complex
@@ -1,674 +1,740 @@
-set interfaces dummy dum0 address '172.16.254.30/32'
-set interfaces ethernet eth0 vif 10 address '172.16.33.254/24'
-set interfaces ethernet eth0 vif 10 address '172.16.40.254/24'
-set interfaces ethernet eth0 vif 5 address '172.16.37.254/24'
-set interfaces ethernet eth0 vif 50 address '172.16.36.254/24'
-set interfaces ethernet eth0 ring-buffer rx '256'
-set interfaces ethernet eth0 ring-buffer tx '256'
-set interfaces ethernet eth1 offload gro
-set interfaces ethernet eth1 offload gso
-set interfaces ethernet eth1 offload sg
-set interfaces ethernet eth1 offload tso
-set interfaces ethernet eth1 vif 20 address '172.31.0.254/24'
-set interfaces ethernet eth2 disable
-set interfaces ethernet eth2 offload gro
-set interfaces ethernet eth2 offload gso
-set interfaces ethernet eth2 offload sg
-set interfaces ethernet eth2 offload tso
-set interfaces ethernet eth3 offload gro
-set interfaces ethernet eth3 offload gso
-set interfaces ethernet eth3 offload sg
-set interfaces ethernet eth3 offload tso
-set interfaces ethernet eth3 ring-buffer rx '256'
-set interfaces ethernet eth3 ring-buffer tx '256'
-set interfaces ethernet eth3 vif 7
-set interfaces loopback lo address '172.16.254.30/32'
-set interfaces pppoe pppoe0 authentication password 'vyos'
-set interfaces pppoe pppoe0 authentication username 'vyos'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 address '1'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 sla-id '10'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1.20 address '1'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1.20 sla-id '20'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56'
-set interfaces pppoe pppoe0 ip adjust-mss '1452'
-set interfaces pppoe pppoe0 ipv6 address autoconf
-set interfaces pppoe pppoe0 ipv6 adjust-mss '1432'
-set interfaces pppoe pppoe0 no-peer-dns
-set interfaces pppoe pppoe0 source-interface 'eth3.7'
-set interfaces wireguard wg100 address '172.16.252.128/31'
-set interfaces wireguard wg100 mtu '1500'
-set interfaces wireguard wg100 peer HR6 address '100.65.151.213'
-set interfaces wireguard wg100 peer HR6 allowed-ips '0.0.0.0/0'
-set interfaces wireguard wg100 peer HR6 port '10100'
-set interfaces wireguard wg100 port '10100'
-set interfaces wireguard wg200 address '172.16.252.130/31'
-set interfaces wireguard wg200 mtu '1500'
-set interfaces wireguard wg200 peer WH56 address '80.151.69.205'
-set interfaces wireguard wg200 peer WH56 allowed-ips '0.0.0.0/0'
-set interfaces wireguard wg200 peer WH56 port '10200'
-set interfaces wireguard wg200 port '10200'
-set interfaces wireguard wg666 address '172.29.0.1/31'
-set interfaces wireguard wg666 mtu '1500'
-set interfaces wireguard wg666 peer WH34 address '100.65.55.1'
-set interfaces wireguard wg666 peer WH34 allowed-ips '0.0.0.0/0'
-set interfaces wireguard wg666 peer WH34 port '10666'
-set interfaces wireguard wg666 port '10666'
-set protocols ospf area 0 network '172.16.37.0/24'
-set protocols ospf area 0 network '172.16.254.30/32'
-set protocols ospf area 0 network '172.18.202.0/24'
-set protocols ospf area 0 network '172.18.203.0/24'
-set protocols ospf area 0 network '172.18.204.0/24'
-set protocols ospf interface eth0.5 authentication md5 key-id 10 md5-key 'ospf'
-set protocols ospf interface eth0.5 dead-interval '40'
-set protocols ospf interface eth0.5 hello-interval '10'
-set protocols ospf interface eth0.5 passive disable
-set protocols ospf interface eth0.5 priority '1'
-set protocols ospf interface eth0.5 retransmit-interval '5'
-set protocols ospf interface eth0.5 transmit-delay '1'
-set protocols ospf log-adjacency-changes detail
-set protocols ospf parameters router-id '172.16.254.30'
-set protocols ospf default-information originate always
-set protocols ospf default-information originate metric-type '2'
-set protocols ospf redistribute connected metric-type '2'
-set protocols ospf redistribute connected route-map 'MAP-OSPF-CONNECTED'
-set protocols static route 10.0.0.0/8 blackhole distance '254'
-set protocols static route 169.254.0.0/16 blackhole distance '254'
-set protocols static route 172.16.0.0/12 blackhole distance '254'
-set protocols static route 172.16.32.0/21 blackhole
-set protocols static route 172.18.0.0/16 blackhole
-set protocols static route 172.29.0.2/31 next-hop 172.29.0.0
-set protocols static route 192.168.0.0/16 blackhole distance '254'
-set protocols static route 192.168.189.0/24 next-hop 172.29.0.0
-set protocols static route6 2000::/3 interface pppoe0
-set protocols bfd peer 172.16.252.129
-set protocols bfd peer 172.16.252.131
-set protocols bfd peer 172.18.254.201
-set protocols bgp address-family ipv4-unicast network 172.16.32.0/21
-set protocols bgp address-family ipv4-unicast network 172.16.100.0/24
-set protocols bgp address-family ipv4-unicast network 172.16.252.128/31
-set protocols bgp address-family ipv4-unicast network 172.16.252.130/31
-set protocols bgp address-family ipv4-unicast network 172.16.254.30/32
-set protocols bgp address-family ipv4-unicast network 172.18.0.0/16
-set protocols bgp neighbor 172.16.252.129 peer-group 'WIREGUARD'
-set protocols bgp neighbor 172.16.252.131 peer-group 'WIREGUARD'
-set protocols bgp neighbor 172.18.254.201 address-family ipv4-unicast nexthop-self
-set protocols bgp neighbor 172.18.254.201 bfd
-set protocols bgp neighbor 172.18.254.201 remote-as '64503'
-set protocols bgp neighbor 172.18.254.201 update-source 'dum0'
-set protocols bgp parameters log-neighbor-changes
-set protocols bgp peer-group WIREGUARD address-family ipv4-unicast soft-reconfiguration inbound
-set protocols bgp peer-group WIREGUARD bfd
-set protocols bgp peer-group WIREGUARD remote-as 'external'
-set protocols bgp system-as '64503'
-set protocols bgp timers holdtime '30'
-set protocols bgp timers keepalive '10'
-set service lldp legacy-protocols cdp
-set service lldp legacy-protocols edp
-set service lldp legacy-protocols fdp
-set service lldp legacy-protocols sonmp
-set service lldp snmp
-set service ntp allow-client address '172.16.0.0/12'
-set service ntp server time1.vyos.net
-set service ntp server time2.vyos.net
-set service dhcp-server shared-network-name BACKBONE authoritative
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 lease '86400'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option default-router '172.16.37.254'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-name 'vyos.net'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-search 'vyos.net'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option name-server '172.16.254.30'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option ntp-server '172.16.254.30'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 start '172.16.37.120'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 stop '172.16.37.149'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1 ip-address '172.16.37.231'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1 mac '02:00:00:00:ee:18'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP2 ip-address '172.16.37.232'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP2 mac '02:00:00:00:52:84'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP3 ip-address '172.16.37.233'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP3 mac '02:00:00:00:51:c0'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP4 ip-address '172.16.37.234'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP4 mac '02:00:00:00:e6:fc'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP5 ip-address '172.16.37.235'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP5 mac '02:00:00:00:c3:50'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 subnet-id '1'
-set service dhcp-server shared-network-name GUEST authoritative
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 lease '86400'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option default-router '172.31.0.254'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-name 'vyos.net'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-search 'vyos.net'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option name-server '172.31.0.254'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 start '172.31.0.101'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 stop '172.31.0.199'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 subnet-id '2'
-set service dhcp-server shared-network-name LAN authoritative
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 lease '86400'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option default-router '172.16.33.254'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-name 'vyos.net'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-search 'vyos.net'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option name-server '172.16.254.30'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option ntp-server '172.16.254.30'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 start '172.16.33.100'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 stop '172.16.33.189'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping four ip-address '172.16.33.214'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping four mac '02:00:00:00:c4:33'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping one ip-address '172.16.33.221'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping one mac '02:00:00:00:eb:a6'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping three ip-address '172.16.33.212'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping three mac '02:00:00:00:12:c7'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping two ip-address '172.16.33.211'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping two mac '02:00:00:00:58:90'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 subnet-id '3'
-set service dns dynamic name service-vyos-pppoe0 address interface 'pppoe0'
-set service dns dynamic name service-vyos-pppoe0 host-name 'r1.vyos.net'
-set service dns dynamic name service-vyos-pppoe0 password 'vyos'
-set service dns dynamic name service-vyos-pppoe0 protocol 'dyndns2'
-set service dns dynamic name service-vyos-pppoe0 server 'dyndns.vyos.io'
-set service dns dynamic name service-vyos-pppoe0 username 'vyos-vyos'
-set service dns forwarding allow-from '172.16.0.0/12'
-set service dns forwarding domain 16.172.in-addr.arpa addnta
-set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.10
-set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.20
-set service dns forwarding domain 16.172.in-addr.arpa recursion-desired
-set service dns forwarding domain 18.172.in-addr.arpa addnta
-set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.10
-set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.20
-set service dns forwarding domain 18.172.in-addr.arpa recursion-desired
-set service dns forwarding domain vyos.net addnta
-set service dns forwarding domain vyos.net name-server 172.16.100.10
-set service dns forwarding domain vyos.net name-server 172.16.100.20
-set service dns forwarding domain vyos.net recursion-desired
-set service dns forwarding ignore-hosts-file
-set service dns forwarding listen-address '172.16.254.30'
-set service dns forwarding listen-address '172.31.0.254'
-set service dns forwarding negative-ttl '60'
-set service router-advert interface eth0.10 prefix ::/64 preferred-lifetime '2700'
-set service router-advert interface eth0.10 prefix ::/64 valid-lifetime '5400'
-set service router-advert interface eth1.20 prefix ::/64 preferred-lifetime '2700'
-set service router-advert interface eth1.20 prefix ::/64 valid-lifetime '5400'
-set service snmp community ro-community authorization 'ro'
-set service snmp community ro-community network '172.16.100.0/24'
-set service snmp contact 'VyOS'
-set service snmp listen-address 172.16.254.30 port '161'
-set service snmp location 'CLOUD'
-set system conntrack expect-table-size '2048'
-set system conntrack hash-size '32768'
-set system conntrack table-size '262144'
-set system domain-name 'vyos.net'
-set system host-name 'r1'
-set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
-set system login user vyos authentication plaintext-password ''
-set system option ctrl-alt-delete 'ignore'
-set system option performance 'latency'
-set system option startup-beep
-set system syslog global facility all level 'debug'
-set system syslog host 172.16.100.1 facility all level 'warning'
-set system console device ttyS0 speed '115200'
 set firewall global-options all-ping 'enable'
 set firewall global-options broadcast-ping 'disable'
 set firewall global-options ip-src-route 'disable'
 set firewall global-options ipv6-receive-redirects 'disable'
 set firewall global-options ipv6-src-route 'disable'
 set firewall global-options log-martians 'enable'
 set firewall global-options receive-redirects 'disable'
 set firewall global-options send-redirects 'enable'
 set firewall global-options source-validation 'disable'
 set firewall global-options syn-cookies 'enable'
 set firewall global-options timeout icmp '30'
 set firewall global-options timeout other '600'
 set firewall global-options timeout udp other '300'
 set firewall global-options timeout udp stream '300'
 set firewall global-options twa-hazards-protection 'disable'
+set firewall group address-group AUDIO-STREAM address '172.16.35.20'
+set firewall group address-group AUDIO-STREAM address '172.16.35.21'
+set firewall group address-group AUDIO-STREAM address '172.16.35.22'
+set firewall group address-group AUDIO-STREAM address '172.16.35.23'
 set firewall group address-group DMZ-RDP-SERVER address '172.16.33.40'
-set firewall group address-group DMZ-RDP-SERVER description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall group address-group DMZ-WEBSERVER address '172.16.36.10'
 set firewall group address-group DMZ-WEBSERVER address '172.16.36.40'
 set firewall group address-group DMZ-WEBSERVER address '172.16.36.20'
-set firewall group address-group DMZ-WEBSERVER description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall group address-group DOMAIN-CONTROLLER address '172.16.100.10'
 set firewall group address-group DOMAIN-CONTROLLER address '172.16.100.20'
-set firewall group address-group DOMAIN-CONTROLLER address '172.16.110.30'
-set firewall group address-group VIDEO address '172.16.33.211'
-set firewall group address-group VIDEO address '172.16.33.212'
-set firewall group address-group VIDEO address '172.16.33.213'
-set firewall group address-group VIDEO address '172.16.33.214'
+set firewall group address-group MEDIA-STREAMING-CLIENTS address '172.16.35.241'
+set firewall group address-group MEDIA-STREAMING-CLIENTS address '172.16.35.242'
+set firewall group address-group MEDIA-STREAMING-CLIENTS address '172.16.35.243'
 set firewall group ipv6-network-group LOCAL-ADDRESSES network 'ff02::/64'
 set firewall group ipv6-network-group LOCAL-ADDRESSES network 'fe80::/10'
-set firewall group network-group SSH-IN-ALLOW network '100.65.150.0/23'
-set firewall group network-group SSH-IN-ALLOW network '100.64.69.205/32'
-set firewall group network-group SSH-IN-ALLOW network '100.64.8.67/32'
-set firewall group network-group SSH-IN-ALLOW network '100.64.55.1/32'
+set firewall group network-group SSH-IN-ALLOW network '192.0.2.0/24'
+set firewall group network-group SSH-IN-ALLOW network '10.0.0.0/8'
+set firewall group network-group SSH-IN-ALLOW network '172.16.0.0/12'
+set firewall group network-group SSH-IN-ALLOW network '192.168.0.0/16'
+set firewall group port-group SMART-TV-PORTS port '5005-5006'
+set firewall group port-group SMART-TV-PORTS port '80'
+set firewall group port-group SMART-TV-PORTS port '443'
+set firewall group port-group SMART-TV-PORTS port '3722'
 set firewall ipv4 name DMZ-GUEST default-action 'drop'
 set firewall ipv4 name DMZ-GUEST default-log
 set firewall ipv4 name DMZ-GUEST rule 1 action 'return'
 set firewall ipv4 name DMZ-GUEST rule 1 state 'established'
 set firewall ipv4 name DMZ-GUEST rule 1 state 'related'
set firewall ipv4 name DMZ-GUEST rule 2 action 'drop' set firewall ipv4 name DMZ-GUEST rule 2 log set firewall ipv4 name DMZ-GUEST rule 2 state 'invalid' set firewall ipv4 name DMZ-LAN default-action 'drop' set firewall ipv4 name DMZ-LAN default-log -set firewall ipv4 name DMZ-LAN description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name DMZ-LAN rule 1 action 'return' -set firewall ipv4 name DMZ-LAN rule 1 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name DMZ-LAN rule 1 state 'established' set firewall ipv4 name DMZ-LAN rule 1 state 'related' set firewall ipv4 name DMZ-LAN rule 2 action 'drop' -set firewall ipv4 name DMZ-LAN rule 2 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name DMZ-LAN rule 2 log set firewall ipv4 name DMZ-LAN rule 2 state 'invalid' set firewall ipv4 name DMZ-LAN rule 100 action 'return' -set firewall ipv4 name DMZ-LAN rule 100 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. 
Stet clita kasd gubergren, no sea takimata' +set firewall ipv4 name DMZ-LAN rule 100 description 'NTP and LDAP to AD DC' set firewall ipv4 name DMZ-LAN rule 100 destination group address-group 'DOMAIN-CONTROLLER' set firewall ipv4 name DMZ-LAN rule 100 destination port '123,389,636' set firewall ipv4 name DMZ-LAN rule 100 protocol 'tcp_udp' set firewall ipv4 name DMZ-LAN rule 300 action 'return' -set firewall ipv4 name DMZ-LAN rule 300 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name DMZ-LAN rule 300 destination group address-group 'DMZ-RDP-SERVER' set firewall ipv4 name DMZ-LAN rule 300 destination port '3389' set firewall ipv4 name DMZ-LAN rule 300 protocol 'tcp_udp' set firewall ipv4 name DMZ-LAN rule 300 source address '172.16.36.20' set firewall ipv4 name DMZ-LOCAL default-action 'drop' set firewall ipv4 name DMZ-LOCAL default-log -set firewall ipv4 name DMZ-LOCAL description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name DMZ-LOCAL rule 1 action 'return' set firewall ipv4 name DMZ-LOCAL rule 1 state 'established' set firewall ipv4 name DMZ-LOCAL rule 1 state 'related' set firewall ipv4 name DMZ-LOCAL rule 2 action 'drop' set firewall ipv4 name DMZ-LOCAL rule 2 log set firewall ipv4 name DMZ-LOCAL rule 2 state 'invalid' set firewall ipv4 name DMZ-LOCAL rule 50 action 'return' -set firewall ipv4 name DMZ-LOCAL rule 50 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. 
At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name DMZ-LOCAL rule 50 destination address '172.16.254.30' set firewall ipv4 name DMZ-LOCAL rule 50 destination port '53' set firewall ipv4 name DMZ-LOCAL rule 50 protocol 'tcp_udp' set firewall ipv4 name DMZ-LOCAL rule 123 action 'return' set firewall ipv4 name DMZ-LOCAL rule 123 destination port '123' set firewall ipv4 name DMZ-LOCAL rule 123 protocol 'udp' +set firewall ipv4 name DMZ-LOCAL rule 800 action 'drop' +set firewall ipv4 name DMZ-LOCAL rule 800 description 'SSH anti brute force' +set firewall ipv4 name DMZ-LOCAL rule 800 destination port 'ssh' +set firewall ipv4 name DMZ-LOCAL rule 800 log +set firewall ipv4 name DMZ-LOCAL rule 800 protocol 'tcp' +set firewall ipv4 name DMZ-LOCAL rule 800 recent count '4' +set firewall ipv4 name DMZ-LOCAL rule 800 recent time 'minute' +set firewall ipv4 name DMZ-LOCAL rule 800 state 'new' set firewall ipv4 name DMZ-WAN default-action 'return' -set firewall ipv4 name DMZ-WAN description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. 
Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name GUEST-DMZ default-action 'drop' set firewall ipv4 name GUEST-DMZ default-log set firewall ipv4 name GUEST-DMZ rule 1 action 'return' set firewall ipv4 name GUEST-DMZ rule 1 state 'established' set firewall ipv4 name GUEST-DMZ rule 1 state 'related' set firewall ipv4 name GUEST-DMZ rule 2 action 'drop' set firewall ipv4 name GUEST-DMZ rule 2 log set firewall ipv4 name GUEST-DMZ rule 2 state 'invalid' +set firewall ipv4 name GUEST-DMZ rule 100 action 'return' +set firewall ipv4 name GUEST-DMZ rule 100 destination port '80,443' +set firewall ipv4 name GUEST-DMZ rule 100 protocol 'tcp' +set firewall ipv4 name GUEST-IOT default-action 'drop' +set firewall ipv4 name GUEST-IOT default-log +set firewall ipv4 name GUEST-IOT rule 1 action 'return' +set firewall ipv4 name GUEST-IOT rule 1 state 'established' +set firewall ipv4 name GUEST-IOT rule 1 state 'related' +set firewall ipv4 name GUEST-IOT rule 2 action 'drop' +set firewall ipv4 name GUEST-IOT rule 2 log +set firewall ipv4 name GUEST-IOT rule 2 state 'invalid' +set firewall ipv4 name GUEST-IOT rule 100 action 'return' +set firewall ipv4 name GUEST-IOT rule 100 description 'MEDIA-STREAMING-CLIENTS Devices to GUEST' +set firewall ipv4 name GUEST-IOT rule 100 destination group address-group 'MEDIA-STREAMING-CLIENTS' +set firewall ipv4 name GUEST-IOT rule 100 protocol 'tcp_udp' +set firewall ipv4 name GUEST-IOT rule 110 action 'return' +set firewall ipv4 name GUEST-IOT rule 110 description 'AUDIO-STREAM Devices to GUEST' +set firewall ipv4 name GUEST-IOT rule 110 destination group address-group 'AUDIO-STREAM' +set firewall ipv4 name GUEST-IOT rule 110 protocol 'tcp_udp' +set firewall ipv4 name GUEST-IOT rule 200 action 'return' +set firewall ipv4 name GUEST-IOT rule 200 description 'MCAST relay' +set firewall ipv4 name GUEST-IOT rule 200 destination address '224.0.0.251' +set firewall ipv4 name GUEST-IOT rule 200 destination port '5353' +set firewall ipv4 
name GUEST-IOT rule 200 protocol 'udp' +set firewall ipv4 name GUEST-IOT rule 300 action 'return' +set firewall ipv4 name GUEST-IOT rule 300 description 'BCAST relay' +set firewall ipv4 name GUEST-IOT rule 300 destination port '1900' +set firewall ipv4 name GUEST-IOT rule 300 protocol 'udp' set firewall ipv4 name GUEST-LAN default-action 'drop' set firewall ipv4 name GUEST-LAN default-log set firewall ipv4 name GUEST-LAN rule 1 action 'return' set firewall ipv4 name GUEST-LAN rule 1 state 'established' set firewall ipv4 name GUEST-LAN rule 1 state 'related' set firewall ipv4 name GUEST-LAN rule 2 action 'drop' set firewall ipv4 name GUEST-LAN rule 2 log set firewall ipv4 name GUEST-LAN rule 2 state 'invalid' set firewall ipv4 name GUEST-LOCAL default-action 'drop' set firewall ipv4 name GUEST-LOCAL default-log set firewall ipv4 name GUEST-LOCAL rule 1 action 'return' set firewall ipv4 name GUEST-LOCAL rule 1 state 'established' set firewall ipv4 name GUEST-LOCAL rule 1 state 'related' set firewall ipv4 name GUEST-LOCAL rule 2 action 'drop' set firewall ipv4 name GUEST-LOCAL rule 2 log set firewall ipv4 name GUEST-LOCAL rule 2 state 'invalid' set firewall ipv4 name GUEST-LOCAL rule 10 action 'return' +set firewall ipv4 name GUEST-LOCAL rule 10 description 'DNS' set firewall ipv4 name GUEST-LOCAL rule 10 destination address '172.31.0.254' set firewall ipv4 name GUEST-LOCAL rule 10 destination port '53' set firewall ipv4 name GUEST-LOCAL rule 10 protocol 'tcp_udp' set firewall ipv4 name GUEST-LOCAL rule 11 action 'return' +set firewall ipv4 name GUEST-LOCAL rule 11 description 'DHCP' set firewall ipv4 name GUEST-LOCAL rule 11 destination port '67' set firewall ipv4 name GUEST-LOCAL rule 11 protocol 'udp' set firewall ipv4 name GUEST-LOCAL rule 15 action 'return' set firewall ipv4 name GUEST-LOCAL rule 15 destination address '172.31.0.254' set firewall ipv4 name GUEST-LOCAL rule 15 protocol 'icmp' -set firewall ipv4 name GUEST-LOCAL rule 100 action 'return' -set 
firewall ipv4 name GUEST-LOCAL rule 100 destination address '172.31.0.254' -set firewall ipv4 name GUEST-LOCAL rule 100 destination port '80,443' -set firewall ipv4 name GUEST-LOCAL rule 100 protocol 'tcp' +set firewall ipv4 name GUEST-LOCAL rule 200 action 'return' +set firewall ipv4 name GUEST-LOCAL rule 200 description 'MCAST relay' +set firewall ipv4 name GUEST-LOCAL rule 200 destination address '224.0.0.251' +set firewall ipv4 name GUEST-LOCAL rule 200 destination port '5353' +set firewall ipv4 name GUEST-LOCAL rule 200 protocol 'udp' +set firewall ipv4 name GUEST-LOCAL rule 210 action 'return' +set firewall ipv4 name GUEST-LOCAL rule 210 description 'AUDIO-STREAM Broadcast' +set firewall ipv4 name GUEST-LOCAL rule 210 destination port '1900' +set firewall ipv4 name GUEST-LOCAL rule 210 protocol 'udp' set firewall ipv4 name GUEST-WAN default-action 'drop' set firewall ipv4 name GUEST-WAN default-log set firewall ipv4 name GUEST-WAN rule 1 action 'return' set firewall ipv4 name GUEST-WAN rule 1 state 'established' set firewall ipv4 name GUEST-WAN rule 1 state 'related' set firewall ipv4 name GUEST-WAN rule 2 action 'drop' set firewall ipv4 name GUEST-WAN rule 2 log set firewall ipv4 name GUEST-WAN rule 2 state 'invalid' set firewall ipv4 name GUEST-WAN rule 25 action 'return' +set firewall ipv4 name GUEST-WAN rule 25 description 'SMTP' set firewall ipv4 name GUEST-WAN rule 25 destination port '25,587' set firewall ipv4 name GUEST-WAN rule 25 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 53 action 'return' set firewall ipv4 name GUEST-WAN rule 53 destination port '53' set firewall ipv4 name GUEST-WAN rule 53 protocol 'tcp_udp' set firewall ipv4 name GUEST-WAN rule 60 action 'return' set firewall ipv4 name GUEST-WAN rule 60 source address '172.31.0.200' set firewall ipv4 name GUEST-WAN rule 80 action 'return' set firewall ipv4 name GUEST-WAN rule 80 source address '172.31.0.200' set firewall ipv4 name GUEST-WAN rule 100 action 'return' set firewall ipv4 
name GUEST-WAN rule 100 protocol 'icmp' set firewall ipv4 name GUEST-WAN rule 110 action 'return' +set firewall ipv4 name GUEST-WAN rule 110 description 'POP3' set firewall ipv4 name GUEST-WAN rule 110 destination port '110,995' +set firewall ipv4 name GUEST-WAN rule 110 limit rate '10/minute' set firewall ipv4 name GUEST-WAN rule 110 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 123 action 'return' +set firewall ipv4 name GUEST-WAN rule 123 description 'NTP Client' set firewall ipv4 name GUEST-WAN rule 123 destination port '123' set firewall ipv4 name GUEST-WAN rule 123 protocol 'udp' set firewall ipv4 name GUEST-WAN rule 143 action 'return' +set firewall ipv4 name GUEST-WAN rule 143 description 'IMAP' set firewall ipv4 name GUEST-WAN rule 143 destination port '143,993' set firewall ipv4 name GUEST-WAN rule 143 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 200 action 'return' set firewall ipv4 name GUEST-WAN rule 200 destination port '80,443' set firewall ipv4 name GUEST-WAN rule 200 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 500 action 'return' +set firewall ipv4 name GUEST-WAN rule 500 description 'L2TP IPSec' set firewall ipv4 name GUEST-WAN rule 500 destination port '500,4500' set firewall ipv4 name GUEST-WAN rule 500 protocol 'udp' set firewall ipv4 name GUEST-WAN rule 600 action 'return' set firewall ipv4 name GUEST-WAN rule 600 destination port '5222-5224' set firewall ipv4 name GUEST-WAN rule 600 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 601 action 'return' set firewall ipv4 name GUEST-WAN rule 601 destination port '3478-3497,4500,16384-16387,16393-16402' set firewall ipv4 name GUEST-WAN rule 601 protocol 'udp' set firewall ipv4 name GUEST-WAN rule 1000 action 'return' set firewall ipv4 name GUEST-WAN rule 1000 source address '172.31.0.184' +set firewall ipv4 name IOT-GUEST default-action 'drop' +set firewall ipv4 name IOT-GUEST default-log +set firewall ipv4 name IOT-GUEST rule 1 action 'return' +set firewall ipv4 name 
IOT-GUEST rule 1 state 'established' +set firewall ipv4 name IOT-GUEST rule 1 state 'related' +set firewall ipv4 name IOT-GUEST rule 2 action 'drop' +set firewall ipv4 name IOT-GUEST rule 2 log +set firewall ipv4 name IOT-GUEST rule 2 state 'invalid' +set firewall ipv4 name IOT-GUEST rule 100 action 'return' +set firewall ipv4 name IOT-GUEST rule 100 description 'MEDIA-STREAMING-CLIENTS Devices to IOT' +set firewall ipv4 name IOT-GUEST rule 100 protocol 'tcp_udp' +set firewall ipv4 name IOT-GUEST rule 100 source group address-group 'MEDIA-STREAMING-CLIENTS' +set firewall ipv4 name IOT-GUEST rule 110 action 'return' +set firewall ipv4 name IOT-GUEST rule 110 description 'AUDIO-STREAM Devices to IOT' +set firewall ipv4 name IOT-GUEST rule 110 protocol 'tcp_udp' +set firewall ipv4 name IOT-GUEST rule 110 source group address-group 'AUDIO-STREAM' +set firewall ipv4 name IOT-GUEST rule 200 action 'return' +set firewall ipv4 name IOT-GUEST rule 200 description 'MCAST relay' +set firewall ipv4 name IOT-GUEST rule 200 destination address '224.0.0.251' +set firewall ipv4 name IOT-GUEST rule 200 destination port '5353' +set firewall ipv4 name IOT-GUEST rule 200 protocol 'udp' +set firewall ipv4 name IOT-GUEST rule 300 action 'return' +set firewall ipv4 name IOT-GUEST rule 300 description 'BCAST relay' +set firewall ipv4 name IOT-GUEST rule 300 destination port '1900' +set firewall ipv4 name IOT-GUEST rule 300 protocol 'udp' +set firewall ipv4 name IOT-LAN default-action 'drop' +set firewall ipv4 name IOT-LAN default-log +set firewall ipv4 name IOT-LAN rule 1 action 'return' +set firewall ipv4 name IOT-LAN rule 1 state 'established' +set firewall ipv4 name IOT-LAN rule 1 state 'related' +set firewall ipv4 name IOT-LAN rule 2 action 'drop' +set firewall ipv4 name IOT-LAN rule 2 log +set firewall ipv4 name IOT-LAN rule 2 state 'invalid' +set firewall ipv4 name IOT-LAN rule 100 action 'return' +set firewall ipv4 name IOT-LAN rule 100 description 'AppleTV to LAN' +set firewall 
ipv4 name IOT-LAN rule 100 destination group port-group 'SMART-TV-PORTS' +set firewall ipv4 name IOT-LAN rule 100 protocol 'tcp_udp' +set firewall ipv4 name IOT-LAN rule 100 source group address-group 'MEDIA-STREAMING-CLIENTS' +set firewall ipv4 name IOT-LAN rule 110 action 'return' +set firewall ipv4 name IOT-LAN rule 110 description 'AUDIO-STREAM Devices to LAN' +set firewall ipv4 name IOT-LAN rule 110 protocol 'tcp_udp' +set firewall ipv4 name IOT-LAN rule 110 source group address-group 'AUDIO-STREAM' +set firewall ipv4 name IOT-LOCAL default-action 'drop' +set firewall ipv4 name IOT-LOCAL default-log +set firewall ipv4 name IOT-LOCAL rule 1 action 'return' +set firewall ipv4 name IOT-LOCAL rule 1 state 'established' +set firewall ipv4 name IOT-LOCAL rule 1 state 'related' +set firewall ipv4 name IOT-LOCAL rule 2 action 'drop' +set firewall ipv4 name IOT-LOCAL rule 2 log +set firewall ipv4 name IOT-LOCAL rule 2 state 'invalid' +set firewall ipv4 name IOT-LOCAL rule 10 action 'return' +set firewall ipv4 name IOT-LOCAL rule 10 description 'DNS' +set firewall ipv4 name IOT-LOCAL rule 10 destination address '172.16.254.30' +set firewall ipv4 name IOT-LOCAL rule 10 destination port '53' +set firewall ipv4 name IOT-LOCAL rule 10 protocol 'tcp_udp' +set firewall ipv4 name IOT-LOCAL rule 11 action 'return' +set firewall ipv4 name IOT-LOCAL rule 11 description 'DHCP' +set firewall ipv4 name IOT-LOCAL rule 11 destination port '67' +set firewall ipv4 name IOT-LOCAL rule 11 protocol 'udp' +set firewall ipv4 name IOT-LOCAL rule 15 action 'return' +set firewall ipv4 name IOT-LOCAL rule 15 destination address '172.16.35.254' +set firewall ipv4 name IOT-LOCAL rule 15 protocol 'icmp' +set firewall ipv4 name IOT-LOCAL rule 200 action 'return' +set firewall ipv4 name IOT-LOCAL rule 200 description 'MCAST relay' +set firewall ipv4 name IOT-LOCAL rule 200 destination address '224.0.0.251' +set firewall ipv4 name IOT-LOCAL rule 200 destination port '5353' +set firewall ipv4 name 
IOT-LOCAL rule 200 protocol 'udp' +set firewall ipv4 name IOT-LOCAL rule 201 action 'return' +set firewall ipv4 name IOT-LOCAL rule 201 description 'MCAST relay' +set firewall ipv4 name IOT-LOCAL rule 201 destination address '172.16.35.254' +set firewall ipv4 name IOT-LOCAL rule 201 destination port '5353' +set firewall ipv4 name IOT-LOCAL rule 201 protocol 'udp' +set firewall ipv4 name IOT-LOCAL rule 210 action 'return' +set firewall ipv4 name IOT-LOCAL rule 210 description 'AUDIO-STREAM Broadcast' +set firewall ipv4 name IOT-LOCAL rule 210 destination port '1900,1902,6969' +set firewall ipv4 name IOT-LOCAL rule 210 protocol 'udp' +set firewall ipv4 name IOT-WAN default-action 'return' set firewall ipv4 name LAN-DMZ default-action 'drop' set firewall ipv4 name LAN-DMZ default-log set firewall ipv4 name LAN-DMZ rule 1 action 'return' set firewall ipv4 name LAN-DMZ rule 1 state 'established' set firewall ipv4 name LAN-DMZ rule 1 state 'related' set firewall ipv4 name LAN-DMZ rule 2 action 'drop' set firewall ipv4 name LAN-DMZ rule 2 log set firewall ipv4 name LAN-DMZ rule 2 state 'invalid' set firewall ipv4 name LAN-DMZ rule 22 action 'return' +set firewall ipv4 name LAN-DMZ rule 22 description 'SSH into DMZ' set firewall ipv4 name LAN-DMZ rule 22 destination port '22' set firewall ipv4 name LAN-DMZ rule 22 protocol 'tcp' set firewall ipv4 name LAN-DMZ rule 100 action 'return' set firewall ipv4 name LAN-DMZ rule 100 destination group address-group 'DMZ-WEBSERVER' -set firewall ipv4 name LAN-DMZ rule 100 destination port '22' +set firewall ipv4 name LAN-DMZ rule 100 destination port '22,80,443' set firewall ipv4 name LAN-DMZ rule 100 protocol 'tcp' set firewall ipv4 name LAN-GUEST default-action 'drop' set firewall ipv4 name LAN-GUEST default-log set firewall ipv4 name LAN-GUEST rule 1 action 'return' set firewall ipv4 name LAN-GUEST rule 1 state 'established' set firewall ipv4 name LAN-GUEST rule 1 state 'related' set firewall ipv4 name LAN-GUEST rule 2 action 
'drop' set firewall ipv4 name LAN-GUEST rule 2 log set firewall ipv4 name LAN-GUEST rule 2 state 'invalid' +set firewall ipv4 name LAN-IOT default-action 'return' set firewall ipv4 name LAN-LOCAL default-action 'return' set firewall ipv4 name LAN-WAN default-action 'return' -set firewall ipv4 name LAN-WAN rule 90 action 'return' -set firewall ipv4 name LAN-WAN rule 90 destination address '100.65.150.0/23' -set firewall ipv4 name LAN-WAN rule 90 destination port '25' -set firewall ipv4 name LAN-WAN rule 90 protocol 'tcp_udp' -set firewall ipv4 name LAN-WAN rule 90 source group address-group 'VIDEO' -set firewall ipv4 name LAN-WAN rule 100 action 'drop' -set firewall ipv4 name LAN-WAN rule 100 source group address-group 'VIDEO' set firewall ipv4 name LOCAL-DMZ default-action 'drop' set firewall ipv4 name LOCAL-DMZ default-log set firewall ipv4 name LOCAL-DMZ rule 1 action 'return' set firewall ipv4 name LOCAL-DMZ rule 1 state 'established' set firewall ipv4 name LOCAL-DMZ rule 1 state 'related' set firewall ipv4 name LOCAL-DMZ rule 2 action 'drop' set firewall ipv4 name LOCAL-DMZ rule 2 log set firewall ipv4 name LOCAL-DMZ rule 2 state 'invalid' -set firewall ipv4 name LOCAL-DMZ rule 100 action 'return' -set firewall ipv4 name LOCAL-DMZ rule 100 destination address '172.16.36.40' -set firewall ipv4 name LOCAL-DMZ rule 100 destination port '80,443' -set firewall ipv4 name LOCAL-DMZ rule 100 protocol 'tcp' set firewall ipv4 name LOCAL-GUEST default-action 'drop' set firewall ipv4 name LOCAL-GUEST default-log set firewall ipv4 name LOCAL-GUEST rule 1 action 'return' set firewall ipv4 name LOCAL-GUEST rule 1 state 'established' set firewall ipv4 name LOCAL-GUEST rule 1 state 'related' set firewall ipv4 name LOCAL-GUEST rule 2 action 'drop' set firewall ipv4 name LOCAL-GUEST rule 2 log set firewall ipv4 name LOCAL-GUEST rule 2 state 'invalid' set firewall ipv4 name LOCAL-GUEST rule 5 action 'return' set firewall ipv4 name LOCAL-GUEST rule 5 protocol 'icmp' +set firewall 
ipv4 name LOCAL-GUEST rule 200 action 'return' +set firewall ipv4 name LOCAL-GUEST rule 200 description 'MCAST relay' +set firewall ipv4 name LOCAL-GUEST rule 200 destination address '224.0.0.251' +set firewall ipv4 name LOCAL-GUEST rule 200 destination port '5353' +set firewall ipv4 name LOCAL-GUEST rule 200 protocol 'udp' set firewall ipv4 name LOCAL-GUEST rule 300 action 'return' +set firewall ipv4 name LOCAL-GUEST rule 300 description 'BCAST relay' set firewall ipv4 name LOCAL-GUEST rule 300 destination port '1900' set firewall ipv4 name LOCAL-GUEST rule 300 protocol 'udp' +set firewall ipv4 name LOCAL-IOT default-action 'drop' +set firewall ipv4 name LOCAL-IOT default-log +set firewall ipv4 name LOCAL-IOT rule 1 action 'return' +set firewall ipv4 name LOCAL-IOT rule 1 state 'established' +set firewall ipv4 name LOCAL-IOT rule 1 state 'related' +set firewall ipv4 name LOCAL-IOT rule 2 action 'drop' +set firewall ipv4 name LOCAL-IOT rule 2 log +set firewall ipv4 name LOCAL-IOT rule 2 state 'invalid' +set firewall ipv4 name LOCAL-IOT rule 5 action 'return' +set firewall ipv4 name LOCAL-IOT rule 5 protocol 'icmp' +set firewall ipv4 name LOCAL-IOT rule 200 action 'return' +set firewall ipv4 name LOCAL-IOT rule 200 description 'MCAST relay' +set firewall ipv4 name LOCAL-IOT rule 200 destination address '224.0.0.251' +set firewall ipv4 name LOCAL-IOT rule 200 destination port '5353' +set firewall ipv4 name LOCAL-IOT rule 200 protocol 'udp' +set firewall ipv4 name LOCAL-IOT rule 300 action 'return' +set firewall ipv4 name LOCAL-IOT rule 300 description 'BCAST relay' +set firewall ipv4 name LOCAL-IOT rule 300 destination port '1900,6969' +set firewall ipv4 name LOCAL-IOT rule 300 protocol 'udp' set firewall ipv4 name LOCAL-LAN default-action 'return' set firewall ipv4 name LOCAL-WAN default-action 'drop' set firewall ipv4 name LOCAL-WAN default-log set firewall ipv4 name LOCAL-WAN rule 1 action 'return' set firewall ipv4 name LOCAL-WAN rule 1 state 'established' set 
firewall ipv4 name LOCAL-WAN rule 1 state 'related' set firewall ipv4 name LOCAL-WAN rule 2 action 'drop' set firewall ipv4 name LOCAL-WAN rule 2 log set firewall ipv4 name LOCAL-WAN rule 2 state 'invalid' set firewall ipv4 name LOCAL-WAN rule 10 action 'return' set firewall ipv4 name LOCAL-WAN rule 10 protocol 'icmp' set firewall ipv4 name LOCAL-WAN rule 50 action 'return' +set firewall ipv4 name LOCAL-WAN rule 50 description 'DNS' set firewall ipv4 name LOCAL-WAN rule 50 destination port '53' set firewall ipv4 name LOCAL-WAN rule 50 protocol 'tcp_udp' set firewall ipv4 name LOCAL-WAN rule 80 action 'return' set firewall ipv4 name LOCAL-WAN rule 80 destination port '80,443' set firewall ipv4 name LOCAL-WAN rule 80 protocol 'tcp' set firewall ipv4 name LOCAL-WAN rule 123 action 'return' +set firewall ipv4 name LOCAL-WAN rule 123 description 'NTP' set firewall ipv4 name LOCAL-WAN rule 123 destination port '123' set firewall ipv4 name LOCAL-WAN rule 123 protocol 'udp' -set firewall ipv4 name LOCAL-WAN rule 800 action 'return' -set firewall ipv4 name LOCAL-WAN rule 800 destination address '100.65.151.213' -set firewall ipv4 name LOCAL-WAN rule 800 protocol 'udp' -set firewall ipv4 name LOCAL-WAN rule 805 action 'return' -set firewall ipv4 name LOCAL-WAN rule 805 destination address '100.65.151.2' -set firewall ipv4 name LOCAL-WAN rule 805 protocol 'all' -set firewall ipv4 name LOCAL-WAN rule 1010 action 'return' -set firewall ipv4 name LOCAL-WAN rule 1010 destination address '100.64.69.205' -set firewall ipv4 name LOCAL-WAN rule 1010 destination port '7705' -set firewall ipv4 name LOCAL-WAN rule 1010 protocol 'udp' -set firewall ipv4 name LOCAL-WAN rule 1010 source port '7705' -set firewall ipv4 name LOCAL-WAN rule 1990 action 'return' -set firewall ipv4 name LOCAL-WAN rule 1990 destination address '100.64.55.1' -set firewall ipv4 name LOCAL-WAN rule 1990 destination port '10666' -set firewall ipv4 name LOCAL-WAN rule 1990 protocol 'udp' -set firewall ipv4 name 
LOCAL-WAN rule 2000 action 'return'
-set firewall ipv4 name LOCAL-WAN rule 2000 destination address '100.64.39.249'
-set firewall ipv4 name LOCAL-WAN rule 10200 action 'return'
-set firewall ipv4 name LOCAL-WAN rule 10200 destination address '100.64.89.98'
-set firewall ipv4 name LOCAL-WAN rule 10200 destination port '10200'
-set firewall ipv4 name LOCAL-WAN rule 10200 protocol 'udp'
-set firewall ipv4 name LOCAL-WAN rule 10200 source port '10200'
 set firewall ipv4 name WAN-DMZ default-action 'drop'
 set firewall ipv4 name WAN-DMZ default-log
 set firewall ipv4 name WAN-DMZ rule 1 action 'return'
 set firewall ipv4 name WAN-DMZ rule 1 state 'established'
 set firewall ipv4 name WAN-DMZ rule 1 state 'related'
 set firewall ipv4 name WAN-DMZ rule 2 action 'drop'
 set firewall ipv4 name WAN-DMZ rule 2 log
 set firewall ipv4 name WAN-DMZ rule 2 state 'invalid'
 set firewall ipv4 name WAN-DMZ rule 100 action 'return'
 set firewall ipv4 name WAN-DMZ rule 100 destination address '172.16.36.10'
 set firewall ipv4 name WAN-DMZ rule 100 destination port '80,443'
 set firewall ipv4 name WAN-DMZ rule 100 protocol 'tcp'
 set firewall ipv4 name WAN-GUEST default-action 'drop'
 set firewall ipv4 name WAN-GUEST default-log
 set firewall ipv4 name WAN-GUEST rule 1 action 'return'
 set firewall ipv4 name WAN-GUEST rule 1 state 'established'
 set firewall ipv4 name WAN-GUEST rule 1 state 'related'
 set firewall ipv4 name WAN-GUEST rule 2 action 'drop'
 set firewall ipv4 name WAN-GUEST rule 2 log
 set firewall ipv4 name WAN-GUEST rule 2 state 'invalid'
 set firewall ipv4 name WAN-GUEST rule 1000 action 'return'
 set firewall ipv4 name WAN-GUEST rule 1000 destination address '172.31.0.184'
 set firewall ipv4 name WAN-GUEST rule 8000 action 'return'
 set firewall ipv4 name WAN-GUEST rule 8000 destination address '172.31.0.200'
 set firewall ipv4 name WAN-GUEST rule 8000 destination port '10000'
 set firewall ipv4 name WAN-GUEST rule 8000 protocol 'udp'
+set firewall ipv4 name WAN-IOT default-action 'drop'
+set firewall ipv4 name WAN-IOT default-log
+set firewall ipv4 name WAN-IOT rule 1 action 'return'
+set firewall ipv4 name WAN-IOT rule 1 state 'established'
+set firewall ipv4 name WAN-IOT rule 1 state 'related'
+set firewall ipv4 name WAN-IOT rule 2 action 'drop'
+set firewall ipv4 name WAN-IOT rule 2 log
+set firewall ipv4 name WAN-IOT rule 2 state 'invalid'
 set firewall ipv4 name WAN-LAN default-action 'drop'
 set firewall ipv4 name WAN-LAN default-log
-set firewall ipv4 name WAN-LAN description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name WAN-LAN rule 1 action 'return'
-set firewall ipv4 name WAN-LAN rule 1 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name WAN-LAN rule 1 state 'established'
 set firewall ipv4 name WAN-LAN rule 1 state 'related'
 set firewall ipv4 name WAN-LAN rule 2 action 'drop'
 set firewall ipv4 name WAN-LAN rule 2 log
 set firewall ipv4 name WAN-LAN rule 2 state 'invalid'
 set firewall ipv4 name WAN-LAN rule 1000 action 'return'
 set firewall ipv4 name WAN-LAN rule 1000 destination address '172.16.33.40'
 set firewall ipv4 name WAN-LAN rule 1000 destination port '3389'
 set firewall ipv4 name WAN-LAN rule 1000 protocol 'tcp'
 set firewall ipv4 name WAN-LAN rule 1000 source group network-group 'SSH-IN-ALLOW'
 set firewall ipv4 name WAN-LOCAL default-action 'drop'
+set firewall ipv4 name WAN-LOCAL default-log
 set firewall ipv4 name WAN-LOCAL rule 1 action 'return'
 set firewall ipv4 name WAN-LOCAL rule 1 state 'established'
 set firewall ipv4 name WAN-LOCAL rule 1 state 'related'
 set firewall ipv4 name WAN-LOCAL rule 2 action 'drop'
 set firewall ipv4 name WAN-LOCAL rule 2 log
 set firewall ipv4 name WAN-LOCAL rule 2 state 'invalid'
 set firewall ipv4 name WAN-LOCAL rule 22 action 'return'
 set firewall ipv4 name WAN-LOCAL rule 22 destination port '22'
 set firewall ipv4 name WAN-LOCAL rule 22 protocol 'tcp'
 set firewall ipv4 name WAN-LOCAL rule 22 source group network-group 'SSH-IN-ALLOW'
-set firewall ipv4 name WAN-LOCAL rule 1990 action 'return'
-set firewall ipv4 name WAN-LOCAL rule 1990 destination port '10666'
-set firewall ipv4 name WAN-LOCAL rule 1990 protocol 'udp'
-set firewall ipv4 name WAN-LOCAL rule 1990 source address '100.64.55.1'
-set firewall ipv4 name WAN-LOCAL rule 10000 action 'return'
-set firewall ipv4 name WAN-LOCAL rule 10000 destination port '80,443'
-set firewall ipv4 name WAN-LOCAL rule 10000 protocol 'tcp'
-set firewall ipv4 name WAN-LOCAL rule 10100 action 'return'
-set firewall ipv4 name WAN-LOCAL rule 10100 destination port '10100'
-set firewall ipv4 name WAN-LOCAL rule 10100 protocol 'udp'
-set firewall ipv4 name WAN-LOCAL rule 10100 source port '10100'
-set firewall ipv4 name WAN-LOCAL rule 10200 action 'return'
-set firewall ipv4 name WAN-LOCAL rule 10200 destination port '10200'
-set firewall ipv4 name WAN-LOCAL rule 10200 protocol 'udp'
-set firewall ipv4 name WAN-LOCAL rule 10200 source address '100.64.89.98'
-set firewall ipv4 name WAN-LOCAL rule 10200 source port '10200'
 set firewall ipv6 name ALLOW-ALL-6 default-action 'return'
-set firewall ipv6 name ALLOW-ALL-6 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv6 name ALLOW-BASIC-6 default-action 'drop'
 set firewall ipv6 name ALLOW-BASIC-6 default-log
-set firewall ipv6 name ALLOW-BASIC-6 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv6 name ALLOW-BASIC-6 rule 1 action 'return'
-set firewall ipv6 name ALLOW-BASIC-6 rule 1 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv6 name ALLOW-BASIC-6 rule 1 state 'established'
 set firewall ipv6 name ALLOW-BASIC-6 rule 1 state 'related'
 set firewall ipv6 name ALLOW-BASIC-6 rule 2 action 'drop'
-set firewall ipv6 name ALLOW-BASIC-6 rule 2 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv6 name ALLOW-BASIC-6 rule 2 state 'invalid'
 set firewall ipv6 name ALLOW-BASIC-6 rule 10 action 'return'
 set firewall ipv6 name ALLOW-BASIC-6 rule 10 protocol 'ipv6-icmp'
+set firewall ipv6 name ALLOW-BASIC-6 rule 15 action 'return'
+set firewall ipv6 name ALLOW-BASIC-6 rule 15 icmpv6 type '1'
+set firewall ipv6 name ALLOW-BASIC-6 rule 15 protocol 'ipv6-icmp'
+set firewall ipv6 name ALLOW-BASIC-6 rule 16 action 'return'
+set firewall ipv6 name ALLOW-BASIC-6 rule 16 icmpv6 code '1'
+set firewall ipv6 name ALLOW-BASIC-6 rule 16 icmpv6 type '1'
+set firewall ipv6 name ALLOW-BASIC-6 rule 16 protocol 'ipv6-icmp'
+set firewall ipv6 name ALLOW-BASIC-6 rule 17 action 'return'
+set firewall ipv6 name ALLOW-BASIC-6 rule 17 icmpv6 type-name 'destination-unreachable'
+set firewall ipv6 name ALLOW-BASIC-6 rule 17 protocol 'ipv6-icmp'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 default-action 'drop'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 default-log
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 1 action 'return'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 1 state 'established'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 1 state 'related'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 2 action 'drop'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 2 state 'invalid'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 action 'return'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 destination group network-group 'LOCAL-ADDRESSES'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 protocol 'ipv6-icmp'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 source address 'fe80::/10'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 20 action 'return'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 20 icmpv6 type-name 'echo-request'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 20 protocol 'ipv6-icmp'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 21 action 'return'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 21 icmpv6 type-name 'destination-unreachable'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 21 protocol 'ipv6-icmp'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 22 action 'return'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 22 icmpv6 type-name 'packet-too-big'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 22 protocol 'ipv6-icmp'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 23 action 'return'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 23 icmpv6 type-name 'time-exceeded'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 23 protocol 'ipv6-icmp'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 24 action 'return'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 24 icmpv6 type-name 'parameter-problem'
 set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 24 protocol 'ipv6-icmp'
 set firewall ipv6 name WAN-LOCAL-6 default-action 'drop'
 set firewall ipv6 name WAN-LOCAL-6 default-log
 set firewall ipv6 name WAN-LOCAL-6 rule 1 action 'return'
 set firewall ipv6 name WAN-LOCAL-6 rule 1 state 'established'
 set firewall ipv6 name WAN-LOCAL-6 rule 1 state 'related'
 set firewall ipv6 name WAN-LOCAL-6 rule 2 action 'drop'
 set firewall ipv6 name WAN-LOCAL-6 rule 2 state 'invalid'
 set firewall ipv6 name WAN-LOCAL-6 rule 10 action 'return'
 set firewall ipv6 name WAN-LOCAL-6 rule 10 destination address 'ff02::/64'
 set firewall ipv6 name WAN-LOCAL-6 rule 10 protocol 'ipv6-icmp'
 set firewall ipv6 name WAN-LOCAL-6 rule 10 source address 'fe80::/10'
 set firewall ipv6 name WAN-LOCAL-6 rule 50 action 'return'
+set firewall ipv6 name WAN-LOCAL-6 rule 50 description 'DHCPv6'
 set firewall ipv6 name WAN-LOCAL-6 rule 50 destination address 'fe80::/10'
 set firewall ipv6 name WAN-LOCAL-6 rule 50 destination port '546'
 set firewall ipv6 name WAN-LOCAL-6 rule 50 protocol 'udp'
 set firewall ipv6 name WAN-LOCAL-6 rule 50 source address 'fe80::/10'
 set firewall ipv6 name WAN-LOCAL-6 rule 50 source port '547'
 set firewall zone DMZ default-action 'drop'
 set firewall zone DMZ from GUEST firewall name 'GUEST-DMZ'
 set firewall zone DMZ from LAN firewall name 'LAN-DMZ'
 set firewall zone DMZ from LOCAL firewall name 'LOCAL-DMZ'
 set firewall zone DMZ from WAN firewall name 'WAN-DMZ'
 set firewall zone DMZ interface 'eth0.50'
 set firewall zone GUEST default-action 'drop'
 set firewall zone GUEST from DMZ firewall name 'DMZ-GUEST'
+set firewall zone GUEST from IOT firewall name 'IOT-GUEST'
 set firewall zone GUEST from LAN firewall name 'LAN-GUEST'
 set firewall zone GUEST from LOCAL firewall ipv6-name 'ALLOW-ALL-6'
 set firewall zone GUEST from LOCAL firewall name 'LOCAL-GUEST'
 set firewall zone GUEST from WAN firewall ipv6-name 'ALLOW-ESTABLISHED-6'
 set firewall zone GUEST from WAN firewall name 'WAN-GUEST'
-set firewall zone GUEST interface 'eth1.20'
+set firewall zone GUEST interface 'eth0.20'
+set firewall zone IOT default-action 'drop'
+set firewall zone IOT from GUEST firewall name 'GUEST-IOT'
+set firewall zone IOT from LAN firewall name 'LAN-IOT'
+set firewall zone IOT from LOCAL firewall name 'LOCAL-IOT'
+set firewall zone IOT from WAN firewall name 'WAN-IOT'
+set firewall zone IOT interface 'eth0.35'
 set firewall zone LAN default-action 'drop'
 set firewall zone LAN from DMZ firewall name 'DMZ-LAN'
 set firewall zone LAN from GUEST firewall name 'GUEST-LAN'
+set firewall zone LAN from IOT firewall name 'IOT-LAN'
 set firewall zone LAN from LOCAL firewall ipv6-name 'ALLOW-ALL-6'
 set firewall zone LAN from LOCAL firewall name 'LOCAL-LAN'
 set firewall zone LAN from WAN firewall ipv6-name 'ALLOW-ESTABLISHED-6'
 set firewall zone LAN from WAN firewall name 'WAN-LAN'
 set firewall zone LAN interface 'eth0.5'
 set firewall zone LAN interface 'eth0.10'
-set firewall zone LAN interface 'wg100'
-set firewall zone LAN interface 'wg200'
+set firewall zone LAN interface 'eth0.100'
+set firewall zone LAN interface 'eth0.201'
+set firewall zone LAN interface 'eth0.202'
+set firewall zone LAN interface 'eth0.203'
+set firewall zone LAN interface 'eth0.204'
 set firewall zone LOCAL default-action 'drop'
 set firewall zone LOCAL from DMZ firewall name 'DMZ-LOCAL'
 set firewall zone LOCAL from GUEST firewall ipv6-name 'ALLOW-ESTABLISHED-6'
 set firewall zone LOCAL from GUEST firewall name 'GUEST-LOCAL'
+set firewall zone LOCAL from IOT firewall name 'IOT-LOCAL'
 set firewall zone LOCAL from LAN firewall ipv6-name 'ALLOW-ALL-6'
 set firewall zone LOCAL from LAN firewall name 'LAN-LOCAL'
 set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-LOCAL-6'
 set firewall zone LOCAL from WAN firewall name 'WAN-LOCAL'
 set firewall zone LOCAL local-zone
 set firewall zone WAN default-action 'drop'
 set firewall zone WAN from DMZ firewall name 'DMZ-WAN'
 set firewall zone WAN from GUEST firewall ipv6-name 'ALLOW-ALL-6'
 set firewall zone WAN from GUEST firewall name 'GUEST-WAN'
+set firewall zone WAN from IOT firewall name 'IOT-WAN'
 set firewall zone WAN from LAN firewall ipv6-name 'ALLOW-ALL-6'
 set firewall zone WAN from LAN firewall name 'LAN-WAN'
 set firewall zone WAN from LOCAL firewall ipv6-name 'ALLOW-ALL-6'
 set firewall zone WAN from LOCAL firewall name 'LOCAL-WAN'
 set firewall zone WAN interface 'pppoe0'
-set firewall zone WAN interface 'wg666'
+set interfaces dummy dum0 address '172.16.254.30/32'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth0 vif 5 address '172.16.37.254/24'
+set interfaces ethernet eth0 vif 10 address '172.16.33.254/24'
+set interfaces ethernet eth0 vif 10 ip adjust-mss '1320'
+set interfaces ethernet eth0 vif 10 ipv6 adjust-mss '1300'
+set interfaces ethernet eth0 vif 20 address '172.31.0.254/24'
+set interfaces ethernet eth0 vif 35 address '172.16.35.254/24'
+set interfaces ethernet eth0 vif 50 address '172.16.36.254/24'
+set interfaces ethernet eth0 vif 100 address '172.16.100.254/24'
+set interfaces ethernet eth0 vif 201 address '172.18.201.254/24'
+set interfaces ethernet eth0 vif 202 address '172.18.202.254/24'
+set interfaces ethernet eth0 vif 203 address '172.18.203.254/24'
+set interfaces ethernet eth0 vif 204 address '172.18.204.254/24'
+set interfaces ethernet eth1 vif 7 description 'FTTH-PPPoE'
+set interfaces loopback lo address '172.16.254.30/32'
+set interfaces pppoe pppoe0 authentication password 'vyos'
+set interfaces pppoe pppoe0 authentication username 'vyos'
+set interfaces pppoe pppoe0 description 'FTTH 100/50MBit'
+set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 address '1'
+set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 sla-id '10'
+set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.20 address '1'
+set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.20 sla-id '20'
+set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56'
+set interfaces pppoe pppoe0 ip adjust-mss '1452'
+set interfaces pppoe pppoe0 ipv6 address autoconf
+set interfaces pppoe pppoe0 ipv6 adjust-mss '1432'
+set interfaces pppoe pppoe0 mtu '1492'
+set interfaces pppoe pppoe0 no-peer-dns
+set interfaces pppoe pppoe0 source-interface 'eth1.7'
+set nat destination rule 100 description 'HTTP(S)'
+set nat destination rule 100 destination port '80,443'
+set nat destination rule 100 inbound-interface name 'pppoe0'
+set nat destination rule 100 log
+set nat destination rule 100 protocol 'tcp'
+set nat destination rule 100 translation address '172.16.36.10'
+set nat destination rule 1000 destination port '3389'
+set nat destination rule 1000 disable
+set nat destination rule 1000 inbound-interface name 'pppoe0'
+set nat destination rule 1000 protocol 'tcp'
+set nat destination rule 1000 translation address '172.16.33.40'
 set nat destination rule 8000 destination port '10000'
 set nat destination rule 8000 inbound-interface name 'pppoe0'
+set nat destination rule 8000 log
 set nat destination rule 8000 protocol 'udp'
 set nat destination rule 8000 translation address '172.31.0.200'
-set nat source rule 50 outbound-interface name 'pppoe0'
-set nat source rule 50 source address '100.64.0.0/24'
-set nat source rule 50 translation address 'masquerade'
+set nat source rule 100 log
 set nat source rule 100 outbound-interface name 'pppoe0'
-set nat source rule 100 source address '172.16.32.0/21'
+set nat source rule 100 source address '172.16.32.0/19'
 set nat source rule 100 translation address 'masquerade'
 set nat source rule 200 outbound-interface name 'pppoe0'
 set nat source rule 200 source address '172.16.100.0/24'
 set nat source rule 200 translation address 'masquerade'
 set nat source rule 300 outbound-interface name 'pppoe0'
 set nat source rule 300 source address '172.31.0.0/24'
 set nat source rule 300 translation address 'masquerade'
 set nat source rule 400 outbound-interface name 'pppoe0'
 set nat source rule 400 source address '172.18.200.0/21'
 set nat source rule 400 translation address 'masquerade'
-set nat source rule 1000 destination address '192.168.189.0/24'
-set nat source rule 1000 outbound-interface name 'wg666'
-set nat source rule 1000 source address '172.16.32.0/21'
-set nat source rule 1000 translation address '172.29.0.1'
-set nat source rule 1001 destination address '192.168.189.0/24'
-set nat source rule 1001 outbound-interface name 'wg666'
-set nat source rule 1001 source address '172.16.100.0/24'
-set nat source rule 1001 translation address '172.29.0.1'
-set policy route-map MAP-OSPF-CONNECTED rule 1 action 'deny'
-set policy route-map MAP-OSPF-CONNECTED rule 1 match interface 'eth1.20'
-set policy route-map MAP-OSPF-CONNECTED rule 20 action 'permit'
-set policy route-map MAP-OSPF-CONNECTED rule 20 match interface 'eth0.10'
-set policy route-map MAP-OSPF-CONNECTED rule 40 action 'permit'
-set policy route-map MAP-OSPF-CONNECTED rule 40 match interface 'eth0.50'
+set protocols static route 10.0.0.0/8 blackhole distance '254'
+set protocols static route 169.254.0.0/16 blackhole distance '254'
+set protocols static route 172.16.0.0/12 blackhole distance '254'
+set protocols static route 192.168.0.0/16 blackhole distance '254'
+set protocols static route6 2000::/3 interface pppoe0
 set qos policy shaper QoS bandwidth '50mbit'
 set qos policy shaper QoS default bandwidth '100%'
 set qos policy shaper QoS default burst '15k'
 set qos policy shaper QoS default queue-limit '1000'
 set qos policy shaper QoS default queue-type 'fq-codel'
+set service dhcp-server shared-network-name BACKBONE authoritative
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 lease '86400'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option default-router '172.16.37.254'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-search 'vyos.net'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option name-server '172.16.254.30'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option ntp-server '172.16.254.30'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 start '172.16.37.120'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 stop '172.16.37.149'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1.wue3 ip-address '172.16.37.231'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1.wue3 mac '18:e8:29:6c:c3:a5'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 subnet-id '1'
+set service dhcp-server shared-network-name GUEST authoritative
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 lease '86400'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option default-router '172.31.0.254'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-search 'vyos.net'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option name-server '172.31.0.254'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 start '172.31.0.100'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 stop '172.31.0.199'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 static-mapping host01 ip-address '172.31.0.200'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 static-mapping host01 mac '00:50:00:00:00:01'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 static-mapping host02 ip-address '172.31.0.184'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 static-mapping host02 mac '00:50:00:00:00:02'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 subnet-id '2'
+set service dhcp-server shared-network-name IOT authoritative
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 lease '86400'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 option default-router '172.16.35.254'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 option domain-search 'vyos.net'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 option name-server '172.16.254.30'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 option ntp-server '172.16.254.30'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 range 0 start '172.16.35.101'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 range 0 stop '172.16.35.149'
+set service dhcp-server shared-network-name IOT subnet 172.16.35.0/24 subnet-id '3'
+set service dhcp-server shared-network-name LAN authoritative
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 lease '86400'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option default-router '172.16.33.254'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-search 'vyos.net'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option name-server '172.16.254.30'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option ntp-server '172.16.254.30'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 start '172.16.33.100'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 stop '172.16.33.189'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 subnet-id '4'
+set service dns forwarding allow-from '172.16.0.0/12'
+set service dns forwarding cache-size '0'
+set service dns forwarding domain 16.172.in-addr.arpa addnta
+set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.10
+set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.20
+set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.110.30
+set service dns forwarding domain 16.172.in-addr.arpa recursion-desired
+set service dns forwarding domain 18.172.in-addr.arpa addnta
+set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.10
+set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.20
+set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.110.30
+set service dns forwarding domain 18.172.in-addr.arpa recursion-desired
+set service dns forwarding domain vyos.net addnta
+set service dns forwarding domain vyos.net name-server 172.16.100.10
+set service dns forwarding domain vyos.net name-server 172.16.100.20
+set service dns forwarding domain vyos.net name-server 172.16.110.30
+set service dns forwarding domain vyos.net recursion-desired
+set service dns forwarding ignore-hosts-file
+set service dns forwarding listen-address '172.16.254.30'
+set service dns forwarding listen-address '172.31.0.254'
+set service dns forwarding negative-ttl '60'
+set service lldp legacy-protocols cdp
+set service lldp snmp
+set service mdns repeater interface 'eth0.35'
+set service mdns repeater interface 'eth0.10'
+set service ntp allow-client address '172.16.0.0/12'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set service router-advert interface eth0.10 prefix ::/64 preferred-lifetime '2700'
+set service router-advert interface eth0.10 prefix ::/64 valid-lifetime '5400'
+set service router-advert interface eth0.20 prefix ::/64 preferred-lifetime '2700'
+set service router-advert interface eth0.20 prefix ::/64 valid-lifetime '5400'
+set service snmp community fooBar authorization 'ro'
+set service snmp community fooBar network '172.16.100.0/24'
+set service snmp contact 'VyOS maintainers and contributors <maintainers@vyos.io>'
+set service snmp listen-address 172.16.254.30 port '161'
+set service snmp location 'The Internet'
+set service ssh disable-host-validation
+set service ssh port '22'
+set system config-management commit-revisions '200'
+set system conntrack expect-table-size '2048'
+set system conntrack hash-size '32768'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system conntrack table-size '262144'
+set system conntrack timeout
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '172.16.254.30'
+set system option ctrl-alt-delete 'ignore'
+set system option reboot-on-panic
+set system option startup-beep
+set system syslog global facility all level 'debug'
+set system syslog global facility local7 level 'debug'
+set system syslog host 172.16.100.1 facility all level 'warning'
+set system time-zone 'Europe/Berlin'
diff --git a/smoketest/config-tests/dialup-router-medium-vpn b/smoketest/config-tests/dialup-router-medium-vpn
index 8c221707f..67af456f4 100644
--- a/smoketest/config-tests/dialup-router-medium-vpn
+++ b/smoketest/config-tests/dialup-router-medium-vpn
@@ -1,317 +1,322 @@
 set firewall global-options all-ping 'enable'
 set firewall global-options broadcast-ping 'disable'
 set firewall global-options ip-src-route 'disable'
 set firewall global-options ipv6-receive-redirects 'disable'
 set firewall global-options ipv6-src-route 'disable'
 set firewall global-options log-martians 'enable'
 set firewall global-options receive-redirects 'disable'
 set firewall global-options send-redirects 'enable'
 set firewall global-options source-validation 'disable'
 set firewall global-options syn-cookies 'disable'
 set firewall global-options twa-hazards-protection 'enable'
 set firewall ipv4 name test_tcp_flags rule 1 action 'drop'
 set firewall ipv4 name test_tcp_flags rule 1 protocol 'tcp'
 set firewall ipv4 name test_tcp_flags rule 1 tcp flags ack
 set firewall ipv4 name test_tcp_flags rule 1 tcp flags not fin
 set firewall ipv4 name test_tcp_flags rule 1 tcp flags not rst
 set firewall ipv4 name test_tcp_flags rule 1 tcp flags syn
 set high-availability vrrp group LAN address 192.168.0.1/24
 set high-availability vrrp group LAN hello-source-address '192.168.0.250'
 set high-availability vrrp group LAN interface 'eth1'
 set high-availability vrrp group LAN peer-address '192.168.0.251'
 set high-availability vrrp group LAN priority '200'
 set high-availability vrrp group LAN vrid '1'
 set high-availability vrrp sync-group failover-group member 'LAN'
 set interfaces ethernet eth0 duplex 'auto'
 set interfaces ethernet eth0 mtu '9000'
 set interfaces ethernet eth0 offload gro
-set interfaces ethernet eth0 offload gso
-set interfaces ethernet eth0 offload sg
-set interfaces ethernet eth0 offload tso
 set interfaces ethernet eth0 speed 'auto'
 set interfaces ethernet eth1 address '192.168.0.250/24'
 set interfaces ethernet eth1 duplex 'auto'
 set interfaces ethernet eth1 ip source-validation 'strict'
 set interfaces ethernet eth1 mtu '9000'
 set interfaces ethernet eth1 offload gro
-set interfaces ethernet eth1 offload gso
-set interfaces ethernet eth1 offload sg
-set interfaces ethernet eth1 offload tso
 set interfaces ethernet eth1 speed 'auto'
 set interfaces loopback lo
 set interfaces openvpn vtun0 encryption ncp-ciphers 'aes256'
 set interfaces openvpn vtun0 hash 'sha512'
 set interfaces openvpn vtun0 ip adjust-mss '1380'
 set interfaces openvpn vtun0 ip source-validation 'strict'
 set interfaces openvpn vtun0 keep-alive failure-count '3'
 set interfaces openvpn vtun0 keep-alive interval '30'
 set interfaces openvpn vtun0 mode 'client'
 set interfaces openvpn vtun0 openvpn-option 'comp-lzo adaptive'
 set interfaces openvpn vtun0 openvpn-option 'fast-io'
 set interfaces openvpn vtun0 openvpn-option 'persist-key'
 set interfaces openvpn vtun0 openvpn-option 'reneg-sec 86400'
 set interfaces openvpn vtun0 persistent-tunnel
 set interfaces openvpn vtun0 remote-host '192.0.2.10'
 set interfaces openvpn vtun0 tls auth-key 'openvpn_vtun0_auth'
 set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_1'
 set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_2'
 set interfaces openvpn vtun0 tls certificate 'openvpn_vtun0'
 set interfaces openvpn vtun1 authentication password 'vyos1'
 set interfaces openvpn vtun1 authentication username 'vyos1'
 set interfaces openvpn vtun1 encryption ncp-ciphers 'aes256'
 set interfaces openvpn vtun1 hash 'sha1'
 set interfaces openvpn vtun1 ip adjust-mss '1380'
 set interfaces openvpn vtun1 keep-alive failure-count '3'
 set interfaces openvpn vtun1 keep-alive interval '30'
 set interfaces openvpn vtun1 mode 'client'
 set interfaces openvpn vtun1 openvpn-option 'comp-lzo adaptive'
 set interfaces openvpn vtun1 openvpn-option 'tun-mtu 1500'
 set interfaces openvpn vtun1 openvpn-option 'tun-mtu-extra 32'
 set interfaces openvpn vtun1 openvpn-option 'mssfix 1300'
 set interfaces openvpn vtun1 openvpn-option 'persist-key'
 set interfaces openvpn vtun1 openvpn-option 'mute 10'
 set interfaces openvpn vtun1 openvpn-option 'route-nopull'
 set interfaces openvpn vtun1 openvpn-option 'fast-io'
 set interfaces openvpn vtun1 openvpn-option 'reneg-sec 86400'
 set interfaces openvpn vtun1 persistent-tunnel
 set interfaces openvpn vtun1 protocol 'udp'
 set interfaces openvpn vtun1 remote-host '01.foo.com'
 set interfaces openvpn vtun1 remote-port '1194'
 set interfaces openvpn vtun1 tls auth-key 'openvpn_vtun1_auth'
 set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_1'
 set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_2'
 set interfaces openvpn vtun2 authentication password 'vyos2'
 set interfaces openvpn vtun2 authentication username 'vyos2'
 set interfaces openvpn vtun2 disable
 set interfaces openvpn vtun2 encryption ncp-ciphers 'aes256'
 set interfaces openvpn vtun2 hash 'sha512'
 set interfaces openvpn vtun2 ip adjust-mss '1380'
 set interfaces openvpn vtun2 keep-alive failure-count '3'
 set interfaces openvpn vtun2 keep-alive interval '30'
 set interfaces openvpn vtun2 mode 'client'
 set interfaces openvpn vtun2 openvpn-option 'tun-mtu 1500'
 set interfaces openvpn vtun2 openvpn-option 'tun-mtu-extra 32'
 set interfaces openvpn vtun2 openvpn-option 'mssfix 1300'
 set interfaces openvpn vtun2 openvpn-option 'persist-key'
 set interfaces openvpn vtun2 openvpn-option 'mute 10'
 set interfaces openvpn vtun2 openvpn-option 'route-nopull'
 set interfaces openvpn vtun2 openvpn-option 'fast-io'
 set interfaces openvpn vtun2 openvpn-option 'remote-random'
 set interfaces openvpn vtun2 openvpn-option 'reneg-sec 86400'
 set interfaces openvpn vtun2 persistent-tunnel
 set interfaces openvpn vtun2 protocol 'udp'
 set interfaces openvpn vtun2 remote-host '01.myvpn.com'
 set interfaces openvpn vtun2 remote-host '02.myvpn.com'
 set interfaces openvpn vtun2 remote-host '03.myvpn.com'
 set interfaces openvpn vtun2 remote-port '1194'
 set interfaces openvpn vtun2 tls auth-key 'openvpn_vtun2_auth'
 set interfaces openvpn vtun2 tls ca-certificate 'openvpn_vtun2_1'
 set interfaces pppoe pppoe0 authentication password 'password'
 set interfaces pppoe pppoe0 authentication username 'vyos'
 set interfaces pppoe pppoe0 mtu '1500'
 set interfaces pppoe pppoe0 source-interface 'eth0'
 set interfaces wireguard wg0 address '192.168.10.1/24'
 set interfaces wireguard wg0 ip adjust-mss '1380'
 set interfaces wireguard wg0 peer blue allowed-ips '192.168.10.3/32'
 set interfaces wireguard wg0 peer blue persistent-keepalive '20'
 set interfaces wireguard wg0 peer blue preshared-key 'ztFDOY9UyaDvn8N3X97SFMDwIfv7EEfuUIPP2yab6UI='
 set interfaces wireguard wg0 peer blue public-key 'G4pZishpMRrLmd96Kr6V7LIuNGdcUb81gWaYZ+FWkG0='
 set interfaces wireguard wg0 peer green allowed-ips '192.168.10.21/32'
 set interfaces wireguard wg0 peer green persistent-keepalive '25'
 set interfaces wireguard wg0 peer green preshared-key 'LQ9qmlTh9G4nZu4UgElxRUwg7JB/qoV799aADJOijnY='
 set interfaces wireguard wg0 peer green public-key '5iQUD3VoCDBTPXAPHOwUJ0p7xzKGHEY/wQmgvBVmaFI='
 set interfaces wireguard wg0 peer pink allowed-ips '192.168.10.14/32'
 set interfaces wireguard wg0 peer pink allowed-ips '192.168.10.16/32'
 set interfaces wireguard wg0 peer pink persistent-keepalive '25'
 set interfaces wireguard wg0 peer pink preshared-key 'Qi9Odyx0/5itLPN5C5bEy3uMX+tmdl15QbakxpKlWqQ='
 set interfaces wireguard wg0 peer pink public-key 'i4qNPmxyy9EETL4tIoZOLKJF4p7IlVmpAE15gglnAk4='
 set interfaces wireguard wg0 peer red allowed-ips '192.168.10.4/32'
 set interfaces wireguard wg0 peer red persistent-keepalive '20'
 set interfaces wireguard wg0 peer red preshared-key 'CumyXX7osvUT9AwnS+m2TEfCaL0Ptc2LfuZ78Sujuk8='
 set interfaces wireguard wg0 peer red public-key 'ALGWvMJCKpHF2tVH3hEIHqUe9iFfAmZATUUok/WQzks='
 set interfaces wireguard wg0 port '7777'
+set interfaces wireguard wg0 private-key 'aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0='
 set interfaces wireguard wg1 address '10.89.90.2/30'
 set interfaces wireguard wg1 ip adjust-mss '1380'
 set interfaces wireguard wg1 peer sam address '192.0.2.45'
 set interfaces wireguard wg1 peer sam allowed-ips '10.1.1.0/24'
 set interfaces wireguard wg1 peer sam allowed-ips '10.89.90.1/32'
 set interfaces wireguard wg1 peer sam persistent-keepalive '20'
 set interfaces wireguard wg1 peer sam port '1200'
 set interfaces wireguard wg1 peer sam preshared-key 'XpFtzx2Z+nR8pBv9/sSf7I94OkZkVYTz0AeU5Q/QQUE='
 set interfaces wireguard wg1 peer sam public-key 'v5zfKGvH6W/lfDXJ0en96lvKo1gfFxMUWxe02+Fj5BU='
 set interfaces wireguard wg1 port '7778'
+set interfaces wireguard wg1 private-key 'aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0='
 set nat destination rule 50 destination port '49371'
 set nat destination rule 50 inbound-interface name 'pppoe0'
 set nat destination rule 50 protocol 'tcp_udp'
 set nat destination rule 50 translation address '192.168.0.5'
 set nat destination rule 51 destination port '58050-58051'
 set nat destination rule 51 inbound-interface name 'pppoe0'
 set nat destination rule 51 protocol 'tcp'
 set nat destination rule 51 translation address '192.168.0.5'
 set nat destination rule 52 destination port '22067-22070'
 set nat destination rule 52 inbound-interface name 'pppoe0'
 set nat destination rule 52 protocol 'tcp'
 set nat destination rule 52 translation address '192.168.0.5'
 set nat destination rule 53 destination port '34342'
 set nat destination rule 53 inbound-interface name 'pppoe0'
 set nat destination rule 53 protocol 'tcp_udp'
 set nat destination rule 53 translation address '192.168.0.121'
 set nat destination rule 54 destination port '45459'
 set nat destination rule 54 inbound-interface name 'pppoe0'
 set nat destination rule 54 protocol 'tcp_udp'
 set nat destination rule 54 translation address '192.168.0.120'
 set nat destination rule 55 destination port '22'
 set nat destination rule 55 inbound-interface name 'pppoe0'
 set nat destination rule 55 protocol 'tcp'
 set nat destination rule 55 translation address '192.168.0.5'
 set nat destination rule 56 destination port '8920'
 set nat destination rule 56 inbound-interface name 'pppoe0'
 set nat destination rule 56 protocol 'tcp'
 set nat destination rule 56 translation address '192.168.0.5'
 set nat destination rule 60 destination port '80,443'
 set nat destination rule 60 inbound-interface name 'pppoe0'
 set nat destination rule 60 protocol 'tcp'
 set nat destination rule 60 translation address '192.168.0.5'
 set nat destination rule 70 destination port '5001'
 set nat destination rule 70 inbound-interface name 'pppoe0'
 set nat destination rule 70 protocol 'tcp'
 set nat destination rule 70 translation address '192.168.0.5'
 set nat destination rule 80 destination port '25'
 set nat destination rule 80 inbound-interface name 'pppoe0'
 set nat destination rule 80 protocol 'tcp'
 set nat destination rule 80 translation address '192.168.0.5'
 set nat destination rule 90 destination port '8123'
 set nat destination rule 90 inbound-interface name 'pppoe0'
 set nat destination rule 90 protocol 'tcp'
 set nat destination rule 90 translation address '192.168.0.7'
 set nat destination rule 91 destination port '1880'
 set nat destination rule 91 inbound-interface name 'pppoe0'
 set nat destination rule 91 protocol 'tcp'
 set nat destination rule 91 translation address '192.168.0.7'
 set nat destination rule 500 destination address '!192.168.0.0/24'
 set nat destination rule 500 destination port '53'
 set nat destination rule 500 inbound-interface name 'eth1'
 set nat destination rule 500 protocol 'tcp_udp'
 set nat destination rule 500 source address '!192.168.0.1-192.168.0.5'
 set nat destination rule 500 translation address '192.168.0.1'
 set nat source rule 1000 outbound-interface name 'pppoe0'
 set nat source rule 1000 translation address 'masquerade'
 set nat source rule 2000 outbound-interface name 'vtun0'
 set nat source rule 2000 source address '192.168.0.0/16'
 set nat source rule 2000 translation address 'masquerade'
 set nat source rule 3000 outbound-interface name 'vtun1'
 set nat source rule 3000 translation address 'masquerade'
 set policy prefix-list user1-routes rule 1 action 'permit'
 set policy prefix-list user1-routes rule 1 prefix '192.168.0.0/24'
 set policy prefix-list 
user2-routes rule 1 action 'permit' set policy prefix-list user2-routes rule 1 prefix '10.1.1.0/24' set policy route LAN-POLICY-BASED-ROUTING interface 'eth1' set policy route LAN-POLICY-BASED-ROUTING rule 10 destination set policy route LAN-POLICY-BASED-ROUTING rule 10 disable set policy route LAN-POLICY-BASED-ROUTING rule 10 set table '10' set policy route LAN-POLICY-BASED-ROUTING rule 10 source address '192.168.0.119/32' set policy route LAN-POLICY-BASED-ROUTING rule 20 destination set policy route LAN-POLICY-BASED-ROUTING rule 20 set table '100' set policy route LAN-POLICY-BASED-ROUTING rule 20 source address '192.168.0.240' set policy route-map rm-static-to-bgp rule 10 action 'permit' set policy route-map rm-static-to-bgp rule 10 match ip address prefix-list 'user1-routes' set policy route-map rm-static-to-bgp rule 100 action 'deny' set policy route6 LAN6-POLICY-BASED-ROUTING interface 'eth1' set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 destination set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 disable set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 set table '10' set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 source address '2002::1' set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 destination set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 set table '100' set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 source address '2008::f' set protocols bgp address-family ipv4-unicast redistribute connected route-map 'rm-static-to-bgp' set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast nexthop-self set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast prefix-list export 'user1-routes' set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast prefix-list import 'user2-routes' set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast soft-reconfiguration inbound set protocols bgp neighbor 10.89.90.1 password 'ericandre2020' set protocols bgp neighbor 10.89.90.1 remote-as '64589' set protocols bgp 
parameters log-neighbor-changes set protocols bgp parameters router-id '10.89.90.2' set protocols bgp system-as '64590' set protocols static route 100.64.160.23/32 interface pppoe0 set protocols static route 100.64.165.25/32 interface pppoe0 set protocols static route 100.64.165.26/32 interface pppoe0 set protocols static route 100.64.198.0/24 interface vtun0 set protocols static table 10 route 0.0.0.0/0 interface vtun1 set protocols static table 100 route 0.0.0.0/0 next-hop 192.168.10.5 set service conntrack-sync accept-protocol 'tcp' set service conntrack-sync accept-protocol 'udp' set service conntrack-sync accept-protocol 'icmp' set service conntrack-sync disable-external-cache set service conntrack-sync event-listen-queue-size '8' set service conntrack-sync expect-sync 'all' set service conntrack-sync failover-mechanism vrrp sync-group 'failover-group' set service conntrack-sync interface eth1 peer '192.168.0.251' set service conntrack-sync sync-queue-size '8' set service dhcp-server high-availability name 'DHCP02' set service dhcp-server high-availability remote '192.168.0.251' set service dhcp-server high-availability source-address '192.168.0.250' set service dhcp-server high-availability status 'primary' set service dhcp-server shared-network-name LAN authoritative set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-search 'vyos.net' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic start '192.168.0.200' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic stop 
'192.168.0.240' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Audio ip-address '192.168.0.107' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Audio mac '00:50:01:dc:91:14' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping IPTV ip-address '192.168.0.104' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping IPTV mac '00:50:01:31:b5:f6' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping McPrintus ip-address '192.168.0.60' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping McPrintus mac '00:50:01:58:ac:95' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Mobile01 ip-address '192.168.0.109' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Mobile01 mac '00:50:01:bc:ac:51' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera1 ip-address '192.168.0.11' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera1 mac '00:50:01:70:b9:4d' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera2 ip-address '192.168.0.12' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera2 mac '00:50:01:70:b7:4f' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping pearTV ip-address '192.168.0.101' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping pearTV mac '00:50:01:ba:62:79' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping sand ip-address '192.168.0.110' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping sand mac '00:50:01:af:c5:d2' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1' set service dns 
forwarding allow-from '192.168.0.0/16' set service dns forwarding cache-size '8192' set service dns forwarding dnssec 'off' set service dns forwarding listen-address '192.168.0.1' set service dns forwarding name-server 100.64.0.1 set service dns forwarding name-server 100.64.0.2 set service ntp allow-client address '192.168.0.0/16' set service ntp server nz.pool.ntp.org prefer set service snmp community AwesomeCommunity authorization 'ro' set service snmp community AwesomeCommunity client '127.0.0.1' set service snmp community AwesomeCommunity network '192.168.0.0/24' set service ssh access-control allow user 'vyos' set service ssh client-keepalive-interval '60' set service ssh listen-address '192.168.0.1' set service ssh listen-address '192.168.10.1' set service ssh listen-address '192.168.0.250' set system config-management commit-revisions '100' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp set system console device ttyS0 speed '115200' set system host-name 'vyos' set system ip arp table-size '1024' +set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0' +set system login user vyos authentication plaintext-password '' set system name-server '192.168.0.1' set system name-server 'pppoe0' set system option ctrl-alt-delete 'ignore' set system option reboot-on-panic set system option startup-beep set system static-host-mapping host-name host60.vyos.net inet '192.168.0.60' set system static-host-mapping host-name host104.vyos.net inet '192.168.0.104' set system static-host-mapping host-name host107.vyos.net inet '192.168.0.107' set system static-host-mapping host-name host109.vyos.net inet '192.168.0.109' set system sysctl parameter net.core.default_qdisc value 'fq' 
set system sysctl parameter net.ipv4.tcp_congestion_control value 'bbr' set system syslog global facility all level 'info' set system syslog host 192.168.0.252 facility all level 'debug' set system syslog host 192.168.0.252 protocol 'udp' set system task-scheduler task Update-Blacklists executable path '/config/scripts/vyos-foo-update.script' set system task-scheduler task Update-Blacklists interval '3h' set system time-zone 'Pacific/Auckland' diff --git a/smoketest/config-tests/dialup-router-wireguard-ipv6 b/smoketest/config-tests/dialup-router-wireguard-ipv6 index 814a62d55..ff4bf89c2 100644 --- a/smoketest/config-tests/dialup-router-wireguard-ipv6 +++ b/smoketest/config-tests/dialup-router-wireguard-ipv6 
@@ -1,674 +1,697 @@
-set interfaces dummy dum0 address '172.16.254.30/32'
-set interfaces ethernet eth0 vif 10 address '172.16.33.254/24'
-set interfaces ethernet eth0 vif 10 address '172.16.40.254/24'
-set interfaces ethernet eth0 vif 5 address '172.16.37.254/24'
-set interfaces ethernet eth0 vif 50 address '172.16.36.254/24'
-set interfaces ethernet eth0 ring-buffer rx '256'
-set interfaces ethernet eth0 ring-buffer tx '256'
-set interfaces ethernet eth1 offload gro
-set interfaces ethernet eth1 offload gso
-set interfaces ethernet eth1 offload sg
-set interfaces ethernet eth1 offload tso
-set interfaces ethernet eth1 vif 20 address '172.31.0.254/24'
-set interfaces ethernet eth2 disable
-set interfaces ethernet eth2 offload gro
-set interfaces ethernet eth2 offload gso
-set interfaces ethernet eth2 offload sg
-set interfaces ethernet eth2 offload tso
-set interfaces ethernet eth3 offload gro
-set interfaces ethernet eth3 offload gso
-set interfaces ethernet eth3 offload sg
-set interfaces ethernet eth3 offload tso
-set interfaces ethernet eth3 ring-buffer rx '256'
-set interfaces ethernet eth3 ring-buffer tx '256'
-set interfaces ethernet eth3 vif 7
-set interfaces loopback lo address '172.16.254.30/32'
-set interfaces pppoe pppoe0 authentication password 'vyos'
-set interfaces pppoe pppoe0 authentication username 'vyos'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 address '1'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 sla-id '10'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1.20 address '1'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1.20 sla-id '20'
-set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56'
-set interfaces pppoe pppoe0 ip adjust-mss '1452'
-set interfaces pppoe pppoe0 ipv6 address autoconf
-set interfaces pppoe pppoe0 ipv6 adjust-mss '1432'
-set interfaces pppoe pppoe0 no-peer-dns
-set interfaces pppoe pppoe0 source-interface 'eth3.7'
-set interfaces wireguard wg100 address '172.16.252.128/31'
-set interfaces wireguard wg100 mtu '1500'
-set interfaces wireguard wg100 peer HR6 address '100.65.151.213'
-set interfaces wireguard wg100 peer HR6 allowed-ips '0.0.0.0/0'
-set interfaces wireguard wg100 peer HR6 port '10100'
-set interfaces wireguard wg100 port '10100'
-set interfaces wireguard wg200 address '172.16.252.130/31'
-set interfaces wireguard wg200 mtu '1500'
-set interfaces wireguard wg200 peer WH56 address '80.151.69.205'
-set interfaces wireguard wg200 peer WH56 allowed-ips '0.0.0.0/0'
-set interfaces wireguard wg200 peer WH56 port '10200'
-set interfaces wireguard wg200 port '10200'
-set interfaces wireguard wg666 address '172.29.0.1/31'
-set interfaces wireguard wg666 mtu '1500'
-set interfaces wireguard wg666 peer WH34 address '100.65.55.1'
-set interfaces wireguard wg666 peer WH34 allowed-ips '0.0.0.0/0'
-set interfaces wireguard wg666 peer WH34 port '10666'
-set interfaces wireguard wg666 port '10666'
-set protocols ospf area 0 network '172.16.37.0/24'
-set protocols ospf area 0 network '172.16.254.30/32'
-set protocols ospf area 0 network '172.18.202.0/24'
-set protocols ospf area 0 network '172.18.203.0/24'
-set protocols ospf area 0 network '172.18.204.0/24'
-set protocols ospf interface eth0.5 authentication md5 key-id 10 md5-key 'ospf'
-set protocols ospf interface eth0.5 dead-interval '40'
-set protocols ospf interface eth0.5 hello-interval '10'
-set protocols ospf interface eth0.5 passive disable
-set protocols ospf interface eth0.5 priority '1'
-set protocols ospf interface eth0.5 retransmit-interval '5'
-set protocols ospf interface eth0.5 transmit-delay '1'
-set protocols ospf log-adjacency-changes detail
-set protocols ospf parameters router-id '172.16.254.30'
-set protocols ospf default-information originate always
-set protocols ospf default-information originate metric-type '2'
-set protocols ospf redistribute connected metric-type '2'
-set protocols ospf redistribute connected route-map 'MAP-OSPF-CONNECTED'
-set protocols static route 10.0.0.0/8 blackhole distance '254'
-set protocols static route 169.254.0.0/16 blackhole distance '254'
-set protocols static route 172.16.0.0/12 blackhole distance '254'
-set protocols static route 172.16.32.0/21 blackhole
-set protocols static route 172.18.0.0/16 blackhole
-set protocols static route 172.29.0.2/31 next-hop 172.29.0.0
-set protocols static route 192.168.0.0/16 blackhole distance '254'
-set protocols static route 192.168.189.0/24 next-hop 172.29.0.0
-set protocols static route6 2000::/3 interface pppoe0
-set protocols bfd peer 172.16.252.129
-set protocols bfd peer 172.16.252.131
-set protocols bfd peer 172.18.254.201
-set protocols bgp address-family ipv4-unicast network 172.16.32.0/21
-set protocols bgp address-family ipv4-unicast network 172.16.100.0/24
-set protocols bgp address-family ipv4-unicast network 172.16.252.128/31
-set protocols bgp address-family ipv4-unicast network 172.16.252.130/31
-set protocols bgp address-family ipv4-unicast network 172.16.254.30/32
-set protocols bgp address-family ipv4-unicast network 172.18.0.0/16
-set protocols bgp neighbor 172.16.252.129 peer-group 'WIREGUARD'
-set protocols bgp neighbor 172.16.252.131 peer-group 'WIREGUARD'
-set protocols bgp neighbor 172.18.254.201 address-family ipv4-unicast nexthop-self
-set protocols bgp neighbor 172.18.254.201 bfd
-set protocols bgp neighbor 172.18.254.201 remote-as '64503'
-set protocols bgp neighbor 172.18.254.201 update-source 'dum0'
-set protocols bgp parameters log-neighbor-changes
-set protocols bgp peer-group WIREGUARD address-family ipv4-unicast soft-reconfiguration inbound
-set protocols bgp peer-group WIREGUARD bfd
-set protocols bgp peer-group WIREGUARD remote-as 'external'
-set protocols bgp system-as '64503'
-set protocols bgp timers holdtime '30'
-set protocols bgp timers keepalive '10'
-set service lldp legacy-protocols cdp
-set service lldp legacy-protocols edp
-set service lldp legacy-protocols fdp
-set service lldp legacy-protocols sonmp
-set service lldp snmp
-set service ntp allow-client address '172.16.0.0/12'
-set service ntp server time1.vyos.net
-set service ntp server time2.vyos.net
-set service dhcp-server shared-network-name BACKBONE authoritative
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 lease '86400'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option default-router '172.16.37.254'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-name 'vyos.net'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-search 'vyos.net'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option name-server '172.16.254.30'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option ntp-server '172.16.254.30'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 start '172.16.37.120'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 stop '172.16.37.149'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1 ip-address '172.16.37.231'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1 mac '02:00:00:00:ee:18'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP2 ip-address '172.16.37.232'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP2 mac '02:00:00:00:52:84'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP3 ip-address '172.16.37.233'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP3 mac '02:00:00:00:51:c0'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP4 ip-address '172.16.37.234'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP4 mac '02:00:00:00:e6:fc'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP5 ip-address '172.16.37.235'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP5 mac '02:00:00:00:c3:50'
-set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 subnet-id '1'
-set service dhcp-server shared-network-name GUEST authoritative
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 lease '86400'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option default-router '172.31.0.254'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-name 'vyos.net'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-search 'vyos.net'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option name-server '172.31.0.254'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 start '172.31.0.101'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 stop '172.31.0.199'
-set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 subnet-id '2'
-set service dhcp-server shared-network-name LAN authoritative
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 lease '86400'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option default-router '172.16.33.254'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-name 'vyos.net'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-search 'vyos.net'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option name-server '172.16.254.30'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option ntp-server '172.16.254.30'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 start '172.16.33.100'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 stop '172.16.33.189'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping four ip-address '172.16.33.214'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping four mac '02:00:00:00:c4:33'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping one ip-address '172.16.33.221'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping one mac '02:00:00:00:eb:a6'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping three ip-address '172.16.33.212'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping three mac '02:00:00:00:12:c7'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping two ip-address '172.16.33.211'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping two mac '02:00:00:00:58:90'
-set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 subnet-id '3'
-set service dns dynamic name service-vyos-pppoe0 address interface 'pppoe0'
-set service dns dynamic name service-vyos-pppoe0 host-name 'r1.vyos.net'
-set service dns dynamic name service-vyos-pppoe0 password 'vyos'
-set service dns dynamic name service-vyos-pppoe0 protocol 'dyndns2'
-set service dns dynamic name service-vyos-pppoe0 server 'dyndns.vyos.io'
-set service dns dynamic name service-vyos-pppoe0 username 'vyos-vyos'
-set service dns forwarding allow-from '172.16.0.0/12'
-set service dns forwarding domain 16.172.in-addr.arpa addnta
-set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.10
-set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.20
-set service dns forwarding domain 16.172.in-addr.arpa recursion-desired
-set service dns forwarding domain 18.172.in-addr.arpa addnta
-set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.10
-set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.20
-set service dns forwarding domain 18.172.in-addr.arpa recursion-desired
-set service dns forwarding domain vyos.net addnta
-set service dns forwarding domain vyos.net name-server 172.16.100.10
-set service dns forwarding domain vyos.net name-server 172.16.100.20
-set service dns forwarding domain vyos.net recursion-desired
-set service dns forwarding ignore-hosts-file
-set service dns forwarding listen-address '172.16.254.30'
-set service dns forwarding listen-address '172.31.0.254'
-set service dns forwarding negative-ttl '60'
-set service router-advert interface eth0.10 prefix ::/64 preferred-lifetime '2700'
-set service router-advert interface eth0.10 prefix ::/64 valid-lifetime '5400'
-set service router-advert interface eth1.20 prefix ::/64 preferred-lifetime '2700'
-set service router-advert interface eth1.20 prefix ::/64 valid-lifetime '5400'
-set service snmp community ro-community authorization 'ro'
-set service snmp community ro-community network '172.16.100.0/24'
-set service snmp contact 'VyOS'
-set service snmp listen-address 172.16.254.30 port '161'
-set service snmp location 'CLOUD'
-set system conntrack expect-table-size '2048'
-set system conntrack hash-size '32768'
-set system conntrack table-size '262144'
-set system domain-name 'vyos.net'
-set system host-name 'r1'
-set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
-set system login user vyos authentication plaintext-password ''
-set system option ctrl-alt-delete 'ignore'
-set system option performance 'latency'
-set system option startup-beep
-set system syslog global facility all level 'debug'
-set system syslog host 172.16.100.1 facility all level 'warning'
-set system console device ttyS0 speed '115200'
 set firewall global-options all-ping 'enable'
 set firewall global-options broadcast-ping 'disable'
 set firewall global-options ip-src-route 'disable'
 set firewall global-options ipv6-receive-redirects 'disable'
 set firewall global-options ipv6-src-route 'disable'
 set firewall global-options log-martians 'enable'
 set firewall global-options receive-redirects 'disable'
 set firewall global-options send-redirects 'enable'
 set firewall global-options source-validation 'disable'
 set firewall global-options syn-cookies 'enable'
 set firewall global-options timeout icmp '30'
 set firewall global-options timeout other '600'
 set firewall global-options timeout udp other '300'
 set firewall global-options timeout udp stream '300'
 set firewall global-options twa-hazards-protection 'disable'
 set firewall group address-group DMZ-RDP-SERVER address '172.16.33.40'
 set firewall group address-group DMZ-RDP-SERVER description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall group address-group DMZ-WEBSERVER address '172.16.36.10'
 set firewall group address-group DMZ-WEBSERVER address '172.16.36.40'
 set firewall group address-group DMZ-WEBSERVER address '172.16.36.20'
 set firewall group address-group DMZ-WEBSERVER description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall group address-group DOMAIN-CONTROLLER address '172.16.100.10'
 set firewall group address-group DOMAIN-CONTROLLER address '172.16.100.20'
 set firewall group address-group DOMAIN-CONTROLLER address '172.16.110.30'
 set firewall group address-group VIDEO address '172.16.33.211'
 set firewall group address-group VIDEO address '172.16.33.212'
 set firewall group address-group VIDEO address '172.16.33.213'
 set firewall group address-group VIDEO address '172.16.33.214'
 set firewall group ipv6-network-group LOCAL-ADDRESSES network 'ff02::/64'
 set firewall group ipv6-network-group LOCAL-ADDRESSES network 'fe80::/10'
 set firewall group network-group SSH-IN-ALLOW network '100.65.150.0/23'
 set firewall group network-group SSH-IN-ALLOW network '100.64.69.205/32'
 set firewall group network-group SSH-IN-ALLOW network '100.64.8.67/32'
 set firewall group network-group SSH-IN-ALLOW network '100.64.55.1/32'
 set firewall ipv4 name DMZ-GUEST default-action 'drop'
 set firewall ipv4 name DMZ-GUEST default-log
 set firewall ipv4 name DMZ-GUEST rule 1 action 'return'
 set firewall ipv4 name DMZ-GUEST rule 1 state 'established'
 set firewall ipv4 name DMZ-GUEST rule 1 state 'related'
 set firewall ipv4 name DMZ-GUEST rule 2 action 'drop'
 set firewall ipv4 name DMZ-GUEST rule 2 log
 set firewall ipv4 name DMZ-GUEST rule 2 state 'invalid'
 set firewall ipv4 name DMZ-LAN default-action 'drop'
 set firewall ipv4 name DMZ-LAN default-log
 set firewall ipv4 name DMZ-LAN description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name DMZ-LAN rule 1 action 'return'
 set firewall ipv4 name DMZ-LAN rule 1 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name DMZ-LAN rule 1 state 'established'
 set firewall ipv4 name DMZ-LAN rule 1 state 'related'
 set firewall ipv4 name DMZ-LAN rule 2 action 'drop'
 set firewall ipv4 name DMZ-LAN rule 2 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name DMZ-LAN rule 2 log
 set firewall ipv4 name DMZ-LAN rule 2 state 'invalid'
 set firewall ipv4 name DMZ-LAN rule 100 action 'return'
 set firewall ipv4 name DMZ-LAN rule 100 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name DMZ-LAN rule 100 destination group address-group 'DOMAIN-CONTROLLER'
 set firewall ipv4 name DMZ-LAN rule 100 destination port '123,389,636'
 set firewall ipv4 name DMZ-LAN rule 100 protocol 'tcp_udp'
 set firewall ipv4 name DMZ-LAN rule 300 action 'return'
 set firewall ipv4 name DMZ-LAN rule 300 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name DMZ-LAN rule 300 destination group address-group 'DMZ-RDP-SERVER'
 set firewall ipv4 name DMZ-LAN rule 300 destination port '3389'
 set firewall ipv4 name DMZ-LAN rule 300 protocol 'tcp_udp'
 set firewall ipv4 name DMZ-LAN rule 300 source address '172.16.36.20'
 set firewall ipv4 name DMZ-LOCAL default-action 'drop'
 set firewall ipv4 name DMZ-LOCAL default-log
 set firewall ipv4 name DMZ-LOCAL description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name DMZ-LOCAL rule 1 action 'return'
 set firewall ipv4 name DMZ-LOCAL rule 1 state 'established'
 set firewall ipv4 name DMZ-LOCAL rule 1 state 'related'
 set firewall ipv4 name DMZ-LOCAL rule 2 action 'drop'
 set firewall ipv4 name DMZ-LOCAL rule 2 log
 set firewall ipv4 name DMZ-LOCAL rule 2 state 'invalid'
 set firewall ipv4 name DMZ-LOCAL rule 50 action 'return'
 set firewall ipv4 name DMZ-LOCAL rule 50 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name DMZ-LOCAL rule 50 destination address '172.16.254.30'
 set firewall ipv4 name DMZ-LOCAL rule 50 destination port '53'
 set firewall ipv4 name DMZ-LOCAL rule 50 protocol 'tcp_udp'
 set firewall ipv4 name DMZ-LOCAL rule 123 action 'return'
 set firewall ipv4 name DMZ-LOCAL rule 123 destination port '123'
 set firewall ipv4 name DMZ-LOCAL rule 123 protocol 'udp'
 set firewall ipv4 name DMZ-WAN default-action 'return'
 set firewall ipv4 name DMZ-WAN description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'
 set firewall ipv4 name GUEST-DMZ default-action 'drop'
 set firewall ipv4 name GUEST-DMZ default-log
 set firewall ipv4 name GUEST-DMZ rule 1 action 'return'
 set firewall ipv4 name GUEST-DMZ rule 1 state 'established'
 set firewall ipv4 name GUEST-DMZ rule 1 state 'related'
 set firewall ipv4 name GUEST-DMZ rule 2 action 'drop'
 set firewall ipv4 name GUEST-DMZ rule 2 log
 set firewall ipv4 name GUEST-DMZ rule 2 state 'invalid'
 set firewall ipv4 name GUEST-LAN default-action 'drop'
 set firewall ipv4 name GUEST-LAN default-log
 set firewall ipv4 name GUEST-LAN rule 1 action 'return'
 set firewall ipv4 name GUEST-LAN rule 1 state 'established'
 set firewall ipv4 name GUEST-LAN rule 1 state 'related'
 set firewall ipv4 name GUEST-LAN rule 2 action 'drop'
 set firewall ipv4 name GUEST-LAN rule 2 log
 set firewall ipv4 name GUEST-LAN rule 2 state 'invalid'
 set firewall ipv4 name GUEST-LOCAL default-action 'drop'
 set firewall ipv4 name GUEST-LOCAL default-log
 set firewall ipv4 name GUEST-LOCAL rule 1 action 'return'
 set firewall ipv4 name GUEST-LOCAL rule 1 state 'established'
 set firewall ipv4 name GUEST-LOCAL rule 1 state 'related'
 set firewall ipv4 name GUEST-LOCAL rule 2 action 'drop'
 set firewall ipv4 name GUEST-LOCAL rule 2 log
 set firewall ipv4 name GUEST-LOCAL rule 2 state 'invalid'
 set firewall ipv4 name GUEST-LOCAL rule 10 action 'return'
 set firewall ipv4 name GUEST-LOCAL rule 10 destination address '172.31.0.254'
 set firewall ipv4 name GUEST-LOCAL rule 10 destination port '53'
 set firewall ipv4 name GUEST-LOCAL rule 10 protocol 'tcp_udp'
 set firewall ipv4 name GUEST-LOCAL rule 11 action 'return'
 set firewall ipv4 name GUEST-LOCAL rule 11 destination port '67'
 set firewall ipv4 name GUEST-LOCAL rule 11 protocol 'udp'
 set firewall ipv4 name GUEST-LOCAL rule 15 action 'return'
 set firewall ipv4 name GUEST-LOCAL rule 15 destination address '172.31.0.254'
 set firewall ipv4 name GUEST-LOCAL rule 15 protocol 'icmp'
 set firewall ipv4 name GUEST-LOCAL rule 100 action 'return'
 set firewall ipv4 name GUEST-LOCAL rule 100 destination address '172.31.0.254'
 set firewall ipv4 name GUEST-LOCAL rule 100 destination port '80,443'
 set firewall ipv4 name GUEST-LOCAL rule 100 protocol 'tcp'
 set firewall ipv4 name GUEST-WAN default-action 'drop'
 set firewall ipv4 name GUEST-WAN default-log
 set firewall ipv4 name GUEST-WAN rule 1 action 'return'
 set firewall ipv4 name GUEST-WAN rule 1 state 'established'
 set firewall ipv4 name GUEST-WAN rule 1 state 'related'
 set firewall ipv4 name GUEST-WAN rule 2 action 'drop'
 set firewall ipv4 name GUEST-WAN rule 2 log
 set firewall ipv4 name GUEST-WAN rule 2 state 'invalid'
 set firewall ipv4 name GUEST-WAN rule 25 action 'return'
 set firewall ipv4 name GUEST-WAN rule 25 destination port '25,587'
 set firewall ipv4 name GUEST-WAN rule 25 protocol 'tcp'
 set firewall ipv4 name GUEST-WAN rule 53 action 'return'
 set firewall ipv4 name GUEST-WAN rule 53 destination port '53'
 set firewall ipv4 name GUEST-WAN rule 53 protocol 'tcp_udp'
 set firewall ipv4 name GUEST-WAN rule 60 action 'return'
 set firewall ipv4 name GUEST-WAN rule 60 source address '172.31.0.200'
 set firewall ipv4 name GUEST-WAN rule 80 action 'return'
 set firewall ipv4 name GUEST-WAN rule
80 source address '172.31.0.200' set firewall ipv4 name GUEST-WAN rule 100 action 'return' set firewall ipv4 name GUEST-WAN rule 100 protocol 'icmp' set firewall ipv4 name GUEST-WAN rule 110 action 'return' set firewall ipv4 name GUEST-WAN rule 110 destination port '110,995' set firewall ipv4 name GUEST-WAN rule 110 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 123 action 'return' set firewall ipv4 name GUEST-WAN rule 123 destination port '123' set firewall ipv4 name GUEST-WAN rule 123 protocol 'udp' set firewall ipv4 name GUEST-WAN rule 143 action 'return' set firewall ipv4 name GUEST-WAN rule 143 destination port '143,993' set firewall ipv4 name GUEST-WAN rule 143 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 200 action 'return' set firewall ipv4 name GUEST-WAN rule 200 destination port '80,443' set firewall ipv4 name GUEST-WAN rule 200 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 500 action 'return' set firewall ipv4 name GUEST-WAN rule 500 destination port '500,4500' set firewall ipv4 name GUEST-WAN rule 500 protocol 'udp' set firewall ipv4 name GUEST-WAN rule 600 action 'return' set firewall ipv4 name GUEST-WAN rule 600 destination port '5222-5224' set firewall ipv4 name GUEST-WAN rule 600 protocol 'tcp' set firewall ipv4 name GUEST-WAN rule 601 action 'return' set firewall ipv4 name GUEST-WAN rule 601 destination port '3478-3497,4500,16384-16387,16393-16402' set firewall ipv4 name GUEST-WAN rule 601 protocol 'udp' set firewall ipv4 name GUEST-WAN rule 1000 action 'return' set firewall ipv4 name GUEST-WAN rule 1000 source address '172.31.0.184' set firewall ipv4 name LAN-DMZ default-action 'drop' set firewall ipv4 name LAN-DMZ default-log set firewall ipv4 name LAN-DMZ rule 1 action 'return' set firewall ipv4 name LAN-DMZ rule 1 state 'established' set firewall ipv4 name LAN-DMZ rule 1 state 'related' set firewall ipv4 name LAN-DMZ rule 2 action 'drop' set firewall ipv4 name LAN-DMZ rule 2 log set firewall ipv4 name LAN-DMZ rule 2 state 
'invalid' set firewall ipv4 name LAN-DMZ rule 22 action 'return' set firewall ipv4 name LAN-DMZ rule 22 destination port '22' set firewall ipv4 name LAN-DMZ rule 22 protocol 'tcp' set firewall ipv4 name LAN-DMZ rule 100 action 'return' set firewall ipv4 name LAN-DMZ rule 100 destination group address-group 'DMZ-WEBSERVER' set firewall ipv4 name LAN-DMZ rule 100 destination port '22' set firewall ipv4 name LAN-DMZ rule 100 protocol 'tcp' set firewall ipv4 name LAN-GUEST default-action 'drop' set firewall ipv4 name LAN-GUEST default-log set firewall ipv4 name LAN-GUEST rule 1 action 'return' set firewall ipv4 name LAN-GUEST rule 1 state 'established' set firewall ipv4 name LAN-GUEST rule 1 state 'related' set firewall ipv4 name LAN-GUEST rule 2 action 'drop' set firewall ipv4 name LAN-GUEST rule 2 log set firewall ipv4 name LAN-GUEST rule 2 state 'invalid' set firewall ipv4 name LAN-LOCAL default-action 'return' set firewall ipv4 name LAN-WAN default-action 'return' set firewall ipv4 name LAN-WAN rule 90 action 'return' set firewall ipv4 name LAN-WAN rule 90 destination address '100.65.150.0/23' set firewall ipv4 name LAN-WAN rule 90 destination port '25' set firewall ipv4 name LAN-WAN rule 90 protocol 'tcp_udp' set firewall ipv4 name LAN-WAN rule 90 source group address-group 'VIDEO' set firewall ipv4 name LAN-WAN rule 100 action 'drop' set firewall ipv4 name LAN-WAN rule 100 source group address-group 'VIDEO' set firewall ipv4 name LOCAL-DMZ default-action 'drop' set firewall ipv4 name LOCAL-DMZ default-log set firewall ipv4 name LOCAL-DMZ rule 1 action 'return' set firewall ipv4 name LOCAL-DMZ rule 1 state 'established' set firewall ipv4 name LOCAL-DMZ rule 1 state 'related' set firewall ipv4 name LOCAL-DMZ rule 2 action 'drop' set firewall ipv4 name LOCAL-DMZ rule 2 log set firewall ipv4 name LOCAL-DMZ rule 2 state 'invalid' set firewall ipv4 name LOCAL-DMZ rule 100 action 'return' set firewall ipv4 name LOCAL-DMZ rule 100 destination address '172.16.36.40' set 
firewall ipv4 name LOCAL-DMZ rule 100 destination port '80,443' set firewall ipv4 name LOCAL-DMZ rule 100 protocol 'tcp' set firewall ipv4 name LOCAL-GUEST default-action 'drop' set firewall ipv4 name LOCAL-GUEST default-log set firewall ipv4 name LOCAL-GUEST rule 1 action 'return' set firewall ipv4 name LOCAL-GUEST rule 1 state 'established' set firewall ipv4 name LOCAL-GUEST rule 1 state 'related' set firewall ipv4 name LOCAL-GUEST rule 2 action 'drop' set firewall ipv4 name LOCAL-GUEST rule 2 log set firewall ipv4 name LOCAL-GUEST rule 2 state 'invalid' set firewall ipv4 name LOCAL-GUEST rule 5 action 'return' set firewall ipv4 name LOCAL-GUEST rule 5 protocol 'icmp' set firewall ipv4 name LOCAL-GUEST rule 300 action 'return' set firewall ipv4 name LOCAL-GUEST rule 300 destination port '1900' set firewall ipv4 name LOCAL-GUEST rule 300 protocol 'udp' set firewall ipv4 name LOCAL-LAN default-action 'return' set firewall ipv4 name LOCAL-WAN default-action 'drop' set firewall ipv4 name LOCAL-WAN default-log set firewall ipv4 name LOCAL-WAN rule 1 action 'return' set firewall ipv4 name LOCAL-WAN rule 1 state 'established' set firewall ipv4 name LOCAL-WAN rule 1 state 'related' set firewall ipv4 name LOCAL-WAN rule 2 action 'drop' set firewall ipv4 name LOCAL-WAN rule 2 log set firewall ipv4 name LOCAL-WAN rule 2 state 'invalid' set firewall ipv4 name LOCAL-WAN rule 10 action 'return' set firewall ipv4 name LOCAL-WAN rule 10 protocol 'icmp' set firewall ipv4 name LOCAL-WAN rule 50 action 'return' set firewall ipv4 name LOCAL-WAN rule 50 destination port '53' set firewall ipv4 name LOCAL-WAN rule 50 protocol 'tcp_udp' set firewall ipv4 name LOCAL-WAN rule 80 action 'return' set firewall ipv4 name LOCAL-WAN rule 80 destination port '80,443' set firewall ipv4 name LOCAL-WAN rule 80 protocol 'tcp' set firewall ipv4 name LOCAL-WAN rule 123 action 'return' set firewall ipv4 name LOCAL-WAN rule 123 destination port '123' set firewall ipv4 name LOCAL-WAN rule 123 protocol 
'udp' set firewall ipv4 name LOCAL-WAN rule 800 action 'return' set firewall ipv4 name LOCAL-WAN rule 800 destination address '100.65.151.213' set firewall ipv4 name LOCAL-WAN rule 800 protocol 'udp' set firewall ipv4 name LOCAL-WAN rule 805 action 'return' set firewall ipv4 name LOCAL-WAN rule 805 destination address '100.65.151.2' set firewall ipv4 name LOCAL-WAN rule 805 protocol 'all' set firewall ipv4 name LOCAL-WAN rule 1010 action 'return' set firewall ipv4 name LOCAL-WAN rule 1010 destination address '100.64.69.205' set firewall ipv4 name LOCAL-WAN rule 1010 destination port '7705' set firewall ipv4 name LOCAL-WAN rule 1010 protocol 'udp' set firewall ipv4 name LOCAL-WAN rule 1010 source port '7705' set firewall ipv4 name LOCAL-WAN rule 1990 action 'return' set firewall ipv4 name LOCAL-WAN rule 1990 destination address '100.64.55.1' set firewall ipv4 name LOCAL-WAN rule 1990 destination port '10666' set firewall ipv4 name LOCAL-WAN rule 1990 protocol 'udp' set firewall ipv4 name LOCAL-WAN rule 2000 action 'return' set firewall ipv4 name LOCAL-WAN rule 2000 destination address '100.64.39.249' set firewall ipv4 name LOCAL-WAN rule 10200 action 'return' set firewall ipv4 name LOCAL-WAN rule 10200 destination address '100.64.89.98' set firewall ipv4 name LOCAL-WAN rule 10200 destination port '10200' set firewall ipv4 name LOCAL-WAN rule 10200 protocol 'udp' set firewall ipv4 name LOCAL-WAN rule 10200 source port '10200' set firewall ipv4 name WAN-DMZ default-action 'drop' set firewall ipv4 name WAN-DMZ default-log set firewall ipv4 name WAN-DMZ rule 1 action 'return' set firewall ipv4 name WAN-DMZ rule 1 state 'established' set firewall ipv4 name WAN-DMZ rule 1 state 'related' set firewall ipv4 name WAN-DMZ rule 2 action 'drop' set firewall ipv4 name WAN-DMZ rule 2 log set firewall ipv4 name WAN-DMZ rule 2 state 'invalid' set firewall ipv4 name WAN-DMZ rule 100 action 'return' set firewall ipv4 name WAN-DMZ rule 100 destination address '172.16.36.10' set 
firewall ipv4 name WAN-DMZ rule 100 destination port '80,443' set firewall ipv4 name WAN-DMZ rule 100 protocol 'tcp' set firewall ipv4 name WAN-GUEST default-action 'drop' set firewall ipv4 name WAN-GUEST default-log set firewall ipv4 name WAN-GUEST rule 1 action 'return' set firewall ipv4 name WAN-GUEST rule 1 state 'established' set firewall ipv4 name WAN-GUEST rule 1 state 'related' set firewall ipv4 name WAN-GUEST rule 2 action 'drop' set firewall ipv4 name WAN-GUEST rule 2 log set firewall ipv4 name WAN-GUEST rule 2 state 'invalid' set firewall ipv4 name WAN-GUEST rule 1000 action 'return' set firewall ipv4 name WAN-GUEST rule 1000 destination address '172.31.0.184' set firewall ipv4 name WAN-GUEST rule 8000 action 'return' set firewall ipv4 name WAN-GUEST rule 8000 destination address '172.31.0.200' set firewall ipv4 name WAN-GUEST rule 8000 destination port '10000' set firewall ipv4 name WAN-GUEST rule 8000 protocol 'udp' set firewall ipv4 name WAN-LAN default-action 'drop' set firewall ipv4 name WAN-LAN default-log set firewall ipv4 name WAN-LAN description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name WAN-LAN rule 1 action 'return' set firewall ipv4 name WAN-LAN rule 1 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. 
Stet clita kasd gubergren, no sea takimata' set firewall ipv4 name WAN-LAN rule 1 state 'established' set firewall ipv4 name WAN-LAN rule 1 state 'related' set firewall ipv4 name WAN-LAN rule 2 action 'drop' set firewall ipv4 name WAN-LAN rule 2 log set firewall ipv4 name WAN-LAN rule 2 state 'invalid' set firewall ipv4 name WAN-LAN rule 1000 action 'return' set firewall ipv4 name WAN-LAN rule 1000 destination address '172.16.33.40' set firewall ipv4 name WAN-LAN rule 1000 destination port '3389' set firewall ipv4 name WAN-LAN rule 1000 protocol 'tcp' set firewall ipv4 name WAN-LAN rule 1000 source group network-group 'SSH-IN-ALLOW' set firewall ipv4 name WAN-LOCAL default-action 'drop' set firewall ipv4 name WAN-LOCAL rule 1 action 'return' set firewall ipv4 name WAN-LOCAL rule 1 state 'established' set firewall ipv4 name WAN-LOCAL rule 1 state 'related' set firewall ipv4 name WAN-LOCAL rule 2 action 'drop' set firewall ipv4 name WAN-LOCAL rule 2 log set firewall ipv4 name WAN-LOCAL rule 2 state 'invalid' set firewall ipv4 name WAN-LOCAL rule 22 action 'return' set firewall ipv4 name WAN-LOCAL rule 22 destination port '22' set firewall ipv4 name WAN-LOCAL rule 22 protocol 'tcp' set firewall ipv4 name WAN-LOCAL rule 22 source group network-group 'SSH-IN-ALLOW' set firewall ipv4 name WAN-LOCAL rule 1990 action 'return' set firewall ipv4 name WAN-LOCAL rule 1990 destination port '10666' set firewall ipv4 name WAN-LOCAL rule 1990 protocol 'udp' set firewall ipv4 name WAN-LOCAL rule 1990 source address '100.64.55.1' set firewall ipv4 name WAN-LOCAL rule 10000 action 'return' set firewall ipv4 name WAN-LOCAL rule 10000 destination port '80,443' set firewall ipv4 name WAN-LOCAL rule 10000 protocol 'tcp' set firewall ipv4 name WAN-LOCAL rule 10100 action 'return' set firewall ipv4 name WAN-LOCAL rule 10100 destination port '10100' set firewall ipv4 name WAN-LOCAL rule 10100 protocol 'udp' set firewall ipv4 name WAN-LOCAL rule 10100 source port '10100' set firewall ipv4 
name WAN-LOCAL rule 10200 action 'return' set firewall ipv4 name WAN-LOCAL rule 10200 destination port '10200' set firewall ipv4 name WAN-LOCAL rule 10200 protocol 'udp' set firewall ipv4 name WAN-LOCAL rule 10200 source address '100.64.89.98' set firewall ipv4 name WAN-LOCAL rule 10200 source port '10200' set firewall ipv6 name ALLOW-ALL-6 default-action 'return' set firewall ipv6 name ALLOW-ALL-6 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv6 name ALLOW-BASIC-6 default-action 'drop' set firewall ipv6 name ALLOW-BASIC-6 default-log set firewall ipv6 name ALLOW-BASIC-6 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv6 name ALLOW-BASIC-6 rule 1 action 'return' set firewall ipv6 name ALLOW-BASIC-6 rule 1 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' set firewall ipv6 name ALLOW-BASIC-6 rule 1 state 'established' set firewall ipv6 name ALLOW-BASIC-6 rule 1 state 'related' set firewall ipv6 name ALLOW-BASIC-6 rule 2 action 'drop' set firewall ipv6 name ALLOW-BASIC-6 rule 2 description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. 
Stet clita kasd gubergren, no sea takimata' set firewall ipv6 name ALLOW-BASIC-6 rule 2 state 'invalid' set firewall ipv6 name ALLOW-BASIC-6 rule 10 action 'return' set firewall ipv6 name ALLOW-BASIC-6 rule 10 protocol 'ipv6-icmp' set firewall ipv6 name ALLOW-ESTABLISHED-6 default-action 'drop' set firewall ipv6 name ALLOW-ESTABLISHED-6 default-log set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 1 action 'return' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 1 state 'established' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 1 state 'related' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 2 action 'drop' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 2 state 'invalid' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 action 'return' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 destination group network-group 'LOCAL-ADDRESSES' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 protocol 'ipv6-icmp' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 10 source address 'fe80::/10' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 20 action 'return' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 20 icmpv6 type-name 'echo-request' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 20 protocol 'ipv6-icmp' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 21 action 'return' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 21 icmpv6 type-name 'destination-unreachable' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 21 protocol 'ipv6-icmp' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 22 action 'return' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 22 icmpv6 type-name 'packet-too-big' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 22 protocol 'ipv6-icmp' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 23 action 'return' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 23 icmpv6 type-name 'time-exceeded' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 23 protocol 'ipv6-icmp' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 24 action 'return' set firewall ipv6 name 
ALLOW-ESTABLISHED-6 rule 24 icmpv6 type-name 'parameter-problem' set firewall ipv6 name ALLOW-ESTABLISHED-6 rule 24 protocol 'ipv6-icmp' set firewall ipv6 name WAN-LOCAL-6 default-action 'drop' set firewall ipv6 name WAN-LOCAL-6 default-log set firewall ipv6 name WAN-LOCAL-6 rule 1 action 'return' set firewall ipv6 name WAN-LOCAL-6 rule 1 state 'established' set firewall ipv6 name WAN-LOCAL-6 rule 1 state 'related' set firewall ipv6 name WAN-LOCAL-6 rule 2 action 'drop' set firewall ipv6 name WAN-LOCAL-6 rule 2 state 'invalid' set firewall ipv6 name WAN-LOCAL-6 rule 10 action 'return' set firewall ipv6 name WAN-LOCAL-6 rule 10 destination address 'ff02::/64' set firewall ipv6 name WAN-LOCAL-6 rule 10 protocol 'ipv6-icmp' set firewall ipv6 name WAN-LOCAL-6 rule 10 source address 'fe80::/10' set firewall ipv6 name WAN-LOCAL-6 rule 50 action 'return' set firewall ipv6 name WAN-LOCAL-6 rule 50 destination address 'fe80::/10' set firewall ipv6 name WAN-LOCAL-6 rule 50 destination port '546' set firewall ipv6 name WAN-LOCAL-6 rule 50 protocol 'udp' set firewall ipv6 name WAN-LOCAL-6 rule 50 source address 'fe80::/10' set firewall ipv6 name WAN-LOCAL-6 rule 50 source port '547' set firewall zone DMZ default-action 'drop' set firewall zone DMZ from GUEST firewall name 'GUEST-DMZ' set firewall zone DMZ from LAN firewall name 'LAN-DMZ' set firewall zone DMZ from LOCAL firewall name 'LOCAL-DMZ' set firewall zone DMZ from WAN firewall name 'WAN-DMZ' set firewall zone DMZ interface 'eth0.50' set firewall zone GUEST default-action 'drop' set firewall zone GUEST from DMZ firewall name 'DMZ-GUEST' set firewall zone GUEST from LAN firewall name 'LAN-GUEST' set firewall zone GUEST from LOCAL firewall ipv6-name 'ALLOW-ALL-6' set firewall zone GUEST from LOCAL firewall name 'LOCAL-GUEST' set firewall zone GUEST from WAN firewall ipv6-name 'ALLOW-ESTABLISHED-6' set firewall zone GUEST from WAN firewall name 'WAN-GUEST' set firewall zone GUEST interface 'eth1.20' set firewall zone LAN 
default-action 'drop' set firewall zone LAN from DMZ firewall name 'DMZ-LAN' set firewall zone LAN from GUEST firewall name 'GUEST-LAN' set firewall zone LAN from LOCAL firewall ipv6-name 'ALLOW-ALL-6' set firewall zone LAN from LOCAL firewall name 'LOCAL-LAN' set firewall zone LAN from WAN firewall ipv6-name 'ALLOW-ESTABLISHED-6' set firewall zone LAN from WAN firewall name 'WAN-LAN' set firewall zone LAN interface 'eth0.5' set firewall zone LAN interface 'eth0.10' set firewall zone LAN interface 'wg100' set firewall zone LAN interface 'wg200' set firewall zone LOCAL default-action 'drop' set firewall zone LOCAL from DMZ firewall name 'DMZ-LOCAL' set firewall zone LOCAL from GUEST firewall ipv6-name 'ALLOW-ESTABLISHED-6' set firewall zone LOCAL from GUEST firewall name 'GUEST-LOCAL' set firewall zone LOCAL from LAN firewall ipv6-name 'ALLOW-ALL-6' set firewall zone LOCAL from LAN firewall name 'LAN-LOCAL' set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-LOCAL-6' set firewall zone LOCAL from WAN firewall name 'WAN-LOCAL' set firewall zone LOCAL local-zone set firewall zone WAN default-action 'drop' set firewall zone WAN from DMZ firewall name 'DMZ-WAN' set firewall zone WAN from GUEST firewall ipv6-name 'ALLOW-ALL-6' set firewall zone WAN from GUEST firewall name 'GUEST-WAN' set firewall zone WAN from LAN firewall ipv6-name 'ALLOW-ALL-6' set firewall zone WAN from LAN firewall name 'LAN-WAN' set firewall zone WAN from LOCAL firewall ipv6-name 'ALLOW-ALL-6' set firewall zone WAN from LOCAL firewall name 'LOCAL-WAN' set firewall zone WAN interface 'pppoe0' set firewall zone WAN interface 'wg666' +set interfaces dummy dum0 address '172.16.254.30/32' +set interfaces ethernet eth0 duplex 'auto' +set interfaces ethernet eth0 offload gro +set interfaces ethernet eth0 ring-buffer rx '256' +set interfaces ethernet eth0 ring-buffer tx '256' +set interfaces ethernet eth0 speed 'auto' +set interfaces ethernet eth0 vif 5 address '172.16.37.254/24' +set interfaces 
ethernet eth0 vif 10 address '172.16.33.254/24' +set interfaces ethernet eth0 vif 10 address '172.16.40.254/24' +set interfaces ethernet eth0 vif 50 address '172.16.36.254/24' +set interfaces ethernet eth1 duplex 'auto' +set interfaces ethernet eth1 offload gro +set interfaces ethernet eth1 speed 'auto' +set interfaces ethernet eth1 vif 20 address '172.31.0.254/24' +set interfaces ethernet eth2 disable +set interfaces ethernet eth2 duplex 'auto' +set interfaces ethernet eth2 offload gro +set interfaces ethernet eth2 speed 'auto' +set interfaces ethernet eth3 duplex 'auto' +set interfaces ethernet eth3 offload gro +set interfaces ethernet eth3 ring-buffer rx '256' +set interfaces ethernet eth3 ring-buffer tx '256' +set interfaces ethernet eth3 speed 'auto' +set interfaces ethernet eth3 vif 7 +set interfaces loopback lo address '172.16.254.30/32' +set interfaces pppoe pppoe0 authentication password 'vyos' +set interfaces pppoe pppoe0 authentication username 'vyos' +set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 address '1' +set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0.10 sla-id '10' +set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1.20 address '1' +set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1.20 sla-id '20' +set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56' +set interfaces pppoe pppoe0 ip adjust-mss '1452' +set interfaces pppoe pppoe0 ipv6 address autoconf +set interfaces pppoe pppoe0 ipv6 adjust-mss '1432' +set interfaces pppoe pppoe0 no-peer-dns +set interfaces pppoe pppoe0 source-interface 'eth3.7' +set interfaces wireguard wg100 address '172.16.252.128/31' +set interfaces wireguard wg100 mtu '1500' +set interfaces wireguard wg100 peer HR6 address '100.65.151.213' +set interfaces wireguard wg100 peer HR6 allowed-ips '0.0.0.0/0' +set interfaces wireguard wg100 peer HR6 port '10100' +set interfaces wireguard wg100 peer HR6 public-key 'yLpi+UZuI019bmWH2h5fX3gStbpPPPLgEoYMyrdkOnQ=' +set 
interfaces wireguard wg100 port '10100' +set interfaces wireguard wg100 private-key 'aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0=' +set interfaces wireguard wg200 address '172.16.252.130/31' +set interfaces wireguard wg200 mtu '1500' +set interfaces wireguard wg200 peer WH56 address '80.151.69.205' +set interfaces wireguard wg200 peer WH56 allowed-ips '0.0.0.0/0' +set interfaces wireguard wg200 peer WH56 port '10200' +set interfaces wireguard wg200 peer WH56 public-key 'XQbkj6vnKKBJfJQyThXysU0iGxCvEOEb31kpaZgkrD8=' +set interfaces wireguard wg200 port '10200' +set interfaces wireguard wg200 private-key 'aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0=' +set interfaces wireguard wg666 address '172.29.0.1/31' +set interfaces wireguard wg666 mtu '1500' +set interfaces wireguard wg666 peer WH34 address '100.65.55.1' +set interfaces wireguard wg666 peer WH34 allowed-ips '0.0.0.0/0' +set interfaces wireguard wg666 peer WH34 port '10666' +set interfaces wireguard wg666 peer WH34 public-key 'yaTN4+xAafKM04D+Baeg5GWfbdaw35TE9HQivwRgAk0=' +set interfaces wireguard wg666 port '10666' +set interfaces wireguard wg666 private-key 'aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0=' set nat destination rule 8000 destination port '10000' set nat destination rule 8000 inbound-interface name 'pppoe0' set nat destination rule 8000 protocol 'udp' set nat destination rule 8000 translation address '172.31.0.200' set nat source rule 50 outbound-interface name 'pppoe0' set nat source rule 50 source address '100.64.0.0/24' set nat source rule 50 translation address 'masquerade' set nat source rule 100 outbound-interface name 'pppoe0' set nat source rule 100 source address '172.16.32.0/21' set nat source rule 100 translation address 'masquerade' set nat source rule 200 outbound-interface name 'pppoe0' set nat source rule 200 source address '172.16.100.0/24' set nat source rule 200 translation address 'masquerade' set nat source rule 300 outbound-interface name 'pppoe0' set nat source rule 300 source 
address '172.31.0.0/24' set nat source rule 300 translation address 'masquerade' set nat source rule 400 outbound-interface name 'pppoe0' set nat source rule 400 source address '172.18.200.0/21' set nat source rule 400 translation address 'masquerade' set nat source rule 1000 destination address '192.168.189.0/24' set nat source rule 1000 outbound-interface name 'wg666' set nat source rule 1000 source address '172.16.32.0/21' set nat source rule 1000 translation address '172.29.0.1' set nat source rule 1001 destination address '192.168.189.0/24' set nat source rule 1001 outbound-interface name 'wg666' set nat source rule 1001 source address '172.16.100.0/24' set nat source rule 1001 translation address '172.29.0.1' set policy route-map MAP-OSPF-CONNECTED rule 1 action 'deny' set policy route-map MAP-OSPF-CONNECTED rule 1 match interface 'eth1.20' set policy route-map MAP-OSPF-CONNECTED rule 20 action 'permit' set policy route-map MAP-OSPF-CONNECTED rule 20 match interface 'eth0.10' set policy route-map MAP-OSPF-CONNECTED rule 40 action 'permit' set policy route-map MAP-OSPF-CONNECTED rule 40 match interface 'eth0.50' +set protocols bfd peer 172.16.252.129 +set protocols bfd peer 172.16.252.131 +set protocols bfd peer 172.18.254.201 +set protocols bgp address-family ipv4-unicast network 172.16.32.0/21 +set protocols bgp address-family ipv4-unicast network 172.16.100.0/24 +set protocols bgp address-family ipv4-unicast network 172.16.252.128/31 +set protocols bgp address-family ipv4-unicast network 172.16.252.130/31 +set protocols bgp address-family ipv4-unicast network 172.16.254.30/32 +set protocols bgp address-family ipv4-unicast network 172.18.0.0/16 +set protocols bgp neighbor 172.16.252.129 peer-group 'WIREGUARD' +set protocols bgp neighbor 172.16.252.131 peer-group 'WIREGUARD' +set protocols bgp neighbor 172.18.254.201 address-family ipv4-unicast nexthop-self +set protocols bgp neighbor 172.18.254.201 bfd +set protocols bgp neighbor 172.18.254.201 remote-as 
'64503'
+set protocols bgp neighbor 172.18.254.201 update-source 'dum0'
+set protocols bgp parameters log-neighbor-changes
+set protocols bgp peer-group WIREGUARD address-family ipv4-unicast soft-reconfiguration inbound
+set protocols bgp peer-group WIREGUARD bfd
+set protocols bgp peer-group WIREGUARD remote-as 'external'
+set protocols bgp system-as '64503'
+set protocols bgp timers holdtime '30'
+set protocols bgp timers keepalive '10'
+set protocols ospf area 0 network '172.16.254.30/32'
+set protocols ospf area 0 network '172.16.37.0/24'
+set protocols ospf area 0 network '172.18.201.0/24'
+set protocols ospf area 0 network '172.18.202.0/24'
+set protocols ospf area 0 network '172.18.203.0/24'
+set protocols ospf area 0 network '172.18.204.0/24'
+set protocols ospf default-information originate always
+set protocols ospf default-information originate metric-type '2'
+set protocols ospf interface eth0.5 authentication md5 key-id 10 md5-key 'ospf'
+set protocols ospf interface eth0.5 dead-interval '40'
+set protocols ospf interface eth0.5 hello-interval '10'
+set protocols ospf interface eth0.5 passive disable
+set protocols ospf interface eth0.5 priority '1'
+set protocols ospf interface eth0.5 retransmit-interval '5'
+set protocols ospf interface eth0.5 transmit-delay '1'
+set protocols ospf log-adjacency-changes detail
+set protocols ospf parameters abr-type 'cisco'
+set protocols ospf parameters router-id '172.16.254.30'
+set protocols ospf passive-interface 'default'
+set protocols ospf redistribute connected metric-type '2'
+set protocols ospf redistribute connected route-map 'MAP-OSPF-CONNECTED'
+set protocols static route 10.0.0.0/8 blackhole distance '254'
+set protocols static route 169.254.0.0/16 blackhole distance '254'
+set protocols static route 172.16.0.0/12 blackhole distance '254'
+set protocols static route 172.16.32.0/21 blackhole
+set protocols static route 172.18.0.0/16 blackhole
+set protocols static route 172.29.0.2/31 next-hop 172.29.0.0
+set protocols static route 192.168.0.0/16 blackhole distance '254'
+set protocols static route 192.168.189.0/24 next-hop 172.29.0.0
+set protocols static route6 2000::/3 interface pppoe0
 set qos policy shaper QoS bandwidth '50mbit'
 set qos policy shaper QoS default bandwidth '100%'
 set qos policy shaper QoS default burst '15k'
 set qos policy shaper QoS default queue-limit '1000'
 set qos policy shaper QoS default queue-type 'fq-codel'
+set service dhcp-server shared-network-name BACKBONE authoritative
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 lease '86400'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option default-router '172.16.37.254'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option domain-search 'vyos.net'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option name-server '172.16.254.30'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 option ntp-server '172.16.254.30'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 start '172.16.37.120'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 range 0 stop '172.16.37.149'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1 ip-address '172.16.37.231'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP1 mac '02:00:00:00:ee:18'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP2 ip-address '172.16.37.232'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP2 mac '02:00:00:00:52:84'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP3 ip-address '172.16.37.233'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP3 mac '02:00:00:00:51:c0'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP4 ip-address '172.16.37.234'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP4 mac '02:00:00:00:e6:fc'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP5 ip-address '172.16.37.235'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 static-mapping AP5 mac '02:00:00:00:c3:50'
+set service dhcp-server shared-network-name BACKBONE subnet 172.16.37.0/24 subnet-id '1'
+set service dhcp-server shared-network-name GUEST authoritative
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 lease '86400'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option default-router '172.31.0.254'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option domain-search 'vyos.net'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 option name-server '172.31.0.254'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 start '172.31.0.101'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 range 0 stop '172.31.0.199'
+set service dhcp-server shared-network-name GUEST subnet 172.31.0.0/24 subnet-id '2'
+set service dhcp-server shared-network-name LAN authoritative
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 lease '86400'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option default-router '172.16.33.254'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option domain-search 'vyos.net'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option name-server '172.16.254.30'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 option ntp-server '172.16.254.30'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 start '172.16.33.100'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 range 0 stop '172.16.33.189'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping four ip-address '172.16.33.214'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping four mac '02:00:00:00:c4:33'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping one ip-address '172.16.33.221'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping one mac '02:00:00:00:eb:a6'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping three ip-address '172.16.33.212'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping three mac '02:00:00:00:12:c7'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping two ip-address '172.16.33.211'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 static-mapping two mac '02:00:00:00:58:90'
+set service dhcp-server shared-network-name LAN subnet 172.16.33.0/24 subnet-id '3'
+set service dns dynamic name service-vyos-pppoe0 address interface 'pppoe0'
+set service dns dynamic name service-vyos-pppoe0 host-name 'r1.vyos.net'
+set service dns dynamic name service-vyos-pppoe0 password 'vyos'
+set service dns dynamic name service-vyos-pppoe0 protocol 'dyndns2'
+set service dns dynamic name service-vyos-pppoe0 server 'dyndns.vyos.io'
+set service dns dynamic name service-vyos-pppoe0 username 'vyos-vyos'
+set service dns forwarding allow-from '172.16.0.0/12'
+set service dns forwarding domain 16.172.in-addr.arpa addnta
+set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.10
+set service dns forwarding domain 16.172.in-addr.arpa name-server 172.16.100.20
+set service dns forwarding domain 16.172.in-addr.arpa recursion-desired
+set service dns forwarding domain 18.172.in-addr.arpa addnta
+set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.10
+set service dns forwarding domain 18.172.in-addr.arpa name-server 172.16.100.20
+set service dns forwarding domain 18.172.in-addr.arpa recursion-desired
+set service dns forwarding domain vyos.net addnta
+set service dns forwarding domain vyos.net name-server 172.16.100.10
+set service dns forwarding domain vyos.net name-server 172.16.100.20
+set service dns forwarding domain vyos.net recursion-desired
+set service dns forwarding ignore-hosts-file
+set service dns forwarding listen-address '172.16.254.30'
+set service dns forwarding listen-address '172.31.0.254'
+set service dns forwarding negative-ttl '60'
+set service lldp legacy-protocols cdp
+set service lldp legacy-protocols edp
+set service lldp legacy-protocols fdp
+set service lldp legacy-protocols sonmp
+set service lldp snmp
+set service ntp allow-client address '172.16.0.0/12'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service router-advert interface eth0.10 prefix ::/64 preferred-lifetime '2700'
+set service router-advert interface eth0.10 prefix ::/64 valid-lifetime '5400'
+set service router-advert interface eth1.20 prefix ::/64 preferred-lifetime '2700'
+set service router-advert interface eth1.20 prefix ::/64 valid-lifetime '5400'
+set service snmp community ro-community authorization 'ro'
+set service snmp community ro-community network '172.16.100.0/24'
+set service snmp contact 'VyOS'
+set service snmp listen-address 172.16.254.30 port '161'
+set service snmp location 'CLOUD'
+set service ssh disable-host-validation
+set service ssh port '22'
+set system config-management commit-revisions '200'
+set system conntrack expect-table-size '2048'
+set system conntrack hash-size '32768'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system conntrack table-size '262144'
+set system conntrack timeout
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'r1'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '172.16.254.30'
+set system option ctrl-alt-delete 'ignore'
+set system option performance 'latency'
+set system option reboot-on-panic
+set system option startup-beep
+set system syslog global facility all level 'debug'
+set system syslog global facility local7 level 'debug'
+set system syslog host 172.16.100.1 facility all level 'warning'
+set system time-zone 'Europe/Berlin'
diff --git a/smoketest/config-tests/egp-igp-route-maps b/smoketest/config-tests/egp-igp-route-maps
new file mode 100644
index 000000000..fc46d25ff
--- /dev/null
+++ b/smoketest/config-tests/egp-igp-route-maps
@@ -0,0 +1,46 @@
+set interfaces ethernet eth0 address '192.0.2.1/25'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth1 address '192.0.2.129/25'
+set interfaces ethernet eth1 address '2001:db8::1234/64'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth1 speed 'auto'
+set interfaces loopback lo
+set policy route-map zebra-bgp rule 10 action 'permit'
+set policy route-map zebra-isis rule 10 action 'permit'
+set policy route-map zebra-ospf rule 10 action 'permit'
+set policy route-map zebra-ospfv3 rule 10 action 'permit'
+set policy route-map zebra-ripng rule 10 action 'permit'
+set policy route-map zebra-static rule 10 action 'permit'
+set protocols bgp system-as '100'
+set protocols isis interface eth0
+set protocols isis net '49.0001.1921.6800.1002.00'
+set protocols ospf area 0 network '192.0.2.0/25'
+set protocols ospf area 0 network '192.0.2.128/25'
+set protocols ospf interface eth0 passive disable
+set protocols ospf interface eth1 passive disable
+set protocols ospf log-adjacency-changes
+set protocols ospf parameters abr-type 'cisco'
+set protocols ospf parameters router-id '1.1.1.1'
+set protocols ospf passive-interface 'default'
+set protocols ospfv3 area 0
+set protocols ospfv3 interface eth1 area '0'
+set protocols ospfv3 parameters router-id '1.1.1.1'
+set protocols ripng interface eth1
+set protocols static
+set system config-management commit-revisions '100'
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system ip protocol bgp route-map 'zebra-bgp'
+set system ip protocol isis route-map 'zebra-isis'
+set system ip protocol ospf route-map 'zebra-ospf'
+set system ip protocol static route-map 'zebra-static'
+set system ipv6 protocol ospfv3 route-map 'zebra-ospfv3'
+set system ipv6 protocol ripng route-map 'zebra-ripng'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system logs logrotate messages max-size '1'
+set system logs logrotate messages rotate '5'
+set system name-server '192.168.0.1'
+set system syslog global facility all level 'info'
+set system time-zone 'Europe/Berlin'
diff --git a/smoketest/config-tests/igmp-pim-small b/smoketest/config-tests/igmp-pim-small
index 207c17d45..909c3d67b 100644
--- a/smoketest/config-tests/igmp-pim-small
+++ b/smoketest/config-tests/igmp-pim-small
@@ -1,17 +1,37 @@
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
 set interfaces ethernet eth1 address '100.64.0.1/24'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth1 speed 'auto'
 set interfaces ethernet eth2 address '172.16.0.2/24'
+set interfaces ethernet eth2 duplex 'auto'
+set interfaces ethernet eth2 offload gro
+set interfaces ethernet eth2 speed 'auto'
 set protocols pim interface eth1 igmp join 224.1.0.0 source-address '1.1.1.1'
 set protocols pim interface eth1 igmp join 224.1.0.0 source-address '1.1.1.2'
 set protocols pim interface eth1 igmp query-interval '1000'
 set protocols pim interface eth1 igmp query-max-response-time '30'
 set protocols pim interface eth1 igmp version '2'
 set protocols pim interface eth2
 set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
 set service ntp server 0.pool.ntp.org
 set service ntp server 1.pool.ntp.org
 set service ntp server 2.pool.ntp.org
+set system config-management commit-revisions '200'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
 set system domain-name 'vyos.io'
 set system host-name 'vyos'
 set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
 set system login user vyos authentication plaintext-password ''
-set system console device ttyS0 speed '115200'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set system time-zone 'Europe/Berlin'
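Review bot: The new `set service ntp allow-client address '0.0.0.0/0'` and `set service ntp allow-client address '::/0'` lines make this fixture's NTP service answer queries from any source, which is wider than a smoketest needs and would be an amplification exposure if the fixture were ever copied as a template for a real box. The nat-basic hunk on this page exercises the same node with a scoped value, `set service ntp allow-client address '192.168.189.0/24'`, so a narrow allow-list is already known to load; copying that pattern here keeps the test and drops the open-responder shape. The same pair is added unchanged in the ipoe-server, ipv6-disable, ospf-small and pppoe-server hunks.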
diff --git a/smoketest/config-tests/ipoe-server b/smoketest/config-tests/ipoe-server
index fb32fdb14..f4a12f502 100644
--- a/smoketest/config-tests/ipoe-server
+++ b/smoketest/config-tests/ipoe-server
@@ -1,35 +1,48 @@
 set interfaces ethernet eth0 address 'dhcp'
 set interfaces ethernet eth1 address '192.168.0.1/24'
+set interfaces ethernet eth2 offload gro
 set interfaces loopback lo
-set service ntp server time1.vyos.net
-set service ntp server time2.vyos.net
-set service ntp server time3.vyos.net
+set nat source rule 100 outbound-interface name 'eth0'
+set nat source rule 100 source address '192.168.0.0/24'
+set nat source rule 100 translation address 'masquerade'
 set service ipoe-server authentication interface eth1 mac 08:00:27:2f:d8:06 rate-limit download '1000'
 set service ipoe-server authentication interface eth1 mac 08:00:27:2f:d8:06 rate-limit upload '500'
 set service ipoe-server authentication interface eth1 mac 08:00:27:2f:d8:06 vlan '100'
 set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06
 set service ipoe-server authentication mode 'local'
 set service ipoe-server client-ip-pool POOL1 range '192.0.2.0/24'
 set service ipoe-server client-ipv6-pool ipv6-pool delegate 2001:db8:1::/48 delegation-prefix '56'
 set service ipoe-server client-ipv6-pool ipv6-pool prefix 2001:db8::/48 mask '64'
 set service ipoe-server default-ipv6-pool 'ipv6-pool'
 set service ipoe-server default-pool 'POOL1'
 set service ipoe-server gateway-address '192.0.2.1/24'
 set service ipoe-server interface eth1 mode 'l3'
 set service ipoe-server interface eth1 network 'vlan'
 set service ipoe-server interface eth1 vlan '100'
 set service ipoe-server interface eth1 vlan '200'
 set service ipoe-server interface eth1 vlan '1000-2000'
 set service ipoe-server interface eth1 vlan '2500-2700'
 set service ipoe-server name-server '10.10.1.1'
 set service ipoe-server name-server '10.10.1.2'
 set service ipoe-server name-server '2001:db8:aaa::'
 set service ipoe-server name-server '2001:db8:bbb::'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ntp server time3.vyos.net
+set service ssh
 set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
 set system host-name 'vyos'
 set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
 set system login user vyos authentication plaintext-password ''
-set system console device ttyS0 speed '115200'
-set nat source rule 100 outbound-interface name 'eth0'
-set nat source rule 100 source address '192.168.0.0/24'
-set nat source rule 100 translation address 'masquerade'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/ipv6-disable b/smoketest/config-tests/ipv6-disable
new file mode 100644
index 000000000..40e34fa0c
--- /dev/null
+++ b/smoketest/config-tests/ipv6-disable
@@ -0,0 +1,31 @@
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth0 vif 201 address '172.18.201.10/24'
+set interfaces ethernet eth0 vif 202 address '172.18.202.10/24'
+set interfaces ethernet eth0 vif 203 address '172.18.203.10/24'
+set interfaces ethernet eth0 vif 204 address '172.18.204.10/24'
+set protocols static route 0.0.0.0/0 next-hop 172.18.201.254 distance '10'
+set protocols static route 0.0.0.0/0 next-hop 172.18.202.254 distance '20'
+set protocols static route 0.0.0.0/0 next-hop 172.18.203.254 distance '30'
+set protocols static route 0.0.0.0/0 next-hop 172.18.204.254 distance '40'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server 172.16.254.20
+set service ntp server 172.16.254.30
+set system config-management commit-revisions '200'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '172.16.254.20'
+set system name-server '172.16.254.30'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/isis-small b/smoketest/config-tests/isis-small
new file mode 100644
index 000000000..b322f4e29
--- /dev/null
+++ b/smoketest/config-tests/isis-small
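Review bot: The new fixture is named ipv6-disable, but none of its 31 lines sets a `system ipv6` node, so whatever the name refers to is not exercised by loading it. If the intent is the `set system ipv6 disable` node, that line appears to be missing from the hunk; if the name means something else (for example that the fixture simply carries no IPv6 addresses), a sentence in the commit message saying so would spare the next reader the same check. The hunk header's +31 count matches the lines shown, so this is not a collapsed-layout artefact.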
@@ -0,0 +1,44 @@
+set interfaces dummy dum0 address '203.0.113.1/24'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 offload sg
+set interfaces ethernet eth0 offload tso
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth1 address '192.0.2.1/24'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth1 offload sg
+set interfaces ethernet eth1 offload tso
+set interfaces ethernet eth1 speed 'auto'
+set interfaces ethernet eth2 duplex 'auto'
+set interfaces ethernet eth2 offload sg
+set interfaces ethernet eth2 offload tso
+set interfaces ethernet eth2 speed 'auto'
+set interfaces ethernet eth3 duplex 'auto'
+set interfaces ethernet eth3 offload sg
+set interfaces ethernet eth3 offload tso
+set interfaces ethernet eth3 speed 'auto'
+set policy prefix-list EXPORT-ISIS rule 10 action 'permit'
+set policy prefix-list EXPORT-ISIS rule 10 prefix '203.0.113.0/24'
+set policy route-map EXPORT-ISIS rule 10 action 'permit'
+set policy route-map EXPORT-ISIS rule 10 match ip address prefix-list 'EXPORT-ISIS'
+set protocols isis interface eth1 bfd
+set protocols isis net '49.0001.1921.6800.1002.00'
+set protocols isis redistribute ipv4 connected level-2 route-map 'EXPORT-ISIS'
+set system config-management commit-revisions '200'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.io'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ntp server time3.vyos.net
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set system time-zone 'Europe/Berlin'
diff --git a/smoketest/config-tests/nat-basic b/smoketest/config-tests/nat-basic
index 9fea08b02..471add3b3 100644
--- a/smoketest/config-tests/nat-basic
+++ b/smoketest/config-tests/nat-basic
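Review bot: The three `set service ntp server ...` lines sit between `set system login ...` and `set system syslog ...` instead of in the `service` block, unlike every other fixture on this page, which keeps commands sorted by path. If the smoketest compares the loaded configuration's command listing against the fixture line by line, this would fail isis-small for an ordering reason rather than a functional one; moving the three lines above `set system config-management commit-revisions '200'` removes the question either way. The pppoe-server hunk has the same kind of slip, writing `speed 'auto'` before `duplex 'auto'` for eth1 and eth2 where the other fixtures write duplex first.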
@@ -1,85 +1,88 @@
-set interfaces ethernet eth0 offload rps
+set interfaces bonding bond10 hash-policy 'layer3+4'
+set interfaces bonding bond10 member interface 'eth2'
+set interfaces bonding bond10 member interface 'eth3'
+set interfaces bonding bond10 mode '802.3ad'
+set interfaces bonding bond10 vif 50 address '192.168.189.1/24'
 set interfaces ethernet eth0 disable
+set interfaces ethernet eth0 offload gro
+set interfaces ethernet eth0 offload rps
 set interfaces ethernet eth1 offload gro
-set interfaces ethernet eth1 offload gso
 set interfaces ethernet eth1 offload rps
-set interfaces ethernet eth1 offload sg
-set interfaces ethernet eth1 offload tso
 set interfaces ethernet eth2 offload gro
-set interfaces ethernet eth2 offload gso
 set interfaces ethernet eth2 offload rps
-set interfaces ethernet eth2 offload sg
-set interfaces ethernet eth2 offload tso
 set interfaces ethernet eth3 offload gro
-set interfaces ethernet eth3 offload gso
 set interfaces ethernet eth3 offload rps
-set interfaces ethernet eth3 offload sg
-set interfaces ethernet eth3 offload tso
-set interfaces bonding bond10 hash-policy 'layer3+4'
-set interfaces bonding bond10 member interface 'eth2'
-set interfaces bonding bond10 member interface 'eth3'
-set interfaces bonding bond10 mode '802.3ad'
-set interfaces bonding bond10 vif 50 address '192.168.189.1/24'
 set interfaces loopback lo
 set interfaces pppoe pppoe7 authentication password 'vyos'
 set interfaces pppoe pppoe7 authentication username 'vyos'
 set interfaces pppoe pppoe7 dhcpv6-options pd 0 interface bond10.50 address '1'
 set interfaces pppoe pppoe7 dhcpv6-options pd 0 length '56'
 set interfaces pppoe pppoe7 ip adjust-mss '1452'
 set interfaces pppoe pppoe7 ipv6 address autoconf
 set interfaces pppoe pppoe7 ipv6 adjust-mss '1432'
 set interfaces pppoe pppoe7 mtu '1492'
 set interfaces pppoe pppoe7 no-peer-dns
 set interfaces pppoe pppoe7 source-interface 'eth1'
-set service lldp interface eth1 disable
-set service ntp allow-client address '192.168.189.0/24'
-set service ntp server time1.vyos.net
-set service ntp server time2.vyos.net
-set service ntp listen-address '192.168.189.1'
-set service ssh dynamic-protection
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 lease '604800'
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option default-router '192.168.189.1'
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option domain-name 'vyos.net'
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option name-server '1.1.1.1'
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option name-server '9.9.9.9'
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 range 0 start '192.168.189.20'
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 range 0 stop '192.168.189.254'
-set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 subnet-id '1'
-set service router-advert interface bond10.50 prefix ::/64 preferred-lifetime '2700'
-set service router-advert interface bond10.50 prefix ::/64 valid-lifetime '5400'
-set system config-management commit-revisions '100'
-set system domain-name 'vyos.net'
-set system host-name 'R1'
-set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
-set system login user vyos authentication plaintext-password ''
-set system name-server '1.1.1.1'
-set system name-server '9.9.9.9'
-set system console device ttyS0 speed '115200'
 set nat destination rule 1000 destination port '3389'
 set nat destination rule 1000 inbound-interface name 'pppoe7'
 set nat destination rule 1000 protocol 'tcp'
 set nat destination rule 1000 translation address '192.168.189.5'
 set nat destination rule 1000 translation port '3389'
 set nat destination rule 10022 destination port '10022'
 set nat destination rule 10022 inbound-interface name 'pppoe7'
 set nat destination rule 10022 protocol 'tcp'
 set nat destination rule 10022 translation address '192.168.189.2'
 set nat destination rule 10022 translation port '22'
 set nat destination rule 10300 destination port '10300'
 set nat destination rule 10300 inbound-interface name 'pppoe7'
 set nat destination rule 10300 protocol 'udp'
 set nat destination rule 10300 translation address '192.168.189.2'
 set nat destination rule 10300 translation port '10300'
 set nat source rule 10 outbound-interface name 'eth1'
 set nat source rule 10 source address '192.168.189.0/24'
 set nat source rule 10 translation address 'masquerade'
 set nat source rule 10 translation options port-mapping 'random'
 set nat source rule 50 outbound-interface name 'pppoe7'
 set nat source rule 50 protocol 'udp'
 set nat source rule 50 source address '192.168.189.2'
 set nat source rule 50 source port '10300'
 set nat source rule 50 translation address 'masquerade'
 set nat source rule 50 translation port '10300'
 set nat source rule 100 outbound-interface name 'pppoe7'
 set nat source rule 100 source address '192.168.189.0/24'
 set nat source rule 100 translation address 'masquerade'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 lease '604800'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option default-router '192.168.189.1'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option domain-name 'vyos.net'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option name-server '1.1.1.1'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 option name-server '9.9.9.9'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 range 0 start '192.168.189.20'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 range 0 stop '192.168.189.254'
+set service dhcp-server shared-network-name LAN subnet 192.168.189.0/24 subnet-id '1'
+set service lldp interface all
+set service lldp interface eth1 disable
+set service ntp allow-client address '192.168.189.0/24'
+set service ntp listen-address '192.168.189.1'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service router-advert interface bond10.50 prefix ::/64 preferred-lifetime '2700'
+set service router-advert interface bond10.50 prefix ::/64 valid-lifetime '5400'
+set service ssh disable-host-validation
+set service ssh dynamic-protection
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'R1'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '1.1.1.1'
+set system name-server '9.9.9.9'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/ospf-simple b/smoketest/config-tests/ospf-simple
index 13d5e7038..355709448 100644
--- a/smoketest/config-tests/ospf-simple
+++ b/smoketest/config-tests/ospf-simple
@@ -1,20 +1,24 @@
 set interfaces ethernet eth0 vif 20 address '193.201.42.173/28'
 set interfaces ethernet eth0 vif 666 address '10.66.66.1/24'
+set interfaces ethernet eth1
+set interfaces ethernet eth2
 set interfaces loopback lo
-set protocols ospf area 0 network '10.66.66.0/24'
-set protocols ospf area 0 network '193.201.42.160/28'
 set protocols ospf area 0 area-type normal
+set protocols ospf area 0 network '193.201.42.160/28'
+set protocols ospf area 0 network '10.66.66.0/24'
 set protocols ospf interface eth0.20 cost '999'
 set protocols ospf interface eth0.20 dead-interval '4'
 set protocols ospf interface eth0.20 hello-interval '1'
 set protocols ospf interface eth0.20 priority '255'
 set protocols ospf interface eth0.20 retransmit-interval '5'
 set protocols ospf interface eth0.20 transmit-delay '1'
 set protocols ospf interface eth0.666 passive
 set protocols ospf log-adjacency-changes detail
 set protocols static route 0.0.0.0/0 next-hop 193.201.42.170 distance '130'
 set system config-management commit-revisions '100'
+set system console device ttyS0 speed '115200'
 set system host-name 'lab-vyos-r1'
 set system login user vyos authentication encrypted-password '$6$R.OnGzfXSfl6J$Iba/hl9bmjBs0VPtZ2zdW.Snh/nHuvxUwi0R6ruypgW63iKEbicJH.uUst8xZCyByURblxRtjAC1lAnYfIt.b0'
 set system login user vyos authentication plaintext-password ''
-set system console device ttyS0 speed '115200'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/ospf-small b/smoketest/config-tests/ospf-small
new file mode 100644
index 000000000..a7f8b682c
--- /dev/null
+++ b/smoketest/config-tests/ospf-small
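Review bot: The swap that puts `set protocols ospf area 0 network '193.201.42.160/28'` ahead of `set protocols ospf area 0 network '10.66.66.0/24'` is the only change in this hunk that is not a plain addition, and nothing on the page says why this fixture now departs from the ascending order the other fixtures use. If `network` is loaded as an order-preserving multi-value node and the test compares the loaded listing in order, the swap is load-bearing and deserves a sentence in the commit message; if it is not, restoring the ascending order keeps ospf-simple consistent with ospf-small in the same commit.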
@@ -0,0 +1,82 @@
+set interfaces dummy dum0 address '172.18.254.200/32'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
+set interfaces ethernet eth0 vif 201 address '172.18.201.9/24'
+set interfaces ethernet eth0 vif 202 address '172.18.202.9/24'
+set interfaces ethernet eth0 vif 203 address '172.18.203.9/24'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth1 speed 'auto'
+set protocols ospf area 0 network '172.18.201.0/24'
+set protocols ospf area 0 network '172.18.202.0/24'
+set protocols ospf area 0 network '172.18.203.0/24'
+set protocols ospf area 0 network '172.18.254.200/32'
+set protocols ospf interface eth0.201 authentication md5 key-id 10 md5-key 'OSPFVyOSNET'
+set protocols ospf interface eth0.201 dead-interval '40'
+set protocols ospf interface eth0.201 hello-interval '10'
+set protocols ospf interface eth0.201 passive disable
+set protocols ospf interface eth0.201 priority '1'
+set protocols ospf interface eth0.201 retransmit-interval '5'
+set protocols ospf interface eth0.201 transmit-delay '1'
+set protocols ospf interface eth0.202 authentication md5 key-id 10 md5-key 'OSPFVyOSNET'
+set protocols ospf interface eth0.202 dead-interval '40'
+set protocols ospf interface eth0.202 hello-interval '10'
+set protocols ospf interface eth0.202 passive disable
+set protocols ospf interface eth0.202 priority '1'
+set protocols ospf interface eth0.202 retransmit-interval '5'
+set protocols ospf interface eth0.202 transmit-delay '1'
+set protocols ospf interface eth0.203 authentication md5 key-id 10 md5-key 'OSPFVyOSNET'
+set protocols ospf interface eth0.203 dead-interval '40'
+set protocols ospf interface eth0.203 hello-interval '10'
+set protocols ospf interface eth0.203 passive disable
+set protocols ospf interface eth0.203 priority '1'
+set protocols ospf interface eth0.203 retransmit-interval '5'
+set protocols ospf interface eth0.203 transmit-delay '1'
+set protocols ospf log-adjacency-changes
+set protocols ospf parameters abr-type 'cisco'
+set protocols ospf parameters router-id '172.18.254.200'
+set protocols ospf passive-interface 'default'
+set protocols ospfv3 area 0.0.0.0
+set protocols ospfv3 interface eth0.201 area '0.0.0.0'
+set protocols ospfv3 interface eth0.201 bfd
+set protocols ospfv3 interface eth0.201 cost '40'
+set protocols ospfv3 interface eth0.202 area '0.0.0.0'
+set protocols ospfv3 interface eth0.202 bfd
+set protocols ospfv3 interface eth0.202 cost '40'
+set protocols ospfv3 interface eth0.203 area '0.0.0.0'
+set protocols ospfv3 interface eth0.203 bfd
+set protocols ospfv3 interface eth0.203 cost '40'
+set protocols ospfv3 interface eth1 area '0.0.0.0'
+set protocols ospfv3 interface eth1 bfd
+set protocols ospfv3 interface eth1 cost '60'
+set protocols ospfv3 interface eth1 mtu-ignore
+set protocols ospfv3 interface eth1 network 'broadcast'
+set protocols ospfv3 interface eth1 priority '20'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ssh disable-host-validation
+set service ssh port '22'
+set system config-management commit-revisions '200'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '172.16.254.30'
+set system sysctl parameter net.ipv4.conf.eth0.tag value '1'
+set system sysctl parameter net.ipv4.conf.eth1.tag value '1'
+set system sysctl parameter net.ipv4.igmp_max_memberships value '5'
+set system sysctl parameter net.ipv4.ipfrag_time value '4'
+set system sysctl parameter net.mpls.default_ttl value '10'
+set system sysctl parameter net.mpls.ip_ttl_propagate value '0'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set system time-zone 'Europe/Berlin'
diff --git a/smoketest/config-tests/pppoe-server b/smoketest/config-tests/pppoe-server
new file mode 100644
index 000000000..34fbea215
--- /dev/null
+++ b/smoketest/config-tests/pppoe-server
@@ -0,0 +1,47 @@
+set interfaces ethernet eth0 address 'dhcp'
+set interfaces ethernet eth1 address '192.168.0.1/24'
+set interfaces ethernet eth1 speed 'auto'
+set interfaces ethernet eth1 duplex 'auto'
+set interfaces ethernet eth2 speed 'auto'
+set interfaces ethernet eth2 duplex 'auto'
+set interfaces loopback lo
+set nat source rule 100 outbound-interface name 'eth0'
+set nat source rule 100 source address '192.168.0.0/24'
+set nat source rule 100 translation address 'masquerade'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set service pppoe-server access-concentrator 'ACN'
+set service pppoe-server authentication local-users username foo password 'bar'
+set service pppoe-server authentication local-users username foo rate-limit download '20480'
+set service pppoe-server authentication local-users username foo rate-limit upload '10240'
+set service pppoe-server authentication mode 'local'
+set service pppoe-server client-ip-pool default-range-pool range '10.0.0.0/24'
+set service pppoe-server client-ip-pool default-range-pool range '10.0.1.0/24'
+set service pppoe-server client-ip-pool default-range-pool range '10.0.2.0/24'
+set service pppoe-server default-pool 'default-range-pool'
+set service pppoe-server gateway-address '192.168.0.2'
+set service pppoe-server interface eth1
+set service pppoe-server interface eth2 vlan '10'
+set service pppoe-server interface eth2 vlan '20'
+set service pppoe-server interface eth2 vlan '30-40'
+set service pppoe-server interface eth2 vlan '50-60'
+set service pppoe-server name-server '192.168.0.1'
+set service pppoe-server ppp-options disable-ccp
+set service ssh
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/qos-basic b/smoketest/config-tests/qos-basic
new file mode 100644
index 000000000..0e198b80c
--- /dev/null
+++ b/smoketest/config-tests/qos-basic
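Review bot: `set service ntp allow-client address '0.0.0.0/0'` and `'::/0'` leave NTP answering any source, and in this fixture eth0 is the DHCP/masquerade uplink, so the responder is reachable from the WAN side. If the intent is only that the configuration loads and migrates, scoping it to the networks this box actually serves keeps the fixture from being copied as-is: `set service ntp allow-client address '192.168.0.0/24'` plus `set service ntp allow-client address '10.0.0.0/22'` (covers the three /24 client pools). Likewise `set service ssh` with no `listen-address` also binds on the uplink; `set service ssh listen-address '192.168.0.1'` would confine it to the LAN side. The `local-users username foo password 'bar'` entry is stored in clear text, which is inherent to this authentication mode — fine for a throwaway fixture, but it should not be mistaken for a deployable example.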
@@ -0,0 +1,75 @@ +set interfaces ethernet eth0 address '10.1.1.100/24' +set interfaces ethernet eth1 address '10.2.1.1/24' +set interfaces ethernet eth2 address '10.9.9.1/24' +set interfaces ethernet eth2 vif 200 +set interfaces loopback lo +set qos interface eth0 egress 'FS' +set qos interface eth1 egress 'ISPC' +set qos interface eth2 egress 'MY-HTB' +set qos interface eth2.200 egress 'foo-emulate' +set qos policy network-emulator foo-emulate bandwidth '300mbit' +set qos policy shaper FS bandwidth 'auto' +set qos policy shaper FS class 10 bandwidth '100%' +set qos policy shaper FS class 10 burst '15k' +set qos policy shaper FS class 10 match ADDRESS10 ip source address '172.17.1.2/32' +set qos policy shaper FS class 10 queue-type 'fair-queue' +set qos policy shaper FS class 20 bandwidth '100%' +set qos policy shaper FS class 20 burst '15k' +set qos policy shaper FS class 20 match ADDRESS20 ip source address '172.17.1.3/32' +set qos policy shaper FS class 20 queue-type 'fair-queue' +set qos policy shaper FS class 30 bandwidth '100%' +set qos policy shaper FS class 30 burst '15k' +set qos policy shaper FS class 30 match ADDRESS30 ip source address '172.17.1.4/32' +set qos policy shaper FS class 30 queue-type 'fair-queue' +set qos policy shaper FS default bandwidth '10%' +set qos policy shaper FS default burst '15k' +set qos policy shaper FS default ceiling '100%' +set qos policy shaper FS default priority '7' +set qos policy shaper FS default queue-type 'fair-queue' +set qos policy shaper ISPC bandwidth '600mbit' +set qos policy shaper ISPC default bandwidth '50%' +set qos policy shaper ISPC default burst '768k' +set qos policy shaper ISPC default ceiling '100%' +set qos policy shaper ISPC default queue-type 'fq-codel' +set qos policy shaper ISPC description 'Outbound Traffic Shaper - ISPC' +set qos policy shaper MY-HTB bandwidth '10mbit' +set qos policy shaper MY-HTB class 30 bandwidth '10%' +set qos policy shaper MY-HTB class 30 burst '15k' +set qos policy shaper 
MY-HTB class 30 ceiling '50%' +set qos policy shaper MY-HTB class 30 match ADDRESS30 ip source address '10.1.1.0/24' +set qos policy shaper MY-HTB class 30 priority '5' +set qos policy shaper MY-HTB class 30 queue-type 'fair-queue' +set qos policy shaper MY-HTB class 40 bandwidth '90%' +set qos policy shaper MY-HTB class 40 burst '15k' +set qos policy shaper MY-HTB class 40 ceiling '100%' +set qos policy shaper MY-HTB class 40 match ADDRESS40 ip source address '10.2.1.0/24' +set qos policy shaper MY-HTB class 40 priority '5' +set qos policy shaper MY-HTB class 40 queue-type 'fair-queue' +set qos policy shaper MY-HTB class 50 bandwidth '100%' +set qos policy shaper MY-HTB class 50 burst '15k' +set qos policy shaper MY-HTB class 50 match ADDRESS50 ipv6 source address '2001:db8::1/64' +set qos policy shaper MY-HTB class 50 queue-type 'fair-queue' +set qos policy shaper MY-HTB default bandwidth '10%' +set qos policy shaper MY-HTB default burst '15k' +set qos policy shaper MY-HTB default ceiling '100%' +set qos policy shaper MY-HTB default priority '7' +set qos policy shaper MY-HTB default queue-type 'fair-queue' +set service ntp allow-client address '0.0.0.0/0' +set service ntp allow-client address '::/0' +set service ntp server time1.vyos.net +set service ntp server time2.vyos.net +set service ntp server time3.vyos.net +set system config-management commit-revisions '10' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system console device ttyS0 speed '115200' +set system host-name 'vyos' +set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0' +set system login user vyos authentication plaintext-password '' +set system syslog global facility all level 'info' +set 
system syslog global facility local7 level 'debug' diff --git a/smoketest/config-tests/rip-router b/smoketest/config-tests/rip-router new file mode 100644 index 000000000..829aafbd5 --- /dev/null +++ b/smoketest/config-tests/rip-router 
@@ -0,0 +1,83 @@ +set interfaces dummy dum0 address '192.0.2.0/32' +set interfaces ethernet eth0 address '172.18.202.10/24' +set interfaces ethernet eth0 duplex 'auto' +set interfaces ethernet eth0 speed 'auto' +set interfaces ethernet eth1 duplex 'auto' +set interfaces ethernet eth1 speed 'auto' +set interfaces ethernet eth1 vif 20 +set interfaces ethernet eth1 vif-s 200 vif-c 2000 +set interfaces ethernet eth1 vif-s 200 vif-c 3000 +set policy access-list6 198 rule 10 action 'permit' +set policy access-list6 198 rule 10 source any +set policy access-list6 199 rule 20 action 'deny' +set policy access-list6 199 rule 20 source any +set policy prefix-list6 bar-prefix rule 200 action 'deny' +set policy prefix-list6 bar-prefix rule 200 prefix '2001:db8::/32' +set policy prefix-list6 foo-prefix rule 100 action 'permit' +set policy prefix-list6 foo-prefix rule 100 prefix '2001:db8::/32' +set policy route-map FooBar123 rule 10 action 'permit' +set protocols rip default-distance '20' +set protocols rip default-information originate +set protocols rip interface eth0 authentication md5 1 password 'VyOSsecure' +set protocols rip interface eth0 split-horizon poison-reverse +set protocols rip interface eth1.20 authentication plaintext-password 'VyOSsecure' +set protocols rip interface eth1.20 split-horizon poison-reverse +set protocols rip interface eth1.200 authentication md5 1 password 'VyOSsecure' +set protocols rip interface eth1.200 split-horizon disable +set protocols rip interface eth1.200.2000 authentication md5 1 password 'VyOSsecure' +set protocols rip interface eth1.200.3000 split-horizon disable +set protocols rip network '192.168.0.0/24' +set protocols rip redistribute connected +set protocols ripng aggregate-address '2001:db8:1000::/48' +set protocols ripng default-information originate +set protocols ripng default-metric '8' +set protocols ripng distribute-list access-list in '198' +set protocols ripng distribute-list access-list out '199' +set protocols ripng 
distribute-list interface eth0 access-list in '198' +set protocols ripng distribute-list interface eth0 access-list out '199' +set protocols ripng distribute-list interface eth0 prefix-list in 'foo-prefix' +set protocols ripng distribute-list interface eth0 prefix-list out 'bar-prefix' +set protocols ripng distribute-list interface eth1 access-list in '198' +set protocols ripng distribute-list interface eth1 access-list out '199' +set protocols ripng distribute-list interface eth1 prefix-list in 'foo-prefix' +set protocols ripng distribute-list interface eth1 prefix-list out 'bar-prefix' +set protocols ripng distribute-list interface eth2 access-list in '198' +set protocols ripng distribute-list interface eth2 access-list out '199' +set protocols ripng distribute-list interface eth2 prefix-list in 'foo-prefix' +set protocols ripng distribute-list interface eth2 prefix-list out 'bar-prefix' +set protocols ripng distribute-list prefix-list in 'foo-prefix' +set protocols ripng distribute-list prefix-list out 'bar-prefix' +set protocols ripng interface eth0 split-horizon poison-reverse +set protocols ripng interface eth1.20 split-horizon disable +set protocols ripng interface eth1.200 split-horizon poison-reverse +set protocols ripng interface eth1.200.3000 split-horizon poison-reverse +set protocols ripng network '2001:db8:1000::/64' +set protocols ripng network '2001:db8:1001::/64' +set protocols ripng network '2001:db8:2000::/64' +set protocols ripng network '2001:db8:2001::/64' +set protocols ripng passive-interface 'default' +set protocols ripng redistribute connected metric '8' +set protocols ripng redistribute connected route-map 'FooBar123' +set protocols ripng redistribute static metric '8' +set protocols ripng redistribute static route-map 'FooBar123' +set protocols ripng route '2001:db8:1000::/64' +set service ntp allow-client address '0.0.0.0/0' +set service ntp allow-client address '::/0' +set service ntp server 0.pool.ntp.org +set service ntp server 
1.pool.ntp.org +set service ntp server 2.pool.ntp.org +set service ssh port '22' +set system config-management commit-revisions '100' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system console device ttyS0 speed '115200' +set system host-name 'vyos' +set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0' +set system login user vyos authentication plaintext-password '' +set system syslog global facility all level 'info' +set system syslog global facility local7 level 'debug' diff --git a/smoketest/config-tests/rpki-only b/smoketest/config-tests/rpki-only index 569463b12..dcbc7673d 100644 --- a/smoketest/config-tests/rpki-only +++ b/smoketest/config-tests/rpki-only 
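Review bot: `set protocols rip interface eth1.20 authentication plaintext-password 'VyOSsecure'` is the only interface in this fixture using clear-text RIPv2 authentication while eth0, eth1.200 and eth1.200.2000 use `md5`; plaintext authentication gives no protection against anyone who can see the segment and reads as an oversight next to the md5 entries. If eth1.20 is deliberately there to exercise the plaintext CLI path, a short note in the commit message would make that clear; otherwise `set protocols rip interface eth1.20 authentication md5 1 password 'VyOSsecure'` keeps the fixture consistent. Note also that the `ripng` section carries no authentication, which is a property of the protocol rather than this config, so the same key material cannot be applied there.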
@@ -1,30 +1,42 @@
 set interfaces ethernet eth0 address '192.0.2.1/24'
 set interfaces ethernet eth0 address '2001:db8::1/64'
+set interfaces ethernet eth0 duplex 'auto'
+set interfaces ethernet eth0 speed 'auto'
 set interfaces loopback lo
 set pki openssh rpki-5.6.7.8 private key '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'
 set pki openssh rpki-5.6.7.8 public key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDB4PJ+UMVHirITARNsmRnZllz6wk2INO9inAaxYiSO7j2UlLEd7XEp/wWHB/Iy7jRKe3XIOVGaabPgKxsuBu5kYw+9cbXV7fj4LSlJVS+kXpqpFN4uXWkNErtGeOCbey74jxJEtBHipssbpVdY4W5WnCKpsTEtpTSEVhM80/50Cs2mxYQQqyiGTqlNd2GDdXNane8IyOXYlOyENreUPunbEhJIBF4RjR+d8QCZDMfhnoMjDAZ0W4xahAiD6gUEz0BGs7b8UiNGzPoB5xH9Z5TvYkTDhomJzX9wAlADo+JAEfCS6jdaWXW1unF5FmgHY1AbbYRPIku+F9Nqig0tP0el'
 set pki openssh rpki-5.6.7.8 public type 'ssh-rsa'
 set policy route-map ROUTES-IN rule 10 action 'permit'
 set policy route-map ROUTES-IN rule 10 match rpki 'valid'
 set policy route-map ROUTES-IN rule 10 set local-preference '300'
 set policy route-map ROUTES-IN rule 20 action 'permit'
 set policy route-map ROUTES-IN rule 20 match rpki 'notfound'
 set policy route-map ROUTES-IN rule 20 set local-preference '125'
 set policy route-map ROUTES-IN rule 30 action 'deny'
 set policy route-map ROUTES-IN rule 30 match rpki 'invalid'
 set protocols bgp neighbor 192.0.2.200 address-family ipv4-unicast route-map import 'ROUTES-IN'
 set protocols bgp neighbor 192.0.2.200 remote-as '200'
+set protocols bgp neighbor 2001:db8::200 address-family ipv4-unicast
 set protocols bgp neighbor 2001:db8::200 address-family ipv6-unicast route-map import 'ROUTES-IN'
 set protocols bgp neighbor 2001:db8::200 remote-as '200'
 set protocols bgp system-as '100'
 set protocols rpki cache 1.2.3.4 port '3323'
 set protocols rpki cache 1.2.3.4 preference '10'
 set protocols rpki cache 5.6.7.8 port '2222'
 set protocols rpki cache 5.6.7.8 preference '20'
 set protocols rpki cache 5.6.7.8 ssh key 'rpki-5.6.7.8'
 set protocols rpki cache 5.6.7.8 ssh username 'vyos'
+set system config-management commit-revisions '200'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
 set system host-name 'vyos'
 set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0'
 set system login user vyos authentication plaintext-password ''
 set system syslog global facility all level 'debug'
-set system console device ttyS0 speed '115200'
+set system syslog global facility local7 level 'debug'
diff --git a/smoketest/config-tests/tunnel-broker b/smoketest/config-tests/tunnel-broker
new file mode 100644
index 000000000..ee6301c85
--- /dev/null
+++ b/smoketest/config-tests/tunnel-broker
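Review bot: The added `set protocols bgp neighbor 2001:db8::200 address-family ipv4-unicast` activates a second address family on that neighbor without the `route-map import 'ROUTES-IN'` that every other address family in this file carries, so IPv4 prefixes learned over the IPv6 session bypass the `match rpki 'invalid'` → deny rule entirely. Unless the bare activation is exactly what the migration test needs to exercise, it should read `set protocols bgp neighbor 2001:db8::200 address-family ipv4-unicast route-map import 'ROUTES-IN'`. Separately, cache `1.2.3.4` speaks plain RTR on port 3323 with `preference '10'` while the SSH-protected cache `5.6.7.8` has `preference '20'`; if FRR's lower-value-wins ordering applies, the unauthenticated cache is the one consulted first, which undercuts the point of configuring SSH for the other one — worth a comment in the commit message if the ordering is intentional.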
@@ -0,0 +1,75 @@ +set interfaces dummy dum0 address '192.0.2.0/32' +set interfaces dummy dum1 address '192.0.2.1/32' +set interfaces dummy dum2 address '192.0.2.2/32' +set interfaces dummy dum3 address '192.0.2.3/32' +set interfaces dummy dum4 address '192.0.2.4/32' +set interfaces ethernet eth0 address '172.18.202.10/24' +set interfaces ethernet eth0 duplex 'auto' +set interfaces ethernet eth0 speed 'auto' +set interfaces l2tpv3 l2tpeth10 destination-port '5010' +set interfaces l2tpv3 l2tpeth10 encapsulation 'ip' +set interfaces l2tpv3 l2tpeth10 peer-session-id '110' +set interfaces l2tpv3 l2tpeth10 peer-tunnel-id '10' +set interfaces l2tpv3 l2tpeth10 remote '172.18.202.110' +set interfaces l2tpv3 l2tpeth10 session-id '110' +set interfaces l2tpv3 l2tpeth10 source-address '172.18.202.10' +set interfaces l2tpv3 l2tpeth10 source-port '5010' +set interfaces l2tpv3 l2tpeth10 tunnel-id '10' +set interfaces l2tpv3 l2tpeth20 destination-port '5020' +set interfaces l2tpv3 l2tpeth20 encapsulation 'ip' +set interfaces l2tpv3 l2tpeth20 peer-session-id '120' +set interfaces l2tpv3 l2tpeth20 peer-tunnel-id '20' +set interfaces l2tpv3 l2tpeth20 remote '172.18.202.120' +set interfaces l2tpv3 l2tpeth20 session-id '120' +set interfaces l2tpv3 l2tpeth20 source-address '172.18.202.10' +set interfaces l2tpv3 l2tpeth20 source-port '5020' +set interfaces l2tpv3 l2tpeth20 tunnel-id '20' +set interfaces l2tpv3 l2tpeth30 destination-port '5030' +set interfaces l2tpv3 l2tpeth30 encapsulation 'ip' +set interfaces l2tpv3 l2tpeth30 peer-session-id '130' +set interfaces l2tpv3 l2tpeth30 peer-tunnel-id '30' +set interfaces l2tpv3 l2tpeth30 remote '172.18.202.130' +set interfaces l2tpv3 l2tpeth30 session-id '130' +set interfaces l2tpv3 l2tpeth30 source-address '172.18.202.10' +set interfaces l2tpv3 l2tpeth30 source-port '5030' +set interfaces l2tpv3 l2tpeth30 tunnel-id '30' +set interfaces tunnel tun100 address '172.16.0.1/30' +set interfaces tunnel tun100 encapsulation 'gretap' +set interfaces 
tunnel tun100 remote '192.0.2.100' +set interfaces tunnel tun100 source-address '192.0.2.1' +set interfaces tunnel tun200 address '172.16.0.5/30' +set interfaces tunnel tun200 encapsulation 'gre' +set interfaces tunnel tun200 remote '192.0.2.101' +set interfaces tunnel tun200 source-interface 'eth0' +set interfaces tunnel tun300 address '172.16.0.9/30' +set interfaces tunnel tun300 encapsulation 'ipip' +set interfaces tunnel tun300 remote '192.0.2.102' +set interfaces tunnel tun300 source-address '192.0.2.2' +set interfaces tunnel tun400 address '172.16.0.13/30' +set interfaces tunnel tun400 encapsulation 'gretap' +set interfaces tunnel tun400 remote '192.0.2.103' +set interfaces tunnel tun400 source-address '192.0.2.3' +set interfaces tunnel tun500 address '172.16.0.17/30' +set interfaces tunnel tun500 encapsulation 'gre' +set interfaces tunnel tun500 remote '192.0.2.104' +set interfaces tunnel tun500 source-address '192.0.2.4' +set protocols static route 0.0.0.0/0 next-hop 172.18.202.254 +set service ntp allow-client address '0.0.0.0/0' +set service ntp allow-client address '::/0' +set service ntp server 0.pool.ntp.org +set service ntp server 1.pool.ntp.org +set service ntp server 2.pool.ntp.org +set system config-management commit-revisions '100' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system console device ttyS0 speed '115200' +set system host-name 'vyos' +set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0' +set system login user vyos authentication plaintext-password '' +set system syslog global facility all level 'info' +set system syslog global facility local7 level 'debug' 
diff --git a/smoketest/config-tests/vpn-openconnect-sstp b/smoketest/config-tests/vpn-openconnect-sstp new file mode 100644 index 000000000..28d7d5daa --- /dev/null +++ b/smoketest/config-tests/vpn-openconnect-sstp 
@@ -0,0 +1,35 @@
+set interfaces ethernet eth0 address '192.168.150.1/24'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ntp server time3.vyos.net
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set vpn openconnect authentication local-users username test password 'test'
+set vpn openconnect authentication mode local 'password'
+set vpn openconnect network-settings client-ip-settings subnet '192.168.160.0/24'
+set vpn openconnect ssl ca-certificate 'openconnect'
+set vpn openconnect ssl certificate 'openconnect'
+set vpn openconnect tls-version-min '1.0'
+set vpn sstp authentication local-users username test password 'test'
+set vpn sstp authentication mode 'local'
+set vpn sstp authentication protocols 'mschap-v2'
+set vpn sstp client-ip-pool default-range-pool range '192.168.170.0/24'
+set vpn sstp default-pool 'default-range-pool'
+set vpn sstp gateway-address '192.168.150.1'
+set vpn sstp port '8443'
+set vpn sstp ssl ca-certificate 'sstp'
+set vpn sstp ssl certificate 'sstp'
diff --git a/smoketest/config-tests/vrf-basic b/smoketest/config-tests/vrf-basic
new file mode 100644
index 000000000..1d2874a60
--- /dev/null
+++ b/smoketest/config-tests/vrf-basic
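Review bot: `set vpn openconnect tls-version-min '1.0'` permits TLS 1.0 handshakes, a version formally deprecated by RFC 8996 and refused by current clients; unless this fixture deliberately exercises the legacy value, `set vpn openconnect tls-version-min '1.2'` is the floor a deployment should migrate to, and the commit message should say which of the two is intended. `ssl ca-certificate 'openconnect'` / `'sstp'` and `ssl certificate 'openconnect'` / `'sstp'` reference `pki` objects that are not defined anywhere in this file, so the commit presumably relies on the smoketest harness generating them — worth confirming, since a missing certificate fails at commit rather than in an assertion. Both services use `local-users username test password 'test'`, stored in clear text as these authentication modes require; acceptable for a fixture, but it should not be reused outside one.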
@@ -0,0 +1,65 @@ +set interfaces ethernet eth0 address '192.0.2.1/24' +set interfaces ethernet eth1 duplex 'auto' +set interfaces ethernet eth1 speed 'auto' +set interfaces ethernet eth1 vrf 'green' +set interfaces ethernet eth2 vrf 'red' +set protocols static route 0.0.0.0/0 next-hop 192.0.2.254 distance '10' +set protocols static table 10 route 1.0.0.0/8 interface eth0 distance '20' +set protocols static table 10 route 2.0.0.0/8 interface eth0 distance '20' +set protocols static table 10 route 3.0.0.0/8 interface eth0 distance '20' +set protocols static table 20 route 4.0.0.0/8 interface eth0 distance '20' +set protocols static table 20 route 5.0.0.0/8 interface eth0 distance '50' +set protocols static table 20 route 6.0.0.0/8 interface eth0 distance '60' +set protocols static table 20 route 11.0.0.0/8 next-hop 1.1.1.1 interface 'eth0' +set protocols static table 20 route 12.0.0.0/8 next-hop 1.1.1.1 interface 'eth0' +set protocols static table 20 route 13.0.0.0/8 next-hop 1.1.1.1 interface 'eth0' +set protocols static table 20 route6 2001:db8:100::/40 interface eth1 distance '20' +set protocols static table 20 route6 2001:db8::/40 interface eth1 distance '10' +set protocols static table 30 route 14.0.0.0/8 next-hop 2.2.1.1 interface 'eth1' +set protocols static table 30 route 15.0.0.0/8 next-hop 2.2.1.1 interface 'eth1' +set protocols static table 30 route6 2001:db8:200::/40 interface eth1 distance '20' +set service ntp allow-client address '0.0.0.0/0' +set service ntp allow-client address '::/0' +set service ntp server 0.pool.ntp.org +set service ntp server 1.pool.ntp.org +set service ntp server 2.pool.ntp.org +set system config-management commit-revisions '100' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system console device ttyS0 speed '115200' +set system 
host-name 'vyos' +set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0' +set system login user vyos authentication plaintext-password '' +set system syslog global facility all level 'info' +set system syslog global facility local7 level 'debug' +set system time-zone 'Europe/Berlin' +set vrf name green protocols static route 20.0.0.0/8 next-hop 1.1.1.1 interface 'eth1' +set vrf name green protocols static route 20.0.0.0/8 next-hop 1.1.1.1 vrf 'default' +set vrf name green protocols static route 21.0.0.0/8 next-hop 2.2.1.1 interface 'eth1' +set vrf name green protocols static route 21.0.0.0/8 next-hop 2.2.1.1 vrf 'default' +set vrf name green protocols static route 100.0.0.0/8 interface eth0 distance '200' +set vrf name green protocols static route 100.0.0.0/8 interface eth0 vrf 'default' +set vrf name green protocols static route 101.0.0.0/8 interface eth0 vrf 'default' +set vrf name green protocols static route 101.0.0.0/8 interface eth1 +set vrf name green protocols static route6 2001:db8:100::/40 next-hop fe80::1 interface 'eth0' +set vrf name green protocols static route6 2001:db8:100::/40 next-hop fe80::1 vrf 'default' +set vrf name green protocols static route6 2001:db8:300::/40 interface eth1 distance '20' +set vrf name green protocols static route6 2001:db8:300::/40 interface eth1 vrf 'default' +set vrf name green table '1000' +set vrf name red protocols static route 30.0.0.0/8 next-hop 1.1.1.1 interface 'eth1' +set vrf name red protocols static route 40.0.0.0/8 next-hop 2.2.1.1 interface 'eth1' +set vrf name red protocols static route 40.0.0.0/8 next-hop 2.2.1.1 vrf 'default' +set vrf name red protocols static route 103.0.0.0/8 interface eth0 distance '201' +set vrf name red protocols static route 103.0.0.0/8 interface eth0 vrf 'default' +set vrf name red protocols static route 104.0.0.0/8 interface eth0 vrf 'default' +set vrf name red protocols 
static route 104.0.0.0/8 interface eth1 vrf 'default' +set vrf name red protocols static route6 2001:db8:100::/40 next-hop fe80::1 interface 'eth0' +set vrf name red protocols static route6 2001:db8:100::/40 next-hop fe80::1 vrf 'default' +set vrf name red protocols static route6 2001:db8:400::/40 interface eth1 distance '24' +set vrf name red protocols static route6 2001:db8:400::/40 interface eth1 vrf 'default' +set vrf name red table '2000' diff --git a/smoketest/config-tests/vrf-bgp-pppoe-underlay b/smoketest/config-tests/vrf-bgp-pppoe-underlay new file mode 100644 index 000000000..bd64c914a --- /dev/null +++ b/smoketest/config-tests/vrf-bgp-pppoe-underlay 
@@ -0,0 +1,186 @@ +set interfaces bridge br50 address '192.168.0.1/24' +set interfaces bridge br50 member interface eth0.50 +set interfaces bridge br50 member interface eth2 +set interfaces bridge br50 member interface eth3 +set interfaces dummy dum0 address '100.64.51.252/32' +set interfaces dummy dum0 address '2001:db8:200:ffff::1/128' +set interfaces dummy dum0 vrf 'vyos-test-01' +set interfaces ethernet eth0 offload gro +set interfaces ethernet eth0 offload rps +set interfaces ethernet eth0 ring-buffer rx '256' +set interfaces ethernet eth0 ring-buffer tx '256' +set interfaces ethernet eth0 vif 5 address '2001:db8:200:f0::114/64' +set interfaces ethernet eth0 vif 5 address '100.64.50.121/28' +set interfaces ethernet eth0 vif 5 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 10 address '2001:db8:200:10::ffff/64' +set interfaces ethernet eth0 vif 10 address '2001:db8:200::ffff/64' +set interfaces ethernet eth0 vif 10 address '100.64.50.62/26' +set interfaces ethernet eth0 vif 10 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 15 address '100.64.50.78/28' +set interfaces ethernet eth0 vif 15 address '2001:db8:200:15::ffff/64' +set interfaces ethernet eth0 vif 15 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 50 description 'Member of bridge br50' +set interfaces ethernet eth0 vif 110 address '100.64.51.190/27' +set interfaces ethernet eth0 vif 110 address '100.64.51.158/28' +set interfaces ethernet eth0 vif 110 address '2001:db8:200:101::ffff/64' +set interfaces ethernet eth0 vif 110 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 410 address '100.64.51.206/28' +set interfaces ethernet eth0 vif 410 address '2001:db8:200:104::ffff/64' +set interfaces ethernet eth0 vif 410 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 500 address '100.64.51.238/28' +set interfaces ethernet eth0 vif 500 address '2001:db8:200:50::ffff/64' +set interfaces ethernet eth0 vif 500 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 520 address 
'100.64.50.190/28' +set interfaces ethernet eth0 vif 520 address '2001:db8:200:520::ffff/64' +set interfaces ethernet eth0 vif 520 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 666 address '2001:db8:200:ff::101:1/112' +set interfaces ethernet eth0 vif 666 address '100.64.51.223/31' +set interfaces ethernet eth0 vif 666 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 800 address '2001:db8:200:ff::104:1/112' +set interfaces ethernet eth0 vif 800 address '100.64.51.212/31' +set interfaces ethernet eth0 vif 800 vrf 'vyos-test-01' +set interfaces ethernet eth0 vif 810 address '100.64.51.30/27' +set interfaces ethernet eth0 vif 810 address '2001:db8:200:102::ffff/64' +set interfaces ethernet eth0 vif 810 vrf 'vyos-test-01' +set interfaces ethernet eth1 offload gro +set interfaces ethernet eth1 offload rps +set interfaces ethernet eth1 ring-buffer rx '256' +set interfaces ethernet eth1 ring-buffer tx '256' +set interfaces ethernet eth2 offload gro +set interfaces ethernet eth3 offload gro +set interfaces loopback lo +set interfaces pppoe pppoe7 authentication password 'vyos' +set interfaces pppoe pppoe7 authentication username 'vyos' +set interfaces pppoe pppoe7 dhcpv6-options pd 0 interface br50 address '1' +set interfaces pppoe pppoe7 dhcpv6-options pd 0 length '56' +set interfaces pppoe pppoe7 ip adjust-mss '1452' +set interfaces pppoe pppoe7 ipv6 address autoconf +set interfaces pppoe pppoe7 ipv6 adjust-mss '1432' +set interfaces pppoe pppoe7 mtu '1492' +set interfaces pppoe pppoe7 no-peer-dns +set interfaces pppoe pppoe7 source-interface 'eth1' +set interfaces virtual-ethernet veth0 address '100.64.51.220/31' +set interfaces virtual-ethernet veth0 address '2001:db8:200:ff::105:1/112' +set interfaces virtual-ethernet veth0 description 'Core: connect vyos-test-01 and default VRF' +set interfaces virtual-ethernet veth0 peer-name 'veth1' +set interfaces virtual-ethernet veth1 address '100.64.51.221/31' +set interfaces virtual-ethernet veth1 address 
'2001:db8:200:ff::105:2/112'
+set interfaces virtual-ethernet veth1 description 'Core: connect vyos-test-01 and default VRF'
+set interfaces virtual-ethernet veth1 peer-name 'veth0'
+set interfaces virtual-ethernet veth1 vrf 'vyos-test-01'
+set interfaces wireguard wg500 address '100.64.51.209/31'
+set interfaces wireguard wg500 mtu '1500'
+set interfaces wireguard wg500 peer A address '192.0.2.1'
+set interfaces wireguard wg500 peer A allowed-ips '0.0.0.0/0'
+set interfaces wireguard wg500 peer A port '5500'
+set interfaces wireguard wg500 peer A public-key 'KGSXF4QckzGe7f7CT+r6VZ5brOD/pVYk8yvrxOQ+X0Y='
+set interfaces wireguard wg500 port '5500'
+set interfaces wireguard wg500 private-key 'iLJh6Me6AdPJtNv3dgGhUbtyFxExxmNU4v0Fs6YE2Xc='
+set interfaces wireguard wg500 vrf 'vyos-test-01'
+set interfaces wireguard wg501 address '2001:db8:200:ff::102:2/112'
+set interfaces wireguard wg501 mtu '1500'
+set interfaces wireguard wg501 peer A address '2001:db8:300::1'
+set interfaces wireguard wg501 peer A allowed-ips '::/0'
+set interfaces wireguard wg501 peer A port '5501'
+set interfaces wireguard wg501 peer A public-key 'OF+1OJ+VfQ0Yw1mgVtQ2ion4CnAdy8Bvx7yEiO4+Pn8='
+set interfaces wireguard wg501 port '5501'
+set interfaces wireguard wg501 private-key '0MP5X0PW58O4q2LDpuIXgZ0ySyAoWH8/kdpvQccCbUU='
+set interfaces wireguard wg501 vrf 'vyos-test-01'
+set interfaces wireguard wg666 address '172.29.0.0/31'
+set interfaces wireguard wg666 mtu '1500'
+set interfaces wireguard wg666 peer B allowed-ips '0.0.0.0/0'
+set interfaces wireguard wg666 peer B public-key '2HT+RfwcqJMYNYzdmtmpem8Ht0dL37o31APHVwmh024='
+set interfaces wireguard wg666 port '50666'
+set interfaces wireguard wg666 private-key 'zvPnp2MLAoX7SotuHLFLDyy4sdlD7ttbD1xNEqA3mkU='
+set nat source rule 100 outbound-interface name 'pppoe7'
+set nat source rule 100 source address '192.168.0.0/24'
+set nat source rule 100 translation address 'masquerade'
+set policy prefix-list AS100-origin-v4 rule 10 action 'permit'
+set policy prefix-list AS100-origin-v4 rule 10 prefix '100.64.0.0/12'
+set policy prefix-list AS100-origin-v4 rule 100 action 'permit'
+set policy prefix-list AS100-origin-v4 rule 100 prefix '0.0.0.0/0'
+set policy prefix-list AS200-origin-v4 rule 10 action 'permit'
+set policy prefix-list AS200-origin-v4 rule 10 prefix '10.0.0.0/8'
+set policy prefix-list AS200-origin-v4 rule 20 action 'permit'
+set policy prefix-list AS200-origin-v4 rule 20 prefix '172.16.0.0/12'
+set policy prefix-list6 AS100-origin-v6 rule 10 action 'permit'
+set policy prefix-list6 AS100-origin-v6 rule 10 prefix '2001:db8:200::/40'
+set policy prefix-list6 AS200-origin-v6 rule 10 action 'permit'
+set policy prefix-list6 AS200-origin-v6 rule 10 prefix '2001:db8:100::/40'
+set protocols static route 100.64.50.0/23 next-hop 100.64.51.221
+set protocols static route 192.0.2.255/32 interface pppoe7
+set protocols static route6 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff/128 interface pppoe7
+set qos interface pppoe7 egress 'isp-out'
+set qos policy shaper isp-out bandwidth '38mbit'
+set qos policy shaper isp-out default bandwidth '100%'
+set qos policy shaper isp-out default burst '15k'
+set qos policy shaper isp-out default queue-limit '1000'
+set qos policy shaper isp-out default queue-type 'fq-codel'
+set service router-advert interface br50 prefix ::/64 preferred-lifetime '2700'
+set service router-advert interface br50 prefix ::/64 valid-lifetime '5400'
+set service router-advert interface eth0.500 default-preference 'high'
+set service router-advert interface eth0.500 name-server '2001:db8:200::1'
+set service router-advert interface eth0.500 name-server '2001:db8:200::2'
+set service router-advert interface eth0.500 prefix 2001:db8:200:50::/64 valid-lifetime 'infinity'
+set service router-advert interface eth0.520 default-preference 'high'
+set service router-advert interface eth0.520 name-server '2001:db8:200::1'
+set service router-advert interface eth0.520 name-server '2001:db8:200::2'
+set service router-advert interface eth0.520 prefix 2001:db8:200:520::/64 valid-lifetime 'infinity'
+set service ssh disable-host-validation
+set service ssh dynamic-protection allow-from '100.64.0.0/10'
+set service ssh dynamic-protection allow-from '2001:db8:200::/40'
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system name-server '192.168.0.1'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set system time-zone 'Europe/Berlin'
+set vrf bind-to-all
+set vrf name vyos-test-01 protocols bgp address-family ipv4-unicast network 100.64.50.0/23
+set vrf name vyos-test-01 protocols bgp address-family ipv6-unicast network 2001:db8:200:ffff::1/128
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.208 peer-group 'AS100v4'
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.222 address-family ipv4-unicast default-originate
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.222 address-family ipv4-unicast maximum-prefix '10'
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.222 address-family ipv4-unicast prefix-list export 'AS100-origin-v4'
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.222 address-family ipv4-unicast prefix-list import 'AS200-origin-v4'
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.222 address-family ipv4-unicast soft-reconfiguration inbound
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.222 capability dynamic
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.222 remote-as '200'
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.251 peer-group 'AS100v4'
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.251 shutdown
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.254 peer-group 'AS100v4'
+set vrf name vyos-test-01 protocols bgp neighbor 100.64.51.254 shutdown
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ff::101:2 address-family ipv6-unicast maximum-prefix '10'
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ff::101:2 address-family ipv6-unicast prefix-list export 'AS100-origin-v6'
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ff::101:2 address-family ipv6-unicast prefix-list import 'AS200-origin-v6'
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ff::101:2 address-family ipv6-unicast soft-reconfiguration inbound
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ff::101:2 capability dynamic
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ff::101:2 remote-as '200'
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ffff::2 peer-group 'AS100v6'
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ffff::2 shutdown
+set vrf name vyos-test-01 protocols bgp neighbor 2001:db8:200:ffff::a peer-group 'AS100v6'
+set vrf name vyos-test-01 protocols bgp peer-group AS100v4 address-family ipv4-unicast nexthop-self
+set vrf name vyos-test-01 protocols bgp peer-group AS100v4 capability dynamic
+set vrf name vyos-test-01 protocols bgp peer-group AS100v4 remote-as 'internal'
+set vrf name vyos-test-01 protocols bgp peer-group AS100v4 update-source 'dum0'
+set vrf name vyos-test-01 protocols bgp peer-group AS100v6 address-family ipv6-unicast nexthop-self
+set vrf name vyos-test-01 protocols bgp peer-group AS100v6 capability dynamic
+set vrf name vyos-test-01 protocols bgp peer-group AS100v6 remote-as 'internal'
+set vrf name vyos-test-01 protocols bgp peer-group AS100v6 update-source 'dum0'
+set vrf name vyos-test-01 protocols bgp system-as '100'
+set vrf name vyos-test-01 protocols static route 100.64.50.0/23 blackhole
+set vrf name vyos-test-01 protocols static route 100.64.51.32/27 next-hop 100.64.51.5
+set vrf name vyos-test-01 protocols static route 192.168.0.0/24 next-hop 100.64.51.220
+set vrf name vyos-test-01 protocols static route6 2001:db8:2fe:ffff::/64 next-hop 2001:db8:200:102::5
+set vrf name vyos-test-01 table '1000'
diff --git a/smoketest/config-tests/vrf-ospf b/smoketest/config-tests/vrf-ospf
new file mode 100644
index 000000000..fd14615e0
--- /dev/null
+++ b/smoketest/config-tests/vrf-ospf
@@ -0,0 +1,59 @@
+set interfaces ethernet eth0 address '192.0.2.1/24'
+set interfaces ethernet eth0 offload gro
+set interfaces ethernet eth1 offload gro
+set interfaces ethernet eth1 vrf 'red'
+set interfaces ethernet eth2 offload gro
+set interfaces ethernet eth2 vrf 'blue'
+set protocols ospf area 0 network '192.0.2.0/24'
+set protocols ospf interface eth0 authentication md5 key-id 10 md5-key 'ospfkey'
+set protocols ospf interface eth0 passive disable
+set protocols ospf log-adjacency-changes
+set protocols ospf parameters abr-type 'cisco'
+set protocols ospf parameters router-id '1.2.3.4'
+set protocols ospf passive-interface 'default'
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set system config-management commit-revisions '100'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
+set system login user vyos authentication plaintext-password ''
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set system time-zone 'Europe/Berlin'
+set vrf name blue protocols ospf area 0 network '172.18.201.0/24'
+set vrf name blue protocols ospf interface eth2 authentication md5 key-id 30 md5-key 'vyoskey456'
+set vrf name blue protocols ospf interface eth2 dead-interval '40'
+set vrf name blue protocols ospf interface eth2 hello-interval '10'
+set vrf name blue protocols ospf interface eth2 passive disable
+set vrf name blue protocols ospf interface eth2 priority '1'
+set vrf name blue protocols ospf interface eth2 retransmit-interval '5'
+set vrf name blue protocols ospf interface eth2 transmit-delay '1'
+set vrf name blue protocols ospf log-adjacency-changes
+set vrf name blue protocols ospf parameters abr-type 'cisco'
+set vrf name blue protocols ospf parameters router-id '5.6.7.8'
+set vrf name blue protocols ospf passive-interface 'default'
+set vrf name blue table '2000'
+set vrf name red protocols ospf area 0 network '172.18.202.0/24'
+set vrf name red protocols ospf interface eth1 authentication md5 key-id 20 md5-key 'vyoskey123'
+set vrf name red protocols ospf interface eth1 dead-interval '40'
+set vrf name red protocols ospf interface eth1 hello-interval '10'
+set vrf name red protocols ospf interface eth1 passive disable
+set vrf name red protocols ospf interface eth1 priority '1'
+set vrf name red protocols ospf interface eth1 retransmit-interval '5'
+set vrf name red protocols ospf interface eth1 transmit-delay '1'
+set vrf name red protocols ospf log-adjacency-changes
+set vrf name red protocols ospf parameters abr-type 'cisco'
+set vrf name red protocols ospf parameters router-id '9.10.11.12'
+set vrf name red protocols ospf passive-interface 'default'
+set vrf name red table '1000'
diff --git a/smoketest/config-tests/wireless-basic b/smoketest/config-tests/wireless-basic
index 77db29c2f..d9e6c8fac 100644
--- a/smoketest/config-tests/wireless-basic
+++ b/smoketest/config-tests/wireless-basic
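Review bot: eth1 and eth2, the interfaces placed in VRFs red and blue, are given no address in this new fixture, so the `area 0 network '172.18.202.0/24'` and `area 0 network '172.18.201.0/24'` statements have no interface to match and the per-VRF OSPF instances would never form an adjacency. If the file only has to load and round-trip through the config-tests harness that is harmless, but if it is meant to exercise VRF-scoped OSPF it should also carry addresses on those interfaces, for example `set interfaces ethernet eth1 address '172.18.202.1/24'` and `set interfaces ethernet eth2 address '172.18.201.1/24'` (constructed values chosen to fall inside the network statements). The MD5 keys and the NTP allow-client from any address are plainly test-only values and need no change here.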
@@ -1,25 +1,25 @@
 set interfaces ethernet eth0 duplex 'auto'
 set interfaces ethernet eth0 speed 'auto'
 set interfaces ethernet eth1 duplex 'auto'
 set interfaces ethernet eth1 speed 'auto'
 set interfaces wireless wlan0 address '192.168.0.1/24'
 set interfaces wireless wlan0 channel '1'
 set interfaces wireless wlan0 mode 'n'
 set interfaces wireless wlan0 security wpa cipher 'CCMP'
 set interfaces wireless wlan0 security wpa mode 'wpa2'
 set interfaces wireless wlan0 security wpa passphrase '12345678'
 set interfaces wireless wlan0 ssid 'VyOS'
 set interfaces wireless wlan0 type 'access-point'
 set interfaces wireless wlan1 address '192.168.1.1/24'
 set interfaces wireless wlan1 channel '2'
 set interfaces wireless wlan1 mode 'n'
 set interfaces wireless wlan1 ssid 'VyOS-PUBLIC'
 set interfaces wireless wlan1 type 'access-point'
 set system config-management commit-revisions '200'
 set system console device ttyS0 speed '115200'
 set system domain-name 'dev.vyos.net'
 set system host-name 'WR1'
 set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
-set system wireless country-code 'es'
 set system syslog global facility all level 'info'
 set system syslog global facility local7 level 'debug'
+set system wireless country-code 'es'
diff --git a/smoketest/configs/basic-api-service b/smoketest/configs/basic-api-service
index f997ccd73..d5364d3e6 100644
--- a/smoketest/configs/basic-api-service
+++ b/smoketest/configs/basic-api-service
@@ -1,87 +1,85 @@ interfaces { ethernet eth0 { address 192.0.2.1/31 address 2001:db8::1234/64 } - ethernet eth1 { - } loopback lo { } } service { https { api { keys { id 1 { key S3cur3 } } socket } virtual-host bar { allow-client { address 172.16.0.0/12 } listen-port 5555 server-name bar } virtual-host baz { allow-client { address 192.168.0.0/16 } listen-address "*" listen-port 6666 server-name baz } virtual-host foo { allow-client { address 10.0.0.0/8 address 2001:db8::/32 } listen-port 7777 server-name foo } } } system { config-management { commit-revisions 100 } console { device ttyS0 { speed 115200 } } host-name vyos login { user vyos { authentication { encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ plaintext-password "" } } } ntp { server time1.vyos.net { } server time2.vyos.net { } server time3.vyos.net { } } syslog { global { facility all { level info } facility protocols { level debug } } } } // Warning: Do not remove the following line. // vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" // Release version: 1.3-rolling-202010241631 diff --git a/smoketest/configs/bgp-dmvpn-hub b/smoketest/configs/bgp-dmvpn-hub index fc5aadd8f..fc0be5e07 100644 --- a/smoketest/configs/bgp-dmvpn-hub +++ b/smoketest/configs/bgp-dmvpn-hub 
@@ -1,174 +1,177 @@ interfaces { ethernet eth0 { address 100.64.10.1/31 + speed auto + duplex auto } ethernet eth1 { + speed auto + duplex auto } loopback lo { } tunnel tun0 { address 192.168.254.62/26 encapsulation gre multicast enable parameters { ip { key 1 } } source-address 100.64.10.1 } } protocols { bgp 65000 { address-family { ipv4-unicast { network 172.20.0.0/16 { } } } neighbor 192.168.254.1 { peer-group DMVPN remote-as 65001 } neighbor 192.168.254.2 { peer-group DMVPN remote-as 65002 } neighbor 192.168.254.3 { peer-group DMVPN remote-as 65003 } parameters { default { no-ipv4-unicast } log-neighbor-changes } peer-group DMVPN { address-family { ipv4-unicast { } } } timers { holdtime 30 keepalive 10 } } nhrp { tunnel tun0 { cisco-authentication secret holding-time 300 multicast dynamic redirect shortcut } } static { route 0.0.0.0/0 { next-hop 100.64.10.0 { } } route 172.20.0.0/16 { blackhole { distance 200 } } } } system { config-management { commit-revisions 100 } conntrack { modules { ftp h323 nfs pptp sip sqlnet tftp } } console { device ttyS0 { speed 115200 } } host-name cpe-4 login { user vyos { authentication { encrypted-password $6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0 plaintext-password "" } } } name-server 1.1.1.1 name-server 8.8.8.8 name-server 9.9.9.9 ntp { server time1.vyos.net { } server time2.vyos.net { } server time3.vyos.net { } } syslog { global { facility all { level info } facility protocols { level debug } } } } vpn { ipsec { esp-group ESP-DMVPN { compression disable lifetime 1800 mode transport pfs dh-group2 proposal 1 { encryption aes256 hash sha1 } } ike-group IKE-DMVPN { close-action none ikev2-reauth no key-exchange ikev1 lifetime 3600 proposal 1 { dh-group 2 encryption aes256 hash sha1 } } ipsec-interfaces { interface eth0 } profile NHRPVPN { authentication { mode pre-shared-secret pre-shared-secret VyOS-topsecret } bind { tunnel tun0 } esp-group ESP-DMVPN ike-group 
IKE-DMVPN } } } // Warning: Do not remove the following line. // vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1" // Release version: 1.3.0-epa3 - diff --git a/smoketest/configs/bgp-evpn-l3vpn-pe-router b/smoketest/configs/bgp-evpn-l3vpn-pe-router index b1ca7fae3..c676463b8 100644 --- a/smoketest/configs/bgp-evpn-l3vpn-pe-router +++ b/smoketest/configs/bgp-evpn-l3vpn-pe-router 
@@ -1,312 +1,312 @@ interfaces { bridge br2000 { address 10.1.1.1/24 description "customer blue" member { interface eth4 { } interface vxlan2000 { } } vrf blue } bridge br3000 { address 10.2.1.1/24 description "customer red" member { interface eth5 { } interface vxlan3000 { } } vrf red } bridge br4000 { address 10.3.1.1/24 description "customer green" member { interface eth6 { } interface vxlan4000 { } } vrf green } dummy dum0 { address 172.29.255.1/32 } ethernet eth0 { address 192.0.2.59/27 address 2001:db8:ffff::59/64 - description "out-of-band management" + description "Out-of-Band Managament Port" vrf mgmt } ethernet eth1 { address 172.29.0.2/31 description "link to pe2" mtu 1600 } ethernet eth2 { disable } ethernet eth3 { address 172.29.0.6/31 description "link to pe3" mtu 1600 } ethernet eth4 { description "customer blue" } ethernet eth5 { description "customer red" } ethernet eth6 { description "customer green" } loopback lo { } vxlan vxlan2000 { mtu 1500 parameters { nolearning } port 4789 source-address 172.29.255.1 vni 2000 } vxlan vxlan3000 { mtu 1500 parameters { nolearning } port 4789 source-address 172.29.255.1 vni 3000 } vxlan vxlan4000 { mtu 1500 parameters { nolearning } port 4789 source-address 172.29.255.1 vni 4000 } } protocols { bgp { address-family { l2vpn-evpn { advertise { ipv4 { unicast { } } } advertise-all-vni } } local-as 100 neighbor 172.29.255.2 { peer-group ibgp } neighbor 172.29.255.3 { peer-group ibgp } parameters { default { no-ipv4-unicast } log-neighbor-changes router-id 172.29.255.1 } peer-group ibgp { address-family { l2vpn-evpn { } } remote-as 100 update-source dum0 } } ospf { area 0 { network 172.29.0.2/31 network 172.29.0.6/31 } interface eth1 { network point-to-point } interface eth3 { network point-to-point } log-adjacency-changes { detail } parameters { abr-type cisco router-id 172.29.255.1 } passive-interface default passive-interface-exclude eth1 passive-interface-exclude eth3 redistribute { connected { } } } } service 
{ lldp { interface all { } } ssh { disable-host-validation port 22 vrf mgmt } } system { config-management { commit-revisions 100 } console { device ttyS0 { speed 115200 } } domain-name vyos.net host-name vyos login { user vyos { authentication { encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0 plaintext-password "" } } } name-server 192.0.2.251 name-server 192.0.2.252 name-server 2001:db8::1 ntp { listen-address 192.0.2.59 listen-address 2001:db8:ffff::59 server 192.0.2.251 { } server 192.0.2.252 { } server 2001:db8::251 { } server 2001:db8::252 { } vrf mgmt } syslog { global { facility all { level info } facility protocols { level debug } } } } vrf { name blue { protocols { bgp { address-family { ipv4-unicast { redistribute { connected { } } } l2vpn-evpn { advertise { ipv4 { unicast { } } } } } local-as 100 } } table 2000 vni 2000 } name green { protocols { bgp { address-family { ipv4-unicast { redistribute { connected { } } } l2vpn-evpn { advertise { ipv4 { unicast { } } } } } local-as 100 } } table 4000 vni 4000 } name mgmt { protocols { static { route 0.0.0.0/0 { next-hop 192.0.2.62 { } } route6 ::/0 { next-hop 2001:db8:ffff::1 { } } } } table 1000 } name red { protocols { bgp { address-family { ipv4-unicast { redistribute { connected { } } } l2vpn-evpn { advertise { ipv4 { unicast { } } } } } local-as 100 } } table 3000 vni 3000 } } // Warning: Do not remove the following line. // vyos-config-version: "bgp@1:broadcast-relay@1:cluster@1:config-management@1:conntrack@2:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@20:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:nat66@1:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@9:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrf@2:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1" // Release version: 1.4-rolling-202104091411 
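Review bot: The reworded eth0 description introduces a spelling error: `description "Out-of-Band Managament Port"` should read `description "Out-of-Band Management Port"`. The line it replaces spelled the word correctly, so this looks like an accidental typo from the rewording rather than an intentional value. Because this fixture is loaded and re-rendered by the smoketest harness, the misspelling would be carried into whatever output is compared against it instead of being caught later.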
diff --git a/smoketest/configs/bgp-rpki b/smoketest/configs/bgp-rpki index dffab4c69..5588f15c9 100644 --- a/smoketest/configs/bgp-rpki +++ b/smoketest/configs/bgp-rpki @@ -1,123 +1,124 @@ interfaces { ethernet eth0 { address 192.0.2.100/25 address 2001:db8::ffff/64 } ethernet eth1 { + address 100.64.0.1/24 } loopback lo { } } policy { route-map ebgp-transit-rpki { rule 10 { action deny match { rpki invalid } } rule 20 { action permit match { rpki notfound } set { local-preference 20 } } rule 30 { action permit match { rpki valid } set { local-preference 100 } } rule 40 { action permit set { extcommunity-rt 192.0.2.100:100 extcommunity-soo 64500:100 } } } } protocols { bgp 64500 { neighbor 1.2.3.4 { address-family { ipv4-unicast { nexthop-self { } route-map { import ebgp-transit-rpki } } } remote-as 10 } } rpki { cache routinator { address 192.0.2.10 port 3323 } } static { route 0.0.0.0/0 { next-hop 192.0.2.1 { } } route6 ::/0 { next-hop 2001:db8::1 { } } } } service { ssh { } } system { config-management { commit-revisions 100 } console { device ttyS0 { speed 115200 } } host-name vyos login { user vyos { authentication { encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ plaintext-password "" } } } ntp { server 0.pool.ntp.org { } server 1.pool.ntp.org { } server 2.pool.ntp.org { } } syslog { global { facility all { level info } facility protocols { level debug } } } } // Warning: Do not remove the following line. // vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" // Release version: 1.3-rolling-202010241631 
diff --git a/smoketest/configs/isis-small b/smoketest/configs/isis-small
index 5a4201988..79a2f042f 100644
--- a/smoketest/configs/isis-small
+++ b/smoketest/configs/isis-small
@@ -1,103 +1,130 @@ interfaces { dummy dum0 { address 203.0.113.1/24 } ethernet eth0 { duplex auto + offload { + sg + tso + } speed auto } ethernet eth1 { address 192.0.2.1/24 duplex auto + offload { + sg + tso + } speed auto } ethernet eth2 { duplex auto + offload { + sg + tso + } speed auto } ethernet eth3 { duplex auto + offload { + sg + tso + } speed auto } } policy { prefix-list EXPORT-ISIS { rule 10 { action permit prefix 203.0.113.0/24 } } route-map EXPORT-ISIS { rule 10 { action permit match { ip { address { prefix-list EXPORT-ISIS } } } } } } protocols { - isis FOO { + isis { interface eth1 { - bfd + bfd } net 49.0001.1921.6800.1002.00 redistribute { ipv4 { connected { level-2 { route-map EXPORT-ISIS } } } } } } system { config-management { commit-revisions 200 } + conntrack { + modules { + ftp + h323 + nfs + pptp + sip + sqlnet + tftp + } + } console { device ttyS0 { speed 115200 } } domain-name vyos.io host-name vyos login { user vyos { authentication { encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ plaintext-password "" } } } ntp { - server 0.pool.ntp.org { + server time1.vyos.net { } - server 1.pool.ntp.org { + server time2.vyos.net { } - server 2.pool.ntp.org { + server time3.vyos.net { } } syslog { global { facility all { level info } facility protocols { level debug } } } time-zone Europe/Berlin } // Warning: Do not remove the following line. 
-// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@7:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
-// Release version: 1.3.0-rc1
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3.0
diff --git a/smoketest/configs/pppoe-server b/smoketest/configs/pppoe-server
index ff5815e29..a01a45115 100644
--- a/smoketest/configs/pppoe-server
+++ b/smoketest/configs/pppoe-server
@@ -1,101 +1,105 @@ interfaces { ethernet eth0 { address dhcp } ethernet eth1 { address 192.168.0.1/24 + speed auto + duplex auto } ethernet eth2 { + speed auto + duplex auto } loopback lo { } } nat { source { rule 100 { outbound-interface eth0 source { address 192.168.0.0/24 } translation { address masquerade } } } } service { pppoe-server { access-concentrator ACN authentication { local-users { username foo { password bar rate-limit { download 20480 upload 10240 } } } mode local } client-ip-pool { subnet 10.0.0.0/24 subnet 10.0.1.0/24 subnet 10.0.2.0/24 } gateway-address 192.168.0.2 interface eth1 { } interface eth2 { vlan-id 10 vlan-id 20 vlan-range 30-40 vlan-range 50-60 } name-server 192.168.0.1 } ssh { } } system { config-management { commit-revisions 100 } console { device ttyS0 { speed 115200 } } host-name vyos login { user vyos { authentication { encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0 plaintext-password "" } } } ntp { server 0.pool.ntp.org { } server 1.pool.ntp.org { } server 2.pool.ntp.org { } } syslog { global { facility all { level info } facility protocols { level debug } } } } // Warning: Do not remove the following line. // vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" // Release version: 1.3-rolling-202010260127 diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index a2e426dc7..dcce229e2 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py 
@@ -1,268 +1,268 @@ #!/usr/bin/env python3 # # Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSessionError from vyos.template import ip_from_cidr from vyos.utils.process import process_named_running from vyos.utils.file import read_file OCSERV_CONF = '/run/ocserv/ocserv.conf' base_path = ['vpn', 'openconnect'] pki_path = ['pki'] cert_name = 'OCServ' cert_data = """ MIIDsTCCApmgAwIBAgIURNQMaYmRIP/d+/OPWPWmuwkYHbswDQYJKoZIhvcNAQEL BQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y NDA0MDIxNjQxMTRaFw0yNTA0MDIxNjQxMTRaMFcxCzAJBgNVBAYTAkdCMRMwEQYD VQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5 T1MxEDAOBgNVBAMMB3Z5b3MuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDFeexWVV70fBLOxGofWYlcNxJ9JyLviAZZDXrBIYfQnSrYp51yMKRPTH1e Sjr7gIxVArAqLoYFgo7frRDkCKg8/izTopxtBTV2XJkLqDGA7DOrtBhgj0zjmF0A WWIWi83WHc+sTHSvIqNLCDAZgnnzf1ch3W/na10hBTnFX4Yv6CJ4I7doSIyWzaQr RvUXfaNYnvege+RrG5LzkVGxD2EhHyBqfQ2mxvlgqICqKSZkL56a3c/MHAm+7MKl 2KbSGxwNDs+SpHrCgWVIsl9w0bN2NSAu6GzyfW7V+V1dkiCggLlxXGhGncPMiQ7T M7GKQULnQl5o/15GkW72Tg6wUdDpAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYD VR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBTtil1X c6dXA6kxZtZCgjx9QPzeLDAfBgNVHSMEGDAWgBTKMZvYAW1thn/uxX1fpcbP5vKq 
dzANBgkqhkiG9w0BAQsFAAOCAQEARjS+QYJDz+XTdwK/lMF1GhSdacGnOIWRsbRx N7odsyBV7Ud5W+Py79n+/PRirw2+jAaGXFmmgdxrcjlM+dZnlO3X0QCIuNdODggD 0J/u1ICPdm9TcJ2lEdbIE2vm2Q9P5RdQ7En7zg8Wu+rcNPlIxd3pHFOMX79vOcgi RkWWII6tyeeT9COYgXUbg37wf2LkVv4b5PcShrfkWZVFWKDKr1maJ+iMwcIlosOe Gj3SKe7gKBuPbMRwtocqKAYbW1GH12tA49DNkvxVKxVqnP4nHkwgfOJdpcZAjlyb gLkzVKInZwg5EvJ7qtSJirDap9jyuLTfr5TmxbcdEhmAqeS41A== """ cert_key_data = """ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFeexWVV70fBLO xGofWYlcNxJ9JyLviAZZDXrBIYfQnSrYp51yMKRPTH1eSjr7gIxVArAqLoYFgo7f rRDkCKg8/izTopxtBTV2XJkLqDGA7DOrtBhgj0zjmF0AWWIWi83WHc+sTHSvIqNL CDAZgnnzf1ch3W/na10hBTnFX4Yv6CJ4I7doSIyWzaQrRvUXfaNYnvege+RrG5Lz kVGxD2EhHyBqfQ2mxvlgqICqKSZkL56a3c/MHAm+7MKl2KbSGxwNDs+SpHrCgWVI sl9w0bN2NSAu6GzyfW7V+V1dkiCggLlxXGhGncPMiQ7TM7GKQULnQl5o/15GkW72 Tg6wUdDpAgMBAAECggEACbR8bHZv9GT/9EshNLQ3n3a8wQuCLd0fWWi5A90sKbun pj5/6uOVbP5DL7Xx4HgIrYmJyIZBI5aEg11Oi15vjOZ9o9MF4V0UVmJQ9TU0EEl2 H/X5uA54MWaaCiaFFGWU3UqEG8wldJFSZCFyt7Y6scBW3b0JFF7+6dyyDPoCWWqh cNR41Hv0T0eqfXGOXX1JcBlLbqy0QXXeFoLlxV3ouIgWgkKJk7u3vDWCVM/ofP0m /GyZYWCEA2JljEQZaVgtk1afFoamrjM4doMiirk+Tix4yGno94HLJdDUynqdLNAd ZdKunFVAJau17b1VVPyfgIvIaPRvSGQVQoXH6TuB2QKBgQD5LRYTxsd8WsOwlB2R SBYdzDff7c3VuNSAYTp7O2MqWrsoXm2MxLzEJLJUen+jQphL6ti/ObdrSOnKF2So SizYeJ1Irx4M4BPSdy/Yt3T/+e+Y4K7iQ7Pdvdc/dlZ5XuNHYzuA/F7Ft/9rhUy9 jSdQYANX+7h8vL7YrEjvhMMMZQKBgQDK4mG4D7XowLlBWv1fK4n/ErWvYSxH/X+A VVnLv4z4aZHyRS2nTfQnb8PKbHJ/65x9yZs8a+6HqE4CAH+0LfZuOI8qn9OksxPZ 7GuQk/FiVyGXtu18hzlfhzmb0ZTjAalZ5b68DOIhyZIHVketebhljXaB5bfwdIgt 7vTOfotANQKBgQCWiA5WVDgfgBXIjzJtmkcCKWV3+onnG4oFJLfXysDVzYpTkPhN mm0PcbvqHTcOwiSPeIkIvS15usrCM++zW1xMSlF6n5Bf5t8Svr5BBlPAcJW2ncYJ Gy2GQDHRPQRwvko/zkscWVpHyCieJCGAQc4GWHqspH2Hnd8Ntsc5K9NJoQKBgFR1 5/5rM+yghr7pdT9wbbNtg4tuZbPWmYTAg3Bp3vLvaB22pOnYbwMX6SdU/Fm6qVxI WMLPn+6Dp2337TICTGvYSemRvdb74hC/9ouquzuYUFjLg5Rq6vyU2+u9VUEnyOuu 1DePGXi9ZHh/d7mFSbmlKaesDWYh7StKJknsrmXdAoGBAOm+FnzryKkhIq/ELyT9 8v4wr0lxCcAP3nNb/P5ocv3m7hRLIkf4S9k/gAL+gE/OtdesomQKjOz7noLO+I2H 
rj6ZfC/lhPIRJ4XK5BqgqqH53Zcl/HDoaUjbpmyMvZVoQfUHLut8Y912R6mfm65z qXl1L7EdHTY+SdoThNJTpmWb """ ca_name = 'VyOS-CA' ca_data = """ MIIDnTCCAoWgAwIBAgIUFVRURZXSbQ7F0DiSZYfqY0gQORMwDQYJKoZIhvcNAQEL BQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y NDA0MDIxNjQxMDFaFw0yOTA0MDExNjQxMDFaMFcxCzAJBgNVBAYTAkdCMRMwEQYD VQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5 T1MxEDAOBgNVBAMMB3Z5b3MuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCg7Mjl6+rs8Bdkjqgl2QDuHfrH2mTDCeB7WuNTnIz0BPDtlmwIdqhU7LdC B/zUSABAa6LBe/Z/bKWCRKyq8fU2/4uWECe975IMXOfFdYT6KA78DROvOi32JZml n0LAXV+538eb+g19xNtoBhPO8igiNevfkV+nJehRK/41ATj+assTOv87vaSX7Wqy aP/ZqkIdQD9Kc3cqB4JsYjkWcniHL9yk4oY3cjKK8PJ1pi4FqgFHt2hA+Ic+NvbA hc47K9otP8FM4jkSii3MZfHA6Czb43BtbR+YEiWPzBhzE2bCuIgeRUumMF1Z+CAT 6U7Cpx3XPh+Ac2RnDa8wKeQ1eqE1AgMBAAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8w DgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAd BgNVHQ4EFgQUyjGb2AFtbYZ/7sV9X6XGz+byqncwDQYJKoZIhvcNAQELBQADggEB AArGXCq92vtaUZt528lC34ENPL9bQ7nRAS/ojplAzM9reW3o56sfYWf1M8iwRsJT LbAwSnVB929RLlDolNpLwpzd1XaMt61Zcx4MFQmQCd+40dfuvMhluZaxt+F9bC1Z cA7uwe/2HrAIULq3sga9LzSph6dNuyd1rGchr4xHCJ7u4WcF0kqi0Hjcn9S/ppEc ba2L3rRqZmCbe6Yngx+MS06jonGw0z8F6e8LMkcvJUlNMEC76P+5Byjp4xZGP+y3 DtIfsfijpb+t1OUe75YmWflTFnHR9GlybNYTxGAl49mFw6LlS1kefXyPtfuReLmv n+vZdJAWTq76zAPT3n9FClo= """ ca_key_data = """ - MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCg7Mjl6+rs8Bd - kjqgl2QDuHfrH2mTDCeB7WuNTnIz0BPDtlmwIdqhU7LdCB/zUSABAa6LBe/Z/bK - WCRKyq8fU2/4uWECe975IMXOfFdYT6KA78DROvOi32JZmln0LAXV+538eb+g19x - NtoBhPO8igiNevfkV+nJehRK/41ATj+assTOv87vaSX7WqyaP/ZqkIdQD9Kc3cq - B4JsYjkWcniHL9yk4oY3cjKK8PJ1pi4FqgFHt2hA+Ic+NvbAhc47K9otP8FM4jk - Sii3MZfHA6Czb43BtbR+YEiWPzBhzE2bCuIgeRUumMF1Z+CAT6U7Cpx3XPh+Ac2 - RnDa8wKeQ1eqE1AgMBAAECggEAEDDaoqVqmMWsONoQiWRMr2h1RZvPxP7OpuKVW - iF3XgrMOb9HZc+Ybpj1dC+NDMekvNaHhMuF2Lqz6UgjDjzzVMH/x4yfDwFWUqeb - 
SxbglvGmVk4zg48JNkmArLT6GJQccD1XXjZZmqSOhagM4KalCpIdxfvgoZbTCa2 - xMSCLHS+1HCDcmpCoeXM6ZBPTn0NbjRDAqIzCwcq2veG7RSz040obk8h7nrdv7j - hxRGmtPmPFzKgGLNn6GnL7AwYVMiidjj/ntvM4B1OMs9MwUYbtpg98TWcWyu+ZR - akUrnVf9z2aIHCKyuJvke/PNqMgw+L8KV4/478XxWhXfl7K1F3nMQKBgQDRBUDY - NFH0wC4MMWsA+RGwyz7RlzACChDJCMtA/agbW06gUoE9UYf8KtLQQQYljlLJHxH - GD72QnuM+sowGGXnbD4BabA9TQiQUG5c6boznTy1uU1gt8T0Zl0mmC7vIMoMBVd - 5bb0qrZvuR123kDGYn6crug9uvMIYSSlhGmBGTJQKBgQDFGC3vfkCyXzLoYy+RI - s/rXgyBF1PUYQtyDgL0N811L0H7a8JhFnt4FvodUbxv2ob+1kIc9e3yXT6FsGyO - 7IDOnqgeQKy74bYqVPZZuf1FOFb9fuxf00pn1FmhAF4OuSWkhVhrKkyrZwdD8Ar - jLK253J94dogjdKAYfN1csaOA0QKBgD0zUZI8d4a3QoRVb+RACTr/t6v8nZTrR5 - DlX0XvP2qLKJFutuKyXaOrEkDh2R/j9T9oNncMos+WhikUdEVQ7koC1u0i2LXjF - tdAYN4+Akmz+DRmeNoy2VYF4w2YP+pVR+B7OPkCtBVNuPkx3743Fy42mTGPMCKy - jX8Lf59j5Tl1AoGBAI3sk2dZqozHMIlWovIH92CtIKP0gFD2cJ94p3fklvZDSWg - aeKYg4lffc8uZB/AjlAH9ly3ziZx0uIjcOc/RTg96/+SI/dls9xgUhjCmVVJ692 - ki9GMsau/JYaEl+pTvjcOiocDJfNwQHJM3Tx+3FII59DtyXyXo3T/E6kHNSMeBA - oGAR9M48DTspv9OH1S7X6yR6MtMY5ltsBmB3gPhQFxiDKBvARkIkAPqObQ9TG/V - uOz2Purq0Oz7SHsY2jiFDd2KEGo6JfG61NDdIhiQC99ztSgt7NtvSCnX22SfVDW - oFxSK+tek7tvDVXAXCNy4ZESMEUGJ6NDHImb80aF+xZ3wYKw= +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCg7Mjl6+rs8Bdk +jqgl2QDuHfrH2mTDCeB7WuNTnIz0BPDtlmwIdqhU7LdCB/zUSABAa6LBe/Z/bKWC +RKyq8fU2/4uWECe975IMXOfFdYT6KA78DROvOi32JZmln0LAXV+538eb+g19xNto +BhPO8igiNevfkV+nJehRK/41ATj+assTOv87vaSX7WqyaP/ZqkIdQD9Kc3cqB4Js +YjkWcniHL9yk4oY3cjKK8PJ1pi4FqgFHt2hA+Ic+NvbAhc47K9otP8FM4jkSii3M +ZfHA6Czb43BtbR+YEiWPzBhzE2bCuIgeRUumMF1Z+CAT6U7Cpx3XPh+Ac2RnDa8w +KeQ1eqE1AgMBAAECggEAEDDaoqVqmMWsONoQiWRMr2h1RZvPxP7OpuKVWiF3XgrM +Ob9HZc+Ybpj1dC+NDMekvNaHhMuF2Lqz6UgjDjzzVMH/x4yfDwFWUqebSxbglvGm +Vk4zg48JNkmArLT6GJQccD1XXjZZmqSOhagM4KalCpIdxfvgoZbTCa2xMSCLHS+1 +HCDcmpCoeXM6ZBPTn0NbjRDAqIzCwcq2veG7RSz040obk8h7nrdv7jhxRGmtPmPF +zKgGLNn6GnL7AwYVMiidjj/ntvM4B1OMs9MwUYbtpg98TWcWyu+ZRakUrnVf9z2a +IHCKyuJvke/PNqMgw+L8KV4/478XxWhXfl7K1F3nMQKBgQDRBUDYNFH0wC4MMWsA 
++RGwyz7RlzACChDJCMtA/agbW06gUoE9UYf8KtLQQQYljlLJHxHGD72QnuM+sowG +GXnbD4BabA9TQiQUG5c6boznTy1uU1gt8T0Zl0mmC7vIMoMBVd5bb0qrZvuR123k +DGYn6crug9uvMIYSSlhGmBGTJQKBgQDFGC3vfkCyXzLoYy+RIs/rXgyBF1PUYQty +DgL0N811L0H7a8JhFnt4FvodUbxv2ob+1kIc9e3yXT6FsGyO7IDOnqgeQKy74bYq +VPZZuf1FOFb9fuxf00pn1FmhAF4OuSWkhVhrKkyrZwdD8ArjLK253J94dogjdKAY +fN1csaOA0QKBgD0zUZI8d4a3QoRVb+RACTr/t6v8nZTrR5DlX0XvP2qLKJFutuKy +XaOrEkDh2R/j9T9oNncMos+WhikUdEVQ7koC1u0i2LXjFtdAYN4+Akmz+DRmeNoy +2VYF4w2YP+pVR+B7OPkCtBVNuPkx3743Fy42mTGPMCKyjX8Lf59j5Tl1AoGBAI3s +k2dZqozHMIlWovIH92CtIKP0gFD2cJ94p3fklvZDSWgaeKYg4lffc8uZB/AjlAH9 +ly3ziZx0uIjcOc/RTg96/+SI/dls9xgUhjCmVVJ692ki9GMsau/JYaEl+pTvjcOi +ocDJfNwQHJM3Tx+3FII59DtyXyXo3T/E6kHNSMeBAoGAR9M48DTspv9OH1S7X6yR +6MtMY5ltsBmB3gPhQFxiDKBvARkIkAPqObQ9TG/VuOz2Purq0Oz7SHsY2jiFDd2K +EGo6JfG61NDdIhiQC99ztSgt7NtvSCnX22SfVDWoFxSK+tek7tvDVXAXCNy4ZESM +EUGJ6NDHImb80aF+xZ3wYKw= """ PROCESS_NAME = 'ocserv-main' config_file = '/run/ocserv/ocserv.conf' auth_file = '/run/ocserv/ocpasswd' otp_file = '/run/ocserv/users.oath' listen_if = 'dum116' listen_address = '100.64.0.1/32' class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): super(TestVPNOpenConnect, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) cls.cli_delete(cls, base_path) cls.cli_set(cls, ['interfaces', 'dummy', listen_if, 'address', listen_address]) cls.cli_set(cls, pki_path + ['ca', cert_name, 'certificate', ca_data.replace('\n','')]) cls.cli_set(cls, pki_path + ['ca', cert_name, 'private', 'key', ca_key_data.replace('\n','')]) cls.cli_set(cls, pki_path + ['certificate', cert_name, 'certificate', cert_data.replace('\n','')]) cls.cli_set(cls, pki_path + ['certificate', cert_name, 'private', 'key', cert_key_data.replace('\n','')]) @classmethod def tearDownClass(cls): cls.cli_delete(cls, pki_path) cls.cli_delete(cls, ['interfaces', 'dummy', listen_if]) super(TestVPNOpenConnect, cls).tearDownClass() def 
tearDown(self): self.assertTrue(process_named_running(PROCESS_NAME)) self.cli_delete(base_path) self.cli_commit() self.assertFalse(process_named_running(PROCESS_NAME)) def test_ocserv(self): user = 'vyos_user' password = 'vyos_pass' otp = '37500000026900000000200000000000' v4_subnet = '192.0.2.0/24' v6_prefix = '2001:db8:1000::/64' v6_len = '126' name_server = ['1.2.3.4', '1.2.3.5', '2001:db8::1'] split_dns = ['vyos.net', 'vyos.io'] self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password]) self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'otp', 'key', otp]) self.cli_set(base_path + ['authentication', 'mode', 'local', 'password-otp']) self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', v4_subnet]) self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'prefix', v6_prefix]) self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'mask', v6_len]) for ns in name_server: self.cli_set(base_path + ['network-settings', 'name-server', ns]) for domain in split_dns: self.cli_set(base_path + ['network-settings', 'split-dns', domain]) # SSL certificates are mandatory with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(base_path + ['ssl', 'ca-certificate', cert_name]) self.cli_set(base_path + ['ssl', 'certificate', cert_name]) listen_ip_no_cidr = ip_from_cidr(listen_address) self.cli_set(base_path + ['listen-address', listen_ip_no_cidr]) self.cli_commit() # Verify configuration daemon_config = read_file(config_file) # Verify TLS string (with default setting) self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"', daemon_config) # authentication mode local password-otp self.assertIn(f'auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"', daemon_config) self.assertIn(f'listen-host = {listen_ip_no_cidr}', daemon_config) self.assertIn(f'ipv4-network = 
{v4_subnet}', daemon_config) self.assertIn(f'ipv6-network = {v6_prefix}', daemon_config) self.assertIn(f'ipv6-subnet-prefix = {v6_len}', daemon_config) # defaults self.assertIn(f'tcp-port = 443', daemon_config) self.assertIn(f'udp-port = 443', daemon_config) for ns in name_server: self.assertIn(f'dns = {ns}', daemon_config) for domain in split_dns: self.assertIn(f'split-dns = {domain}', daemon_config) auth_config = read_file(auth_file) self.assertIn(f'{user}:*:$', auth_config) otp_config = read_file(otp_file) self.assertIn(f'HOTP/T30/6 {user} - {otp}', otp_config) # Verify HTTP security headers self.cli_set(base_path + ['http-security-headers']) self.cli_commit() daemon_config = read_file(config_file) self.assertIn('included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains', daemon_config) self.assertIn('included-http-headers = X-Frame-Options: deny', daemon_config) self.assertIn('included-http-headers = X-Content-Type-Options: nosniff', daemon_config) self.assertIn('included-http-headers = Content-Security-Policy: default-src "none"', daemon_config) self.assertIn('included-http-headers = X-Permitted-Cross-Domain-Policies: none', daemon_config) self.assertIn('included-http-headers = Referrer-Policy: no-referrer', daemon_config) self.assertIn('included-http-headers = Clear-Site-Data: "cache","cookies","storage"', daemon_config) self.assertIn('included-http-headers = Cross-Origin-Embedder-Policy: require-corp', daemon_config) self.assertIn('included-http-headers = Cross-Origin-Opener-Policy: same-origin', daemon_config) self.assertIn('included-http-headers = Cross-Origin-Resource-Policy: same-origin', daemon_config) self.assertIn('included-http-headers = X-XSS-Protection: 0', daemon_config) self.assertIn('included-http-headers = Pragma: no-cache', daemon_config) self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config) # Set TLS version to the highest security (v1.3 min) self.cli_set(base_path + 
['tls-version-min', '1.3']) self.cli_commit() # Verify TLS string daemon_config = read_file(config_file) self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"', daemon_config)
 if __name__ == '__main__': unittest.main(verbosity=2)
diff --git a/src/tests/helper.py b/src/tests/helper.py
index f7033148a..cc0710494 100644
--- a/src/tests/helper.py
+++ b/src/tests/helper.py
@@ -1,24 +1,22 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018 VyOS maintainers and contributors
+# Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import sys
 import importlib.util
 def prepare_module(file_path='', module_name=''):
 spec = importlib.util.spec_from_file_location(module_name, file_path) module = importlib.util.module_from_spec(spec) spec.loader.exec_module(module) sys.modules[module_name] = module
diff --git a/src/tests/test_config_diff.py b/src/tests/test_config_diff.py
index 61a2f3487..39e17613a 100644
--- a/src/tests/test_config_diff.py
+++ b/src/tests/test_config_diff.py
@@ -1,69 +1,67 @@
-#!/usr/bin/env python3
-#
 # Copyright (C) 2023-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import vyos.configtree
 from unittest import TestCase
 class TestConfigDiff(TestCase):
 def setUp(self): with open('tests/data/config.left', 'r') as f: config_string = f.read() self.config_left = vyos.configtree.ConfigTree(config_string) with open('tests/data/config.right', 'r') as f: config_string = f.read() self.config_right = vyos.configtree.ConfigTree(config_string) self.config_null = vyos.configtree.ConfigTree('') def test_unit(self): diff = vyos.configtree.DiffTree(self.config_left, self.config_null) sub = diff.sub self.assertEqual(sub.to_string(), self.config_left.to_string()) diff = vyos.configtree.DiffTree(self.config_null, self.config_left) add = diff.add self.assertEqual(add.to_string(), self.config_left.to_string()) def test_symmetry(self): lr_diff = vyos.configtree.DiffTree(self.config_left, self.config_right) rl_diff = vyos.configtree.DiffTree(self.config_right, self.config_left) sub = lr_diff.sub add = rl_diff.add self.assertEqual(sub.to_string(), add.to_string()) add = lr_diff.add sub = rl_diff.sub self.assertEqual(add.to_string(), sub.to_string()) def test_identity(self): lr_diff = vyos.configtree.DiffTree(self.config_left, self.config_right) sub = lr_diff.sub inter = lr_diff.inter add = lr_diff.add r_union = vyos.configtree.union(add, inter) l_union = vyos.configtree.union(sub,
inter) self.assertEqual(r_union.to_string(), self.config_right.to_string(ordered_values=True)) self.assertEqual(l_union.to_string(), self.config_left.to_string(ordered_values=True))
diff --git a/src/tests/test_config_parser.py b/src/tests/test_config_parser.py
index c69732daa..9a4f02859 100644
--- a/src/tests/test_config_parser.py
+++ b/src/tests/test_config_parser.py
@@ -1,55 +1,53 @@
-#!/usr/bin/env python3
-#
 # Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import vyos.configtree
 from unittest import TestCase
 class TestConfigParser(TestCase):
 def setUp(self): with open('tests/data/config.valid', 'r') as f: config_string = f.read() self.config = vyos.configtree.ConfigTree(config_string) def test_top_level_valueless(self): self.assertTrue(self.config.exists(["top-level-valueless-node"])) def test_top_level_leaf(self): self.assertTrue(self.config.exists(["top-level-leaf-node"])) self.assertEqual(self.config.return_value(["top-level-leaf-node"]), "foo") def test_top_level_tag(self): self.assertTrue(self.config.exists(["top-level-tag-node"])) # Sorting is now intentional, during parsing of config self.assertEqual(self.config.list_nodes(["top-level-tag-node"]), ["bar", "foo"]) def test_copy(self): self.config.copy(["top-level-tag-node", "bar"], ["top-level-tag-node", "baz"]) print(self.config.to_string()) self.assertTrue(self.config.exists(["top-level-tag-node", "baz"])) def test_copy_duplicate(self): with self.assertRaises(vyos.configtree.ConfigTreeError): self.config.copy(["top-level-tag-node", "foo"], ["top-level-tag-node", "bar"]) def test_rename(self): self.config.rename(["top-level-tag-node", "bar"], "quux") print(self.config.to_string()) self.assertTrue(self.config.exists(["top-level-tag-node", "quux"])) def test_rename_duplicate(self): with
self.assertRaises(vyos.configtree.ConfigTreeError): self.config.rename(["top-level-tag-node", "foo"], "bar")
diff --git a/smoketest/scripts/cli/test_configd_inspect.py b/src/tests/test_configd_inspect.py
old mode 100755
new mode 100644
similarity index 90%
rename from smoketest/scripts/cli/test_configd_inspect.py
rename to src/tests/test_configd_inspect.py
index af46c6148..98552c8f3
--- a/smoketest/scripts/cli/test_configd_inspect.py
+++ b/src/tests/test_configd_inspect.py
@@ -1,110 +1,105 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import os
 import re
 import json
-import unittest
+
 import warnings
 import importlib.util
-from inspect import signature, getsource
+from inspect import signature
+from inspect import getsource
 from functools import wraps
+from unittest import TestCase
-from vyos.defaults import directories
-
-INC_FILE = '/usr/share/vyos/configd-include.json'
-CONF_DIR = directories['conf_mode']
+INC_FILE = 'data/configd-include.json'
+CONF_DIR = 'src/conf_mode'
 f_list = ['get_config', 'verify', 'generate', 'apply']
 def import_script(s):
 path = os.path.join(CONF_DIR, s) name = os.path.splitext(s)[0].replace('-', '_') spec = importlib.util.spec_from_file_location(name, path) module = importlib.util.module_from_spec(spec) spec.loader.exec_module(module) return module
 # importing conf_mode scripts imports jinja2 with deprecation warning
 def ignore_deprecation_warning(f):
 @wraps(f) def decorated_function(*args, **kwargs): with warnings.catch_warnings(): warnings.simplefilter("ignore") f(*args, **kwargs) return decorated_function
-class TestConfigdInclude(unittest.TestCase):
+class TestConfigdInspect(TestCase):
 def setUp(self): with open(INC_FILE) as f: self.inc_list = json.load(f) @ignore_deprecation_warning def test_signatures(self): for s in self.inc_list:
m = import_script(s) for i in f_list: f = getattr(m, i, None) if not f: continue sig = signature(f) par = sig.parameters l = len(par) self.assertEqual(l, 1, f"'{s}': '{i}' incorrect signature") if i == 'get_config': for p in par.values(): self.assertTrue(p.default is None, f"'{s}': '{i}' incorrect signature") @ignore_deprecation_warning def test_function_instance(self): for s in self.inc_list: m = import_script(s) for i in f_list: f = getattr(m, i, None) if not f: continue str_f = getsource(f) # Regex not XXXConfig() T3108 n = len(re.findall(r'[^a-zA-Z]Config\(\)', str_f)) if i == 'get_config': self.assertEqual(n, 1, f"'{s}': '{i}' no instance of Config") if i != 'get_config': self.assertEqual(n, 0, f"'{s}': '{i}' instance of Config") @ignore_deprecation_warning def test_file_instance(self): for s in self.inc_list: m = import_script(s) str_m = getsource(m) # Regex not XXXConfig T3108 n = len(re.findall(r'[^a-zA-Z]Config\(\)', str_m)) self.assertEqual(n, 1, f"'{s}' more than one instance of Config") @ignore_deprecation_warning def test_config_modification(self): for s in self.inc_list: m = import_script(s) str_m = getsource(m) n = str_m.count('my_set') self.assertEqual(n, 0, f"'{s}' modifies config")
-
-if __name__ == '__main__':
- unittest.main(verbosity=2)
diff --git a/src/tests/test_configverify.py b/src/tests/test_configverify.py
index 15ccdf13d..f1ec65cd2 100644
--- a/src/tests/test_configverify.py
+++ b/src/tests/test_configverify.py
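Review bot: `INC_FILE = 'data/configd-include.json'` and `CONF_DIR = 'src/conf_mode'` are resolved against the process working directory, so the relocated test only finds its inputs when the runner is started from the repository root and raises FileNotFoundError from setUp anywhere else. test_dependency_graph.py in this same commit anchors its data directory to the module location; the same pattern here would be `_here = os.path.dirname(__file__)`, `INC_FILE = os.path.join(_here, '../../data/configd-include.json')` and `CONF_DIR = os.path.join(_here, '../../src/conf_mode')`, which keeps the test runnable from any cwd. The lone `+` blank line left where `import unittest` was removed splits the import group in two; dropping it keeps the block contiguous.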
@@ -1,33 +1,31 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from unittest import TestCase
 from vyos.configverify import verify_diffie_hellman_length
 from vyos.utils.process import cmd
 dh_file = '/tmp/dh.pem'
 class TestDictSearch(TestCase):
 def setUp(self): pass def test_dh_key_none(self): self.assertFalse(verify_diffie_hellman_length('/tmp/non_existing_file', '1024')) def test_dh_key_512(self): key_len = '512' cmd(f'openssl dhparam -out {dh_file} {key_len}') self.assertTrue(verify_diffie_hellman_length(dh_file, key_len))
diff --git a/src/tests/test_dependency_graph.py b/src/tests/test_dependency_graph.py
index f682e87bb..f3f1db376 100644
--- a/src/tests/test_dependency_graph.py
+++ b/src/tests/test_dependency_graph.py
@@ -1,31 +1,29 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2023 VyOS maintainers and contributors
+# Copyright (C) 2023-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import os
 from vyos.configdep import check_dependency_graph
 _here = os.path.dirname(__file__)
 ddir = os.path.join(_here, '../../data/config-mode-dependencies')
 from unittest import TestCase
 class TestDependencyGraph(TestCase):
 def setUp(self): pass def test_acyclic(self): res = check_dependency_graph(dependency_dir=ddir) self.assertTrue(res)
diff --git a/src/tests/test_dict_search.py b/src/tests/test_dict_search.py
index 2435d89c7..6b4bc933a 100644
--- a/src/tests/test_dict_search.py
+++ b/src/tests/test_dict_search.py
@@ -1,84 +1,82 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from unittest import TestCase
 from vyos.utils.dict import dict_search
 from vyos.utils.dict import dict_search_recursive
 data = { 'string': 'fooo', 'nested': {'string': 'bar', 'empty': '', 'list': ['foo', 'bar']}, 'non': {}, 'list': ['bar', 'baz'], 'dict': {'key_1': {}, 'key_2': 'vyos'}, 'interfaces': {'dummy': {'dum0': {'address': ['192.0.2.17/29']}}, 'ethernet': {'eth0': {'address': ['2001:db8::1/64', '192.0.2.1/29'], 'description': 'Test123', 'duplex': 'auto', 'hw_id': '00:00:00:00:00:01', 'speed': 'auto'}, 'eth1': {'address': ['192.0.2.9/29'], 'description': 'Test456', 'duplex': 'auto', 'hw_id': '00:00:00:00:00:02', 'speed': 'auto'}}} }
 class TestDictSearch(TestCase):
 def setUp(self): pass def test_non_existing_keys(self): # TestDictSearch: Return False when querying for non-existent key self.assertEqual(dict_search('non_existing', data), None) self.assertEqual(dict_search('non.existing.fancy.key', data), None) def test_string(self): # TestDictSearch: Return value when querying string self.assertEqual(dict_search('string', data), data['string']) def test_list(self): # TestDictSearch: Return list items when querying list self.assertEqual(dict_search('list', data), data['list']) def test_dict_key_value(self): # TestDictSearch: Return
dictionary keys value when value is present self.assertEqual(dict_search('dict.key_2', data), data['dict']['key_2']) def test_nested_dict_key_value(self): # TestDictSearch: Return string value of last key when querying for a nested string self.assertEqual(dict_search('nested.string', data), data['nested']['string']) def test_nested_dict_key_empty(self): # TestDictSearch: Return False when querying for a nested string whose last key is empty self.assertEqual(dict_search('nested.empty', data), '') self.assertFalse(dict_search('nested.empty', data)) def test_nested_list(self): # TestDictSearch: Return list items when querying nested list self.assertEqual(dict_search('nested.list', data), data['nested']['list']) def test_invalid_input(self): # TestDictSearch: Return list items when querying nested list self.assertEqual(dict_search('nested.list', None), None) self.assertEqual(dict_search(None, data), None) def test_dict_search_recursive(self): # Test nested search in dictionary tmp = list(dict_search_recursive(data, 'hw_id')) self.assertEqual(len(tmp), 2) tmp = list(dict_search_recursive(data, 'address')) self.assertEqual(len(tmp), 3)
diff --git a/src/tests/test_find_device_file.py b/src/tests/test_find_device_file.py
old mode 100755
new mode 100644
index f18043d65..21fc113f9
--- a/src/tests/test_find_device_file.py
+++ b/src/tests/test_find_device_file.py
@@ -1,35 +1,33 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from unittest import TestCase
 from vyos.utils.system import find_device_file
 class TestDeviceFile(TestCase):
 """ used to find USB devices on target """ def setUp(self): pass def test_null(self): self.assertEqual(find_device_file('null'), '/dev/null') def test_zero(self): self.assertEqual(find_device_file('zero'), '/dev/zero') def test_input_event(self): self.assertEqual(find_device_file('event0'), '/dev/input/event0') def test_non_existing(self): self.assertFalse(find_device_file('vyos'))
diff --git a/src/tests/test_initial_setup.py b/src/tests/test_initial_setup.py
index f85bf1265..4cd5fb169 100644
--- a/src/tests/test_initial_setup.py
+++ b/src/tests/test_initial_setup.py
@@ -1,101 +1,99 @@
-#!/usr/bin/env python3
-#
 # Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import unittest
 import vyos.configtree
 import vyos.initialsetup as vis
 from unittest import TestCase
 from vyos.xml_ref import definition
 from vyos.xml_ref.pkg_cache.vyos_1x_cache import reference
 class TestInitialSetup(TestCase):
 def setUp(self): with open('tests/data/config.boot.default', 'r') as f: config_string = f.read() self.config = vyos.configtree.ConfigTree(config_string) self.xml = definition.Xml() self.xml.define(reference) def test_set_user_password(self): vis.set_user_password(self.config, 'vyos', 'vyosvyos') # Old password hash from the default config old_pw = '$6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/' new_pw = self.config.return_value(["system", "login", "user", "vyos", "authentication", "encrypted-password"]) # Just check it changed the hash, don't try to check if hash is good self.assertNotEqual(old_pw, new_pw) def test_disable_user_password(self): vis.disable_user_password(self.config, 'vyos') new_pw = self.config.return_value(["system", "login", "user", "vyos", "authentication", "encrypted-password"]) self.assertEqual(new_pw, '!') def test_set_ssh_key_with_name(self): test_ssh_key = " ssh-rsa fakedata vyos@vyos " vis.set_user_ssh_key(self.config, 'vyos', test_ssh_key) key_type = self.config.return_value(["system",
"login", "user", "vyos", "authentication", "public-keys", "vyos@vyos", "type"]) key_data = self.config.return_value(["system", "login", "user", "vyos", "authentication", "public-keys", "vyos@vyos", "key"]) self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_set_ssh_key_without_name(self): # If key file doesn't include a name, the function will use user name for the key name test_ssh_key = " ssh-rsa fakedata " vis.set_user_ssh_key(self.config, 'vyos', test_ssh_key) key_type = self.config.return_value(["system", "login", "user", "vyos", "authentication", "public-keys", "vyos", "type"]) key_data = self.config.return_value(["system", "login", "user", "vyos", "authentication", "public-keys", "vyos", "key"]) self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_create_user(self): vis.create_user(self.config, 'jrandomhacker', password='qwerty', key=" ssh-rsa fakedata jrandomhacker@foovax ") self.assertTrue(self.config.exists(["system", "login", "user", "jrandomhacker"])) self.assertTrue(self.config.exists(["system", "login", "user", "jrandomhacker", "authentication", "public-keys", "jrandomhacker@foovax"])) self.assertTrue(self.config.exists(["system", "login", "user", "jrandomhacker", "authentication", "encrypted-password"])) self.assertEqual(self.config.return_value(["system", "login", "user", "jrandomhacker", "level"]), "admin") def test_set_hostname(self): vis.set_host_name(self.config, "vyos-test") self.assertEqual(self.config.return_value(["system", "host-name"]), "vyos-test") def test_set_name_servers(self): vis.set_name_servers(self.config, ["192.0.2.10", "203.0.113.20"]) servers = self.config.return_values(["system", "name-server"]) self.assertIn("192.0.2.10", servers) 
self.assertIn("203.0.113.20", servers) def test_set_gateway(self): vis.set_default_gateway(self.config, '192.0.2.1') self.assertTrue(self.config.exists(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop', '192.0.2.1'])) self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route', '0.0.0.0/0', 'next-hop'])) self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route']))
 if __name__ == "__main__": unittest.main()
diff --git a/src/tests/test_op_mode.py b/src/tests/test_op_mode.py
index 90963b3c5..23f709653 100644
--- a/src/tests/test_op_mode.py
+++ b/src/tests/test_op_mode.py
@@ -1,65 +1,62 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2022 VyOS maintainers and contributors
+# Copyright (C) 2022-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from unittest import TestCase
 import vyos.opmode
 class TestVyOSOpMode(TestCase):
 def test_field_name_normalization(self): from vyos.opmode import _normalize_field_name self.assertEqual(_normalize_field_name(" foo bar "), "foo_bar") self.assertEqual(_normalize_field_name("foo-bar"), "foo_bar") self.assertEqual(_normalize_field_name("foo (bar) baz"), "foo_bar_baz") self.assertEqual(_normalize_field_name("load%"), "load_percentage") def test_dict_fields_normalization_non_unique(self): from vyos.opmode import _normalize_field_names # Space and dot are both replaced by an underscore, # so dicts like this cannor be normalized uniquely data = {"foo bar": True, "foo.bar": False} with self.assertRaises(vyos.opmode.InternalError): _normalize_field_names(data) def test_dict_fields_normalization_simple_dict(self): from vyos.opmode import _normalize_field_names data = {"foo bar": True, "Bar-Baz": False} self.assertEqual(_normalize_field_names(data), {"foo_bar": True, "bar_baz": False}) def test_dict_fields_normalization_nested_dict(self): from vyos.opmode import _normalize_field_names data = {"foo bar": True, "bar-baz": {"baz-quux": {"quux-xyzzy": False}}} self.assertEqual(_normalize_field_names(data), {"foo_bar": True, "bar_baz": {"baz_quux":
{"quux_xyzzy": False}}}) def test_dict_fields_normalization_mixed(self): from vyos.opmode import _normalize_field_names data = [{"foo bar": True, "bar-baz": [{"baz-quux": {"quux-xyzzy": [False]}}]}] self.assertEqual(_normalize_field_names(data), [{"foo_bar": True, "bar_baz": [{"baz_quux": {"quux_xyzzy": [False]}}]}]) def test_dict_fields_normalization_primitive(self): from vyos.opmode import _normalize_field_names data = [1, False, "foo"] self.assertEqual(_normalize_field_names(data), [1, False, "foo"])
-
diff --git a/src/tests/test_task_scheduler.py b/src/tests/test_task_scheduler.py
index 130f825e6..795ffeb9d 100644
--- a/src/tests/test_task_scheduler.py
+++ b/src/tests/test_task_scheduler.py
@@ -1,129 +1,127 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors +# Copyright (C) 2018-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os import tempfile import unittest import importlib from vyos import ConfigError try: task_scheduler = importlib.import_module("src.conf_mode.system_task-scheduler") except ModuleNotFoundError: # for unittest.main() import sys sys.path.append(os.path.join(os.path.dirname(__file__), '../..')) task_scheduler = importlib.import_module("src.conf_mode.system_task-scheduler") class TestUpdateCrontab(unittest.TestCase): def test_verify(self): tests = [ {'name': 'one_task', 'tasks': [{'name': 'aaa', 'interval': '60m', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': None }, {'name': 'has_interval_and_spec', 'tasks': [{'name': 'aaa', 'interval': '60m', 'spec': '0 * * * *', 'executable': '/bin/ls', 'args': '-l'}], 'expected': ConfigError }, {'name': 'has_no_interval_and_spec', 'tasks': [{'name': 'aaa', 'interval': '', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': ConfigError }, {'name': 'invalid_interval', 'tasks': [{'name': 'aaa', 'interval': '1y', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': ConfigError }, {'name': 'invalid_interval_min', 'tasks': [{'name': 'aaa', 'interval': '61m', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': ConfigError }, {'name': 
'invalid_interval_hour', 'tasks': [{'name': 'aaa', 'interval': '25h', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': ConfigError }, {'name': 'invalid_interval_day', 'tasks': [{'name': 'aaa', 'interval': '32d', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': ConfigError }, {'name': 'no_executable', 'tasks': [{'name': 'aaa', 'interval': '60m', 'spec': '', 'executable': '', 'args': ''}], 'expected': ConfigError }, {'name': 'invalid_executable', 'tasks': [{'name': 'aaa', 'interval': '60m', 'spec': '', 'executable': '/bin/aaa', 'args': ''}], 'expected': ConfigError } ] for t in tests: with self.subTest(msg=t['name'], tasks=t['tasks'], expected=t['expected']): if t['expected'] is not None: with self.assertRaises(t['expected']): task_scheduler.verify(t['tasks']) else: task_scheduler.verify(t['tasks']) def test_generate(self): tests = [ {'name': 'zero_task', 'tasks': [], 'expected': [] }, {'name': 'one_task', 'tasks': [{'name': 'aaa', 'interval': '60m', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': [ '### Generated by vyos-update-crontab.py ###', '*/60 * * * * root sg vyattacfg \"/bin/ls -l\"'] }, {'name': 'one_task_with_hour', 'tasks': [{'name': 'aaa', 'interval': '10h', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': [ '### Generated by vyos-update-crontab.py ###', '0 */10 * * * root sg vyattacfg \"/bin/ls -l\"'] }, {'name': 'one_task_with_day', 'tasks': [{'name': 'aaa', 'interval': '10d', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}], 'expected': [ '### Generated by vyos-update-crontab.py ###', '0 0 */10 * * root sg vyattacfg \"/bin/ls -l\"'] }, {'name': 'multiple_tasks', 'tasks': [{'name': 'aaa', 'interval': '60m', 'spec': '', 'executable': '/bin/ls', 'args': '-l'}, {'name': 'bbb', 'interval': '', 'spec': '0 0 * * *', 'executable': '/bin/ls', 'args': '-ltr'} ], 'expected': [ '### Generated by vyos-update-crontab.py ###', '*/60 * * * * root sg vyattacfg \"/bin/ls -l\"', '0 0 * * * root sg 
vyattacfg \"/bin/ls -ltr\"'] } ] for t in tests: with self.subTest(msg=t['name'], tasks=t['tasks'], expected=t['expected']): task_scheduler.crontab_file = tempfile.mkstemp()[1] task_scheduler.generate(t['tasks']) if len(t['expected']) > 0: self.assertTrue(os.path.isfile(task_scheduler.crontab_file)) with open(task_scheduler.crontab_file) as f: actual = f.read() self.assertEqual(t['expected'], actual.splitlines()) os.remove(task_scheduler.crontab_file) else: self.assertFalse(os.path.isfile(task_scheduler.crontab_file)) if __name__ == "__main__": unittest.main() diff --git a/src/tests/test_template.py b/src/tests/test_template.py index dbb86b40b..6377f6da5 100644 --- a/src/tests/test_template.py +++ b/src/tests/test_template.py 
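Review bot: `tempfile.mkstemp()[1]` in test_generate discards the open file descriptor that mkstemp returns, so each subTest leaks one descriptor; the temp file is also deleted only on the non-empty branch, and not at all when an assertion fails before `os.remove`. Use `fd, task_scheduler.crontab_file = tempfile.mkstemp()` followed by `os.close(fd)`, and register the deletion with `self.addCleanup` so it runs regardless of the outcome. The `zero_task` case asserts the path is not a file even though mkstemp has just created it, so it appears to rely on `generate([])` removing the file — a one-line comment stating that expectation would help the next reader. The `invalid_executable` case in test_verify also depends on `/bin/aaa` being absent on the host, which is likely but not guaranteed.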
@@ -1,194 +1,192 @@ -#!/usr/bin/env python3 -# # Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import vyos.template from vyos.utils.network import interface_exists from ipaddress import ip_network from unittest import TestCase class TestVyOSTemplate(TestCase): def setUp(self): pass def test_is_interface(self): for interface in ['lo', 'eth0']: if interface_exists(interface): self.assertTrue(vyos.template.is_interface(interface)) else: self.assertFalse(vyos.template.is_interface(interface)) self.assertFalse(vyos.template.is_interface('non-existent')) def test_is_ip(self): self.assertTrue(vyos.template.is_ip('192.0.2.1')) self.assertTrue(vyos.template.is_ip('2001:db8::1')) self.assertFalse(vyos.template.is_ip('VyOS')) def test_is_ipv4(self): self.assertTrue(vyos.template.is_ipv4('192.0.2.1')) self.assertTrue(vyos.template.is_ipv4('192.0.2.0/24')) self.assertTrue(vyos.template.is_ipv4('192.0.2.1/32')) self.assertFalse(vyos.template.is_ipv4('2001:db8::1')) self.assertFalse(vyos.template.is_ipv4('2001:db8::/64')) self.assertFalse(vyos.template.is_ipv4('VyOS')) def test_is_ipv6(self): self.assertTrue(vyos.template.is_ipv6('2001:db8::1')) self.assertTrue(vyos.template.is_ipv6('2001:db8::/64')) self.assertTrue(vyos.template.is_ipv6('2001:db8::1/64')) self.assertFalse(vyos.template.is_ipv6('192.0.2.1')) self.assertFalse(vyos.template.is_ipv6('192.0.2.0/24')) 
self.assertFalse(vyos.template.is_ipv6('192.0.2.1/32')) self.assertFalse(vyos.template.is_ipv6('VyOS')) def test_address_from_cidr(self): self.assertEqual(vyos.template.address_from_cidr('192.0.2.0/24'), '192.0.2.0') self.assertEqual(vyos.template.address_from_cidr('2001:db8::/48'), '2001:db8::') with self.assertRaises(ValueError): # ValueError: 192.0.2.1/24 has host bits set self.assertEqual(vyos.template.address_from_cidr('192.0.2.1/24'), '192.0.2.1') with self.assertRaises(ValueError): # ValueError: 2001:db8::1/48 has host bits set self.assertEqual(vyos.template.address_from_cidr('2001:db8::1/48'), '2001:db8::1') network_v4 = '192.0.2.0/26' self.assertEqual(vyos.template.address_from_cidr(network_v4), str(ip_network(network_v4).network_address)) def test_netmask_from_cidr(self): self.assertEqual(vyos.template.netmask_from_cidr('192.0.2.0/24'), '255.255.255.0') self.assertEqual(vyos.template.netmask_from_cidr('192.0.2.128/25'), '255.255.255.128') self.assertEqual(vyos.template.netmask_from_cidr('2001:db8::/48'), 'ffff:ffff:ffff::') with self.assertRaises(ValueError): # ValueError: 192.0.2.1/24 has host bits set self.assertEqual(vyos.template.netmask_from_cidr('192.0.2.1/24'), '255.255.255.0') with self.assertRaises(ValueError): # ValueError: 2001:db8:1:/64 has host bits set self.assertEqual(vyos.template.netmask_from_cidr('2001:db8:1:/64'), 'ffff:ffff:ffff:ffff::') network_v4 = '192.0.2.0/26' self.assertEqual(vyos.template.netmask_from_cidr(network_v4), str(ip_network(network_v4).netmask)) def test_first_host_address(self): self.assertEqual(vyos.template.first_host_address('10.0.0.0/24'), '10.0.0.1') self.assertEqual(vyos.template.first_host_address('10.0.0.10/24'), '10.0.0.1') self.assertEqual(vyos.template.first_host_address('10.0.0.255/24'), '10.0.0.1') self.assertEqual(vyos.template.first_host_address('10.0.0.128/25'), '10.0.0.129') self.assertEqual(vyos.template.first_host_address('2001:db8::/64'), '2001:db8::1') 
self.assertEqual(vyos.template.first_host_address('2001:db8::1000/64'), '2001:db8::1') self.assertEqual(vyos.template.first_host_address('2001:db8::ffff:ffff:ffff:ffff/64'), '2001:db8::1') def test_last_host_address(self): self.assertEqual(vyos.template.last_host_address('10.0.0.0/24'), '10.0.0.254') self.assertEqual(vyos.template.last_host_address('10.0.0.128/25'), '10.0.0.254') self.assertEqual(vyos.template.last_host_address('2001:db8::/64'), '2001:db8::ffff:ffff:ffff:ffff') def test_increment_ip(self): self.assertEqual(vyos.template.inc_ip('10.0.0.0/24', '2'), '10.0.0.2') self.assertEqual(vyos.template.inc_ip('10.0.0.0', '2'), '10.0.0.2') self.assertEqual(vyos.template.inc_ip('10.0.0.0', '10'), '10.0.0.10') self.assertEqual(vyos.template.inc_ip('2001:db8::/64', '2'), '2001:db8::2') self.assertEqual(vyos.template.inc_ip('2001:db8::', '10'), '2001:db8::a') def test_decrement_ip(self): self.assertEqual(vyos.template.dec_ip('10.0.0.100/24', '1'), '10.0.0.99') self.assertEqual(vyos.template.dec_ip('10.0.0.90', '10'), '10.0.0.80') self.assertEqual(vyos.template.dec_ip('2001:db8::b/64', '10'), '2001:db8::1') self.assertEqual(vyos.template.dec_ip('2001:db8::f', '5'), '2001:db8::a') def test_is_network(self): self.assertFalse(vyos.template.is_ip_network('192.0.2.0')) self.assertFalse(vyos.template.is_ip_network('192.0.2.1/24')) self.assertTrue(vyos.template.is_ip_network('192.0.2.0/24')) self.assertFalse(vyos.template.is_ip_network('2001:db8::')) self.assertFalse(vyos.template.is_ip_network('2001:db8::ffff')) self.assertTrue(vyos.template.is_ip_network('2001:db8::/48')) self.assertTrue(vyos.template.is_ip_network('2001:db8:1000::/64')) def test_is_network(self): self.assertTrue(vyos.template.compare_netmask('10.0.0.0/8', '20.0.0.0/8')) self.assertTrue(vyos.template.compare_netmask('10.0.0.0/16', '20.0.0.0/16')) self.assertFalse(vyos.template.compare_netmask('10.0.0.0/8', '20.0.0.0/16')) self.assertFalse(vyos.template.compare_netmask('10.0.0.1', '20.0.0.0/16')) 
self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/48')) self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/64', '2001:db8:2000::/64')) self.assertFalse(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/64')) def test_cipher_to_string(self): ESP_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm64-sha256-ecp256' IKEv2_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm128-md5_128-modp1024' data = { 'esp_group': { 'ESP_DEFAULT': { 'compression': 'disable', 'lifetime': '3600', 'mode': 'tunnel', 'pfs': 'dh-group19', 'proposal': { '10': { 'encryption': 'aes256gcm128', 'hash': 'sha256', }, '20': { 'encryption': 'aes128ccm64', 'hash': 'sha256', } } } }, 'ike_group': { 'IKEv2_DEFAULT': { 'close_action': 'none', 'dead_peer_detection': { 'action': 'hold', 'interval': '30', 'timeout': '120' }, 'ikev2_reauth': 'no', 'key_exchange': 'ikev2', 'lifetime': '10800', 'mobike': 'disable', 'proposal': { '10': { 'dh_group': '19', 'encryption': 'aes256gcm128', 'hash': 'sha256' }, '20': { 'dh_group': '2', 'encryption': 'aes128ccm128', 'hash': 'md5_128' }, } } }, } for group_name, group_config in data['esp_group'].items(): ciphers = vyos.template.get_esp_ike_cipher(group_config) self.assertIn(ESP_DEFAULT, ','.join(ciphers)) for group_name, group_config in data['ike_group'].items(): ciphers = vyos.template.get_esp_ike_cipher(group_config) self.assertIn(IKEv2_DEFAULT, ','.join(ciphers)) diff --git a/src/tests/test_utils.py b/src/tests/test_utils.py index 9ae329ced..7bfd2618e 100644 --- a/src/tests/test_utils.py +++ b/src/tests/test_utils.py 
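Review bot: `test_is_network` is defined twice in TestVyOSTemplate; Python keeps only the last definition, so the seven `is_ip_network` assertions in the first one are never collected or run. Renaming the second to `def test_compare_netmask(self):` restores them. The same shadowing occurs in the test_utils_network.py hunk below, where `test_is_ipv6_link_local` is defined twice and the second should be `def test_is_loopback_addr(self):`. In test_netmask_from_cidr, `'2001:db8:1:/64'` is not a well-formed address, so the ValueError there appears to come from parsing rather than from host bits being set as the comment states; `'2001:db8:1::1/64'` would exercise the documented case.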
@@ -1,28 +1,26 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2023 VyOS maintainers and contributors +# Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. from unittest import TestCase class TestVyOSUtils(TestCase): def test_key_mangling(self): from vyos.utils.dict import mangle_dict_keys data = {"foo-bar": {"baz-quux": None}} expected_data = {"foo_bar": {"baz_quux": None}} new_data = mangle_dict_keys(data, '-', '_') self.assertEqual(new_data, expected_data) def test_sysctl_read(self): from vyos.utils.system import sysctl_read self.assertEqual(sysctl_read('net.ipv4.conf.lo.forwarding'), '1') diff --git a/src/tests/test_utils_network.py b/src/tests/test_utils_network.py index 5a6dc2586..d68dec16f 100644 --- a/src/tests/test_utils_network.py +++ b/src/tests/test_utils_network.py 
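Review bot: `test_sysctl_read` pins the host's current value of `net.ipv4.conf.lo.forwarding` to `'1'`, which is runtime state of the machine running the tests rather than behaviour of `sysctl_read`, so it fails on any host where forwarding is disabled. Comparing against the kernel's own view keeps the test portable: `with open('/proc/sys/net/ipv4/conf/lo/forwarding') as f:` then `self.assertEqual(sysctl_read('net.ipv4.conf.lo.forwarding'), f.read().strip())`. If the intent is to assert the VyOS image default, a `unittest.skipUnless` guard on that environment would make the dependency explicit instead of implicit.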
@@ -1,50 +1,45 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2023 VyOS maintainers and contributors +# Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import vyos.utils.network from unittest import TestCase class TestVyOSUtilsNetwork(TestCase): def setUp(self): pass def test_is_addr_assigned(self): self.assertTrue(vyos.utils.network.is_addr_assigned('127.0.0.1')) self.assertTrue(vyos.utils.network.is_addr_assigned('::1')) self.assertFalse(vyos.utils.network.is_addr_assigned('127.251.255.123')) def test_is_ipv6_link_local(self): self.assertFalse(vyos.utils.network.is_ipv6_link_local('169.254.0.1')) self.assertTrue(vyos.utils.network.is_ipv6_link_local('fe80::')) self.assertTrue(vyos.utils.network.is_ipv6_link_local('fe80::affe:1')) self.assertTrue(vyos.utils.network.is_ipv6_link_local('fe80::affe:1%eth0')) self.assertFalse(vyos.utils.network.is_ipv6_link_local('2001:db8::')) self.assertFalse(vyos.utils.network.is_ipv6_link_local('2001:db8::%eth0')) self.assertFalse(vyos.utils.network.is_ipv6_link_local('VyOS')) self.assertFalse(vyos.utils.network.is_ipv6_link_local('::1')) self.assertFalse(vyos.utils.network.is_ipv6_link_local('::1%lo')) def test_is_ipv6_link_local(self): self.assertTrue(vyos.utils.network.is_loopback_addr('127.0.0.1')) self.assertTrue(vyos.utils.network.is_loopback_addr('127.0.1.1')) self.assertTrue(vyos.utils.network.is_loopback_addr('127.1.1.1')) 
self.assertTrue(vyos.utils.network.is_loopback_addr('::1')) self.assertFalse(vyos.utils.network.is_loopback_addr('::2')) self.assertFalse(vyos.utils.network.is_loopback_addr('192.0.2.1')) - - -