diff --git a/python/vyos/util.py b/python/vyos/util.py
index 554614b30..1c4102e90 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -1,838 +1,843 @@
-# Copyright 2020-2021 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2020-2022 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 # Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
 import re
 import sys
 
 #
 # NOTE: Do not import full classes here, move your import to the function
 # where it is used so it is as local as possible to the execution
 #
 
 from subprocess import Popen
 from subprocess import PIPE
 from subprocess import STDOUT
 from subprocess import DEVNULL
 
 def popen(command, flag='', shell=None, input=None, timeout=None, env=None,
           stdout=PIPE, stderr=PIPE, decode='utf-8'):
     """
     popen is a wrapper helper aound subprocess.Popen
     with it default setting it will return a tuple (out, err)
     out: the output of the program run
     err: the error code returned by the program
 
     it can be affected by the following flags:
     shell:   do not try to auto-detect if a shell is required
              for example if a pipe (|) or redirection (>, >>) is used
     input:   data to sent to the child process via STDIN
              the data should be bytes but string will be converted
     timeout: time after which the command will be considered to have failed
     env:     mapping that defines the environment variables for the new process
     stdout:  define how the output of the program should be handled
               - PIPE (default), sends stdout to the output
               - DEVNULL, discard the output
     stderr:  define how the output of the program should be handled
               - None (default), send/merge the data to/with stderr
               - PIPE, popen will append it to output
               - STDOUT, send the data to be merged with stdout
               - DEVNULL, discard the output
     decode:  specify the expected text encoding (utf-8, ascii, ...)
              the default is explicitely utf-8 which is python's own default
 
     usage:
     get both stdout and stderr: popen('command', stdout=PIPE, stderr=STDOUT)
     discard stdout and get stderr: popen('command', stdout=DEVNUL, stderr=PIPE)
     """
 
     # airbag must be left as an import in the function as otherwise we have a
     # a circual import dependency
     from vyos import debug
     from vyos import airbag
 
     # log if the flag is set, otherwise log if command is set
     if not debug.enabled(flag):
         flag = 'command'
 
     cmd_msg = f"cmd '{command}'"
     debug.message(cmd_msg, flag)
 
     use_shell = shell
     stdin = None
     if shell is None:
         use_shell = False
         if ' ' in command:
             use_shell = True
         if env:
             use_shell = True
 
     if input:
         stdin = PIPE
         input = input.encode() if type(input) is str else input
 
     p = Popen(command, stdin=stdin, stdout=stdout, stderr=stderr,
               env=env, shell=use_shell)
 
     pipe = p.communicate(input, timeout)
 
     pipe_out = b''
     if stdout == PIPE:
         pipe_out = pipe[0]
 
     pipe_err = b''
     if stderr == PIPE:
         pipe_err = pipe[1]
 
     str_out = pipe_out.decode(decode).replace('\r\n', '\n').strip()
     str_err = pipe_err.decode(decode).replace('\r\n', '\n').strip()
 
     out_msg = f"returned (out):\n{str_out}"
     if str_out:
         debug.message(out_msg, flag)
 
     if str_err:
         err_msg = f"returned (err):\n{str_err}"
         # this message will also be send to syslog via airbag
         debug.message(err_msg, flag, destination=sys.stderr)
 
         # should something go wrong, report this too via airbag
         airbag.noteworthy(cmd_msg)
         airbag.noteworthy(out_msg)
         airbag.noteworthy(err_msg)
 
     return str_out, p.returncode
 
 
 def run(command, flag='', shell=None, input=None, timeout=None, env=None,
         stdout=DEVNULL, stderr=PIPE, decode='utf-8'):
     """
     A wrapper around popen, which discard the stdout and
     will return the error code of a command
     """
     _, code = popen(
         command, flag,
         stdout=stdout, stderr=stderr,
         input=input, timeout=timeout,
         env=env, shell=shell,
         decode=decode,
     )
     return code
 
 
 def cmd(command, flag='', shell=None, input=None, timeout=None, env=None,
         stdout=PIPE, stderr=PIPE, decode='utf-8', raising=None, message='',
         expect=[0]):
     """
     A wrapper around popen, which returns the stdout and
     will raise the error code of a command
 
     raising: specify which call should be used when raising
              the class should only require a string as parameter
              (default is OSError) with the error code
     expect:  a list of error codes to consider as normal
     """
     decoded, code = popen(
         command, flag,
         stdout=stdout, stderr=stderr,
         input=input, timeout=timeout,
         env=env, shell=shell,
         decode=decode,
     )
     if code not in expect:
         feedback = message + '\n' if message else ''
         feedback += f'failed to run command: {command}\n'
         feedback += f'returned: {decoded}\n'
         feedback += f'exit code: {code}'
         if raising is None:
             # error code can be recovered with .errno
             raise OSError(code, feedback)
         else:
             raise raising(feedback)
     return decoded
 
 
 def call(command, flag='', shell=None, input=None, timeout=None, env=None,
          stdout=PIPE, stderr=PIPE, decode='utf-8'):
     """
     A wrapper around popen, which print the stdout and
     will return the error code of a command
     """
     out, code = popen(
         command, flag,
         stdout=stdout, stderr=stderr,
         input=input, timeout=timeout,
         env=env, shell=shell,
         decode=decode,
     )
     if out:
         print(out)
     return code
 
 
 def read_file(fname, defaultonfailure=None):
     """
     read the content of a file, stripping any end characters (space, newlines)
     should defaultonfailure be not None, it is returned on failure to read
     """
     try:
         """ Read a file to string """
         with open(fname, 'r') as f:
             data = f.read().strip()
         return data
     except Exception as e:
         if defaultonfailure is not None:
             return defaultonfailure
         raise e
 
 def write_file(fname, data, defaultonfailure=None, user=None, group=None):
     """
     Write content of data to given fname, should defaultonfailure be not None,
     it is returned on failure to read.
 
     If directory of file is not present, it is auto-created.
     """
     dirname = os.path.dirname(fname)
     if not os.path.isdir(dirname):
         os.makedirs(dirname, mode=0o755, exist_ok=False)
         chown(dirname, user, group)
 
     try:
         """ Write a file to string """
         bytes = 0
         with open(fname, 'w') as f:
             bytes = f.write(data)
         chown(fname, user, group)
         return bytes
     except Exception as e:
         if defaultonfailure is not None:
             return defaultonfailure
         raise e
 
 
 def read_json(fname, defaultonfailure=None):
     """
     read and json decode the content of a file
     should defaultonfailure be not None, it is returned on failure to read
     """
     import json
     try:
         with open(fname, 'r') as f:
             data = json.load(f)
         return data
     except Exception as e:
         if defaultonfailure is not None:
             return defaultonfailure
         raise e
 
 
 def chown(path, user, group):
     """ change file/directory owner """
     from pwd import getpwnam
     from grp import getgrnam
 
     if user is None or group is None:
         return False
 
     # path may also be an open file descriptor
     if not isinstance(path, int) and not os.path.exists(path):
         return False
 
     uid = getpwnam(user).pw_uid
     gid = getgrnam(group).gr_gid
     os.chown(path, uid, gid)
     return True
 
 
 def chmod(path, bitmask):
     # path may also be an open file descriptor
     if not isinstance(path, int) and not os.path.exists(path):
         return
     if bitmask is None:
         return
     os.chmod(path, bitmask)
 
 
 def chmod_600(path):
     """ make file only read/writable by owner """
     from stat import S_IRUSR, S_IWUSR
 
     bitmask = S_IRUSR | S_IWUSR
     chmod(path, bitmask)
 
 
 def chmod_750(path):
     """ make file/directory only executable to user and group """
     from stat import S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IXGRP
 
     bitmask = S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP
     chmod(path, bitmask)
 
 
 def chmod_755(path):
     """ make file executable by all """
     from stat import S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IXGRP, S_IROTH, S_IXOTH
 
     bitmask = S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | \
               S_IROTH | S_IXOTH
     chmod(path, bitmask)
 
 
 def makedir(path, user=None, group=None):
     if os.path.exists(path):
         return
     os.makedirs(path, mode=0o755)
     chown(path, user, group)
 
 
 def colon_separated_to_dict(data_string, uniquekeys=False):
     """ Converts a string containing newline-separated entries
         of colon-separated key-value pairs into a dict.
 
         Such files are common in Linux /proc filesystem
 
     Args:
         data_string (str): data string
         uniquekeys (bool): whether to insist that keys are unique or not
 
     Returns: dict
 
     Raises:
         ValueError: if uniquekeys=True and the data string has
             duplicate keys.
 
     Note:
         If uniquekeys=True, then dict entries are always strings,
         otherwise they are always lists of strings.
     """
     import re
     key_value_re = re.compile('([^:]+)\s*\:\s*(.*)')
 
     data_raw = re.split('\n', data_string)
 
     data = {}
 
     for l in data_raw:
         l = l.strip()
         if l:
             match = re.match(key_value_re, l)
             if match:
                 key = match.groups()[0].strip()
                 value = match.groups()[1].strip()
             if key in data.keys():
                 if uniquekeys:
                     raise ValueError("Data string has duplicate keys: {0}".format(key))
                 else:
                     data[key].append(value)
             else:
                 if uniquekeys:
                     data[key] = value
                 else:
                     data[key] = [value]
         else:
             pass
 
     return data
 
 def _mangle_dict_keys(data, regex, replacement, abs_path=[], no_tag_node_value_mangle=False, mod=0):
     """ Mangles dict keys according to a regex and replacement character.
     Some libraries like Jinja2 do not like certain characters in dict keys.
     This function can be used for replacing all offending characters
     with something acceptable.
 
     Args:
         data (dict): Original dict to mangle
 
     Returns: dict
     """
     from vyos.xml import is_tag
 
     new_dict = {}
 
     for key in data.keys():
         save_mod = mod
         save_path = abs_path[:]
 
         abs_path.append(key)
 
         if not is_tag(abs_path):
             new_key = re.sub(regex, replacement, key)
         else:
             if mod%2:
                 new_key = key
             else:
                 new_key = re.sub(regex, replacement, key)
             if no_tag_node_value_mangle:
                 mod += 1
 
         value = data[key]
 
         if isinstance(value, dict):
             new_dict[new_key] = _mangle_dict_keys(value, regex, replacement, abs_path=abs_path, mod=mod, no_tag_node_value_mangle=no_tag_node_value_mangle)
         else:
             new_dict[new_key] = value
 
         mod = save_mod
         abs_path = save_path[:]
 
     return new_dict
 
 def mangle_dict_keys(data, regex, replacement, abs_path=[], no_tag_node_value_mangle=False):
     return _mangle_dict_keys(data, regex, replacement, abs_path=abs_path, no_tag_node_value_mangle=no_tag_node_value_mangle, mod=0)
 
 def _get_sub_dict(d, lpath):
     k = lpath[0]
     if k not in d.keys():
         return {}
     c = {k: d[k]}
     lpath = lpath[1:]
     if not lpath:
         return c
     elif not isinstance(c[k], dict):
         return {}
     return _get_sub_dict(c[k], lpath)
 
 def get_sub_dict(source, lpath, get_first_key=False):
     """ Returns the sub-dict of a nested dict, defined by path of keys.
 
     Args:
         source (dict): Source dict to extract from
         lpath (list[str]): sequence of keys
 
     Returns: source, if lpath is empty, else
              {key : source[..]..[key]} for key the last element of lpath, if exists
              {} otherwise
     """
     if not isinstance(source, dict):
         raise TypeError("source must be of type dict")
     if not isinstance(lpath, list):
         raise TypeError("path must be of type list")
     if not lpath:
         return source
 
     ret =  _get_sub_dict(source, lpath)
 
     if get_first_key and lpath and ret:
         tmp = next(iter(ret.values()))
         if not isinstance(tmp, dict):
             raise TypeError("Data under node is not of type dict")
         ret = tmp
 
     return ret
 
 def process_running(pid_file):
     """ Checks if a process with PID in pid_file is running """
     from psutil import pid_exists
     if not os.path.isfile(pid_file):
         return False
     with open(pid_file, 'r') as f:
         pid = f.read().strip()
     return pid_exists(int(pid))
 
 
 def process_named_running(name):
     """ Checks if process with given name is running and returns its PID.
     If Process is not running, return None
     """
     from psutil import process_iter
     for p in process_iter():
         if name in p.name():
             return p.pid
     return None
 
 
 def seconds_to_human(s, separator=""):
     """ Converts number of seconds passed to a human-readable
     interval such as 1w4d18h35m59s
     """
     s = int(s)
 
     week = 60 * 60 * 24 * 7
     day = 60 * 60 * 24
     hour = 60 * 60
 
     remainder = 0
     result = ""
 
     weeks = s // week
     if weeks > 0:
         result = "{0}w".format(weeks)
         s = s % week
 
     days = s // day
     if days > 0:
         result = "{0}{1}{2}d".format(result, separator, days)
         s = s % day
 
     hours = s // hour
     if hours > 0:
         result = "{0}{1}{2}h".format(result, separator, hours)
         s = s % hour
 
     minutes = s // 60
     if minutes > 0:
         result = "{0}{1}{2}m".format(result, separator, minutes)
         s = s % 60
 
     seconds = s
     if seconds > 0:
         result = "{0}{1}{2}s".format(result, separator, seconds)
 
     return result
 
 
 def get_cfg_group_id():
     from grp import getgrnam
     from vyos.defaults import cfg_group
 
     group_data = getgrnam(cfg_group)
     return group_data.gr_gid
 
 
 def file_is_persistent(path):
     import re
     location = r'^(/config|/opt/vyatta/etc/config)'
     absolute = os.path.abspath(os.path.dirname(path))
     return re.match(location,absolute)
 
 def wait_for_inotify(file_path, pre_hook=None, event_type=None, timeout=None, sleep_interval=0.1):
     """ Waits for an inotify event to occur """
     if not os.path.dirname(file_path):
         raise ValueError(
           "File path {} does not have a directory part (required for inotify watching)".format(file_path))
     if not os.path.basename(file_path):
         raise ValueError(
           "File path {} does not have a file part, do not know what to watch for".format(file_path))
 
     from inotify.adapters import Inotify
     from time import time
     from time import sleep
 
     time_start = time()
 
     i = Inotify()
     i.add_watch(os.path.dirname(file_path))
 
     if pre_hook:
         pre_hook()
 
     for event in i.event_gen(yield_nones=True):
         if (timeout is not None) and ((time() - time_start) > timeout):
             # If the function didn't return until this point,
             # the file failed to have been written to and closed within the timeout
             raise OSError("Waiting for file {} to be written has failed".format(file_path))
 
         # Most such events don't take much time, so it's better to check right away
         # and sleep later.
         if event is not None:
             (_, type_names, path, filename) = event
             if filename == os.path.basename(file_path):
                 if event_type in type_names:
                     return
         sleep(sleep_interval)
 
 def wait_for_file_write_complete(file_path, pre_hook=None, timeout=None, sleep_interval=0.1):
     """ Waits for a process to close a file after opening it in write mode. """
     wait_for_inotify(file_path,
       event_type='IN_CLOSE_WRITE', pre_hook=pre_hook, timeout=timeout, sleep_interval=sleep_interval)
 
 def commit_in_progress():
     """ Not to be used in normal op mode scripts! """
 
     # The CStore backend locks the config by opening a file
     # The file is not removed after commit, so just checking
     # if it exists is insufficient, we need to know if it's open by anyone
 
     # There are two ways to check if any other process keeps a file open.
     # The first one is to try opening it and see if the OS objects.
     # That's faster but prone to race conditions and can be intrusive.
     # The other one is to actually check if any process keeps it open.
     # It's non-intrusive but needs root permissions, else you can't check
     # processes of other users.
     #
     # Since this will be used in scripts that modify the config outside of the CLI
     # framework, those knowingly have root permissions.
     # For everything else, we add a safeguard.
     from psutil import process_iter
     from psutil import NoSuchProcess
     from getpass import getuser
     from vyos.defaults import commit_lock
 
     if getuser() != 'root':
         raise OSError('This functions needs to be run as root to return correct results!')
 
     for proc in process_iter():
         try:
             files = proc.open_files()
             if files:
                 for f in files:
                     if f.path == commit_lock:
                         return True
         except NoSuchProcess as err:
             # Process died before we could examine it
             pass
     # Default case
     return False
 
 
 def wait_for_commit_lock():
     """ Not to be used in normal op mode scripts! """
     from time import sleep
     # Very synchronous approach to multiprocessing
     while commit_in_progress():
         sleep(1)
 
 
 def ask_yes_no(question, default=False) -> bool:
     """Ask a yes/no question via input() and return their answer."""
     from sys import stdout
     default_msg = "[Y/n]" if default else "[y/N]"
     while True:
         try:
             stdout.write("%s %s " % (question, default_msg))
             c = input().lower()
             if c == '':
                 return default
             elif c in ("y", "ye", "yes"):
                 return True
             elif c in ("n", "no"):
                 return False
             else:
                 stdout.write("Please respond with yes/y or no/n\n")
         except EOFError:
             stdout.write("\nPlease respond with yes/y or no/n\n")
 
 
 def is_admin() -> bool:
     """Look if current user is in sudo group"""
     from getpass import getuser
     from grp import getgrnam
     current_user = getuser()
     (_, _, _, admin_group_members) = getgrnam('sudo')
     return current_user in admin_group_members
 
+def is_list_equal(first: list, second: list) -> bool:
+    """ Check if 2 lists are equal and list not empty """
+    if len(first) != len(second) or len(first) == 0:
+        return False
+    return sorted(first) == sorted(second)
 
 def mac2eui64(mac, prefix=None):
     """
     Convert a MAC address to a EUI64 address or, with prefix provided, a full
     IPv6 address.
     Thankfully copied from https://gist.github.com/wido/f5e32576bb57b5cc6f934e177a37a0d3
     """
     import re
     from ipaddress import ip_network
     # http://tools.ietf.org/html/rfc4291#section-2.5.1
     eui64 = re.sub(r'[.:-]', '', mac).lower()
     eui64 = eui64[0:6] + 'fffe' + eui64[6:]
     eui64 = hex(int(eui64[0:2], 16) ^ 2)[2:].zfill(2) + eui64[2:]
 
     if prefix is None:
         return ':'.join(re.findall(r'.{4}', eui64))
     else:
         try:
             net = ip_network(prefix, strict=False)
             euil = int('0x{0}'.format(eui64), 16)
             return str(net[euil])
         except:  # pylint: disable=bare-except
             return
 
 def get_half_cpus():
     """ return 1/2 of the numbers of available CPUs """
     cpu = os.cpu_count()
     if cpu > 1:
         cpu /= 2
     return int(cpu)
 
 def check_kmod(k_mod):
     """ Common utility function to load required kernel modules on demand """
     from vyos import ConfigError
     if isinstance(k_mod, str):
         k_mod = k_mod.split()
     for module in k_mod:
         if not os.path.exists(f'/sys/module/{module}'):
             if call(f'modprobe {module}') != 0:
                 raise ConfigError(f'Loading Kernel module {module} failed')
 
 def find_device_file(device):
     """ Recurively search /dev for the given device file and return its full path.
         If no device file was found 'None' is returned """
     from fnmatch import fnmatch
 
     for root, dirs, files in os.walk('/dev'):
         for basename in files:
             if fnmatch(basename, device):
                 return os.path.join(root, basename)
 
     return None
 
 def dict_search(path, dict_object):
     """ Traverse Python dictionary (dict_object) delimited by dot (.).
     Return value of key if found, None otherwise.
     This is faster implementation then jmespath.search('foo.bar', dict_object)"""
     if not isinstance(dict_object, dict) or not path:
         return None
 
     parts = path.split('.')
     inside = parts[:-1]
     if not inside:
         if path not in dict_object:
             return None
         return dict_object[path]
     c = dict_object
     for p in parts[:-1]:
         c = c.get(p, {})
     return c.get(parts[-1], None)
 
 def get_bridge_fdb(interface):
     """ Returns the forwarding database entries for a given interface """
     if not os.path.exists(f'/sys/class/net/{interface}'):
         return None
     from json import loads
     tmp = loads(cmd(f'bridge -j fdb show dev {interface}'))
     return tmp
 
 def get_interface_config(interface):
     """ Returns the used encapsulation protocol for given interface.
         If interface does not exist, None is returned.
     """
     if not os.path.exists(f'/sys/class/net/{interface}'):
         return None
     from json import loads
     tmp = loads(cmd(f'ip -d -j link show {interface}'))[0]
     return tmp
 
 def print_error(str='', end='\n'):
     """
     Print `str` to stderr, terminated with `end`.
     Used for warnings and out-of-band messages to avoid mangling precious
      stdout output.
     """
     sys.stderr.write(str)
     sys.stderr.write(end)
     sys.stderr.flush()
 
 def make_progressbar():
     """
     Make a procedure that takes two arguments `done` and `total` and prints a
      progressbar based on the ratio thereof, whose length is determined by the
      width of the terminal.
     """
     import shutil, math
     col, _ = shutil.get_terminal_size()
     col = max(col - 15, 20)
     def print_progressbar(done, total):
         if done <= total:
             increment = total / col
             length = math.ceil(done / increment)
             percentage = str(math.ceil(100 * done / total)).rjust(3)
             print_error(f'[{length * "#"}{(col - length) * "_"}] {percentage}%', '\r')
             # Print a newline so that the subsequent prints don't overwrite the full bar.
         if done == total:
             print_error()
     return print_progressbar
 
 def make_incremental_progressbar(increment: float):
     """
     Make a generator that displays a progressbar that grows monotonically with
      every iteration.
     First call displays it at 0% and every subsequent iteration displays it
      at `increment` increments where 0.0 < `increment` < 1.0.
     Intended for FTP and HTTP transfers with stateless callbacks.
     """
     print_progressbar = make_progressbar()
     total = 0.0
     while total < 1.0:
         print_progressbar(total, 1.0)
         yield
         total += increment
     print_progressbar(1, 1)
     # Ignore further calls.
     while True:
         yield
 
 def begin(*args):
     """
     Evaluate arguments in order and return the result of the *last* argument.
     For combining multiple expressions in one statement. Useful for lambdas.
     """
     return args[-1]
 
 def begin0(*args):
     """
     Evaluate arguments in order and return the result of the *first* argument.
     For combining multiple expressions in one statement. Useful for lambdas.
     """
     return args[0]
 
 def is_systemd_service_active(service):
     """ Test is a specified systemd service is activated.
     Returns True if service is active, false otherwise.
     Copied from: https://unix.stackexchange.com/a/435317 """
     tmp = cmd(f'systemctl show --value -p ActiveState {service}')
     return bool((tmp == 'active'))
 
 def is_systemd_service_running(service):
     """ Test is a specified systemd service is actually running.
     Returns True if service is running, false otherwise.
     Copied from: https://unix.stackexchange.com/a/435317 """
     tmp = cmd(f'systemctl show --value -p SubState {service}')
     return bool((tmp == 'running'))
 
 def is_wwan_connected(interface):
     """ Determine if a given WWAN interface, e.g. wwan0 is connected to the
     carrier network or not """
     import json
 
     if not interface.startswith('wwan'):
         raise ValueError(f'Specified interface "{interface}" is not a WWAN interface')
 
     # ModemManager is required for connection(s) - if service is not running,
     # there won't be any connection at all!
     if not is_systemd_service_active('ModemManager.service'):
         return False
 
     modem = interface.lstrip('wwan')
 
     tmp = cmd(f'mmcli --modem {modem} --output-json')
     tmp = json.loads(tmp)
 
     # return True/False if interface is in connected state
     return dict_search('modem.generic.state', tmp) == 'connected'
 
 def boot_configuration_complete() -> bool:
     """ Check if the boot config loader has completed
     """
     from vyos.defaults import config_status
 
     if os.path.isfile(config_status):
         return True
     return False
 
 def sysctl_read(name):
     """ Read and return current value of sysctl() option """
     tmp = cmd(f'sysctl {name}')
     return tmp.split()[-1]
 
 def sysctl_write(name, value):
     """ Change value via sysctl() - return True if changed, False otherwise """
     tmp = cmd(f'sysctl {name}')
     # last list index contains the actual value - only write if value differs
     if sysctl_read(name) != str(value):
         call(f'sysctl -wq {name}={value}')
         return True
     return False
 
 def is_ipv6_enabled() -> bool:
     """ Check if IPv6 support on the system is enabled or not """
     return (sysctl_read('net.ipv6.conf.all.disable_ipv6') == '0')
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 7d20b3fd0..fe5898282 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -1,550 +1,551 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2019-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
 import re
 
 from glob import glob
 from sys import exit
 from ipaddress import IPv4Address
 from ipaddress import IPv4Network
 from ipaddress import IPv6Address
 from ipaddress import IPv6Network
 from ipaddress import summarize_address_range
 from netifaces import interfaces
 from shutil import rmtree
 
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_diffie_hellman_length
 from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import VTunIf
 from vyos.template import render
 from vyos.template import is_ipv4
 from vyos.template import is_ipv6
 from vyos.util import call
 from vyos.util import chown
 from vyos.util import chmod_600
 from vyos.util import cmd
 from vyos.util import dict_search
+from vyos.util import is_list_equal
 from vyos.util import makedir
 from vyos.validate import is_addr_assigned
 
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
 user = 'openvpn'
 group = 'openvpn'
 
 cfg_file = '/run/openvpn/{ifname}.conf'
 service_file = '/run/systemd/system/openvpn@{ifname}.service.d/20-override.conf'
 
 def checkCertHeader(header, filename):
     """
     Verify if filename contains specified header.
     Returns True if match is found, False if no match or file is not found
     """
     if not os.path.isfile(filename):
         return False
 
     with open(filename, 'r') as f:
         for line in f:
             if re.match(header, line):
                 return True
 
     return False
 
 def get_config(config=None):
     """
     Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
     interface name will be added or a deleted flag
     """
     if config:
         conf = config
     else:
         conf = Config()
     base = ['interfaces', 'openvpn']
     openvpn = get_interface_dict(conf, base)
 
     if 'deleted' not in openvpn:
         if is_node_changed(conf, ['openvpn-option']):
             openvpn.update({'restart_required': {}})
 
     openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn)
     return openvpn
 
 def verify(openvpn):
     if 'deleted' in openvpn:
         verify_bridge_delete(openvpn)
         return None
 
     if 'mode' not in openvpn:
         raise ConfigError('Must specify OpenVPN operation mode!')
 
     #
     # OpenVPN client mode - VERIFY
     #
     if openvpn['mode'] == 'client':
         if 'local_port' in openvpn:
             raise ConfigError('Cannot specify "local-port" in client mode')
 
         if 'local_host' in openvpn:
             raise ConfigError('Cannot specify "local-host" in client mode')
 
         if 'remote_host' not in openvpn:
             raise ConfigError('Must specify "remote-host" in client mode')
 
         if openvpn['protocol'] == 'tcp-passive':
             raise ConfigError('Protocol "tcp-passive" is not valid in client mode')
 
         if dict_search('tls.dh_file', openvpn):
             raise ConfigError('Cannot specify "tls dh-file" in client mode')
 
     #
     # OpenVPN site-to-site - VERIFY
     #
     elif openvpn['mode'] == 'site-to-site':
         if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn:
             raise ConfigError('Must specify "local-address" or add interface to bridge')
 
         if 'local_address' in openvpn:
             if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1:
                 raise ConfigError('Only one IPv4 local-address can be specified')
 
             if len([addr for addr in openvpn['local_address'] if is_ipv6(addr)]) > 1:
                 raise ConfigError('Only one IPv6 local-address can be specified')
 
         if openvpn['device_type'] == 'tun':
             if 'remote_address' not in openvpn:
                 raise ConfigError('Must specify "remote-address"')
 
         if 'remote_address' in openvpn:
             if len([addr for addr in openvpn['remote_address'] if is_ipv4(addr)]) > 1:
                 raise ConfigError('Only one IPv4 remote-address can be specified')
 
             if len([addr for addr in openvpn['remote_address'] if is_ipv6(addr)]) > 1:
                 raise ConfigError('Only one IPv6 remote-address can be specified')
 
             if not 'local_address' in openvpn:
                 raise ConfigError('"remote-address" requires "local-address"')
 
             v4loAddr = [addr for addr in openvpn['local_address'] if is_ipv4(addr)]
             v4remAddr = [addr for addr in openvpn['remote_address'] if is_ipv4(addr)]
             if v4loAddr and not v4remAddr:
                 raise ConfigError('IPv4 "local-address" requires IPv4 "remote-address"')
             elif v4remAddr and not v4loAddr:
                 raise ConfigError('IPv4 "remote-address" requires IPv4 "local-address"')
 
             v6remAddr = [addr for addr in openvpn['remote_address'] if is_ipv6(addr)]
             v6loAddr = [addr for addr in openvpn['local_address'] if is_ipv6(addr)]
             if v6loAddr and not v6remAddr:
                 raise ConfigError('IPv6 "local-address" requires IPv6 "remote-address"')
             elif v6remAddr and not v6loAddr:
                 raise ConfigError('IPv6 "remote-address" requires IPv6 "local-address"')
 
-            if (v4loAddr == v4remAddr) or (v6remAddr == v4remAddr):
+            if is_list_equal(v4loAddr, v4remAddr) or is_list_equal(v6loAddr, v6remAddr):
                 raise ConfigError('"local-address" and "remote-address" cannot be the same')
 
             if dict_search('local_host', openvpn) in dict_search('local_address', openvpn):
                 raise ConfigError('"local-address" cannot be the same as "local-host"')
 
             if dict_search('remote_host', openvpn) in dict_search('remote_address', openvpn):
                 raise ConfigError('"remote-address" and "remote-host" can not be the same')
 
         if openvpn['device_type'] == 'tap' and 'local_address' in openvpn:
             # we can only have one local_address, this is ensured above
             v4addr = None
             for laddr in openvpn['local_address']:
                 if is_ipv4(laddr):
                     v4addr = laddr
                     break
 
             if v4addr in openvpn['local_address'] and 'subnet_mask' not in openvpn['local_address'][v4addr]:
                 raise ConfigError('Must specify IPv4 "subnet-mask" for local-address')
 
         if dict_search('encryption.ncp_ciphers', openvpn):
             raise ConfigError('NCP ciphers can only be used in client or server mode')
 
     else:
         # checks for client-server or site-to-site bridged
         if 'local_address' in openvpn or 'remote_address' in openvpn:
             raise ConfigError('Cannot specify "local-address" or "remote-address" ' \
                               'in client/server or bridge mode')
 
     #
     # OpenVPN server mode - VERIFY
     #
     if openvpn['mode'] == 'server':
         if openvpn['protocol'] == 'tcp-active':
             raise ConfigError('Protocol "tcp-active" is not valid in server mode')
 
         if dict_search('authentication.username', openvpn) or dict_search('authentication.password', openvpn):
             raise ConfigError('Cannot specify "authentication" in server mode')
 
         if 'remote_port' in openvpn:
             raise ConfigError('Cannot specify "remote-port" in server mode')
 
         if 'remote_host' in openvpn:
             raise ConfigError('Cannot specify "remote-host" in server mode')
 
         if 'tls' in openvpn:
             if 'dh_file' not in openvpn['tls']:
                 if 'key_file' in openvpn['tls'] and not checkCertHeader('-----BEGIN EC PRIVATE KEY-----', openvpn['tls']['key_file']):
                     raise ConfigError('Must specify "tls dh-file" when not using EC keys in server mode')
 
         tmp = dict_search('server.subnet', openvpn)
         if tmp:
             v4_subnets = len([subnet for subnet in tmp if is_ipv4(subnet)])
             v6_subnets = len([subnet for subnet in tmp if is_ipv6(subnet)])
             if v4_subnets > 1:
                 raise ConfigError('Cannot specify more than 1 IPv4 server subnet')
             if v6_subnets > 1:
                 raise ConfigError('Cannot specify more than 1 IPv6 server subnet')
 
             if v6_subnets > 0 and v4_subnets == 0:
                 raise ConfigError('IPv6 server requires an IPv4 server subnet')
 
             for subnet in tmp:
                 if is_ipv4(subnet):
                     subnet = IPv4Network(subnet)
 
                     if openvpn['device_type'] == 'tun' and subnet.prefixlen > 29:
                         raise ConfigError('Server subnets smaller than /29 with device type "tun" are not supported')
                     elif openvpn['device_type'] == 'tap' and subnet.prefixlen > 30:
                         raise ConfigError('Server subnets smaller than /30 with device type "tap" are not supported')
 
                     for client in (dict_search('client', openvpn) or []):
                         if client['ip'] and not IPv4Address(client['ip'][0]) in subnet:
                             raise ConfigError(f'Client "{client["name"]}" IP {client["ip"][0]} not in server subnet {subnet}')
 
         else:
             if 'is_bridge_member' not in openvpn:
                 raise ConfigError('Must specify "server subnet" or add interface to bridge in server mode')
 
 
         for client in (dict_search('client', openvpn) or []):
             if len(client['ip']) > 1 or len(client['ipv6_ip']) > 1:
                 raise ConfigError(f'Server client "{client["name"]}": cannot specify more than 1 IPv4 and 1 IPv6 IP')
 
         if dict_search('server.client_ip_pool', openvpn):
             if not (dict_search('server.client_ip_pool.start', openvpn) and dict_search('server.client_ip_pool.stop', openvpn)):
                 raise ConfigError('Server client-ip-pool requires both start and stop addresses')
             else:
                 v4PoolStart = IPv4Address(dict_search('server.client_ip_pool.start', openvpn))
                 v4PoolStop = IPv4Address(dict_search('server.client_ip_pool.stop', openvpn))
                 if v4PoolStart > v4PoolStop:
                     raise ConfigError(f'Server client-ip-pool start address {v4PoolStart} is larger than stop address {v4PoolStop}')
 
                 v4PoolSize = int(v4PoolStop) - int(v4PoolStart)
                 if v4PoolSize >= 65536:
                     raise ConfigError(f'Server client-ip-pool is too large [{v4PoolStart} -> {v4PoolStop} = {v4PoolSize}], maximum is 65536 addresses.')
 
                 v4PoolNets = list(summarize_address_range(v4PoolStart, v4PoolStop))
                 for client in (dict_search('client', openvpn) or []):
                     if client['ip']:
                         for v4PoolNet in v4PoolNets:
                             if IPv4Address(client['ip'][0]) in v4PoolNet:
                                 print(f'Warning: Client "{client["name"]}" IP {client["ip"][0]} is in server IP pool, it is not reserved for this client.')
 
         for subnet in (dict_search('server.subnet', openvpn) or []):
             if is_ipv6(subnet):
                 tmp = dict_search('client_ipv6_pool.base', openvpn)
                 if tmp:
                     if not dict_search('server.client_ip_pool', openvpn):
                         raise ConfigError('IPv6 server pool requires an IPv4 server pool')
 
                     if int(tmp.split('/')[1]) >= 112:
                         raise ConfigError('IPv6 server pool must be larger than /112')
 
                     #
                     # todo - weird logic
                     #
                     v6PoolStart = IPv6Address(tmp)
                     v6PoolStop = IPv6Network((v6PoolStart, openvpn['server_ipv6_pool_prefixlen']), strict=False)[-1] # don't remove the parentheses, it's a 2-tuple
                     v6PoolSize = int(v6PoolStop) - int(v6PoolStart) if int(openvpn['server_ipv6_pool_prefixlen']) > 96 else 65536
                     if v6PoolSize < v4PoolSize:
                         raise ConfigError(f'IPv6 server pool must be at least as large as the IPv4 pool (current sizes: IPv6={v6PoolSize} IPv4={v4PoolSize})')
 
                     v6PoolNets = list(summarize_address_range(v6PoolStart, v6PoolStop))
                     for client in (dict_search('client', openvpn) or []):
                         if client['ipv6_ip']:
                             for v6PoolNet in v6PoolNets:
                                 if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet:
                                     print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.')
 
     else:
         # checks for both client and site-to-site go here
         if dict_search('server.reject_unconfigured_clients', openvpn):
             raise ConfigError('Option reject-unconfigured-clients only supported in server mode')
 
         if 'replace_default_route' in openvpn and 'remote_host' not in openvpn:
             raise ConfigError('Cannot set "replace-default-route" without "remote-host"')
 
     #
     # OpenVPN common verification section
     # not depending on any operation mode
     #
 
     # verify specified IP address is present on any interface on this system
     if 'local_host' in openvpn:
         if not is_addr_assigned(openvpn['local_host']):
             print('local-host IP address "{local_host}" not assigned' \
                   ' to any interface'.format(**openvpn))
 
     # TCP active
     if openvpn['protocol'] == 'tcp-active':
         if 'local_port' in openvpn:
             raise ConfigError('Cannot specify "local-port" with "tcp-active"')
 
         if 'remote_host' not in openvpn:
             raise ConfigError('Must specify "remote-host" with "tcp-active"')
 
     # shared secret and TLS
     if not ('shared_secret_key_file' in openvpn or 'tls' in openvpn):
         raise ConfigError('Must specify one of "shared-secret-key-file" and "tls"')
 
     if {'shared_secret_key_file', 'tls'} <= set(openvpn):
         raise ConfigError('Can only specify one of "shared-secret-key-file" and "tls"')
 
     if openvpn['mode'] in ['client', 'server']:
         if 'tls' not in openvpn:
             raise ConfigError('Must specify "tls" for server and client mode')
 
     #
     # TLS/encryption
     #
     if 'shared_secret_key_file' in openvpn:
         if dict_search('encryption.cipher', openvpn) in ['aes128gcm', 'aes192gcm', 'aes256gcm']:
             raise ConfigError('GCM encryption with shared-secret-key-file not supported')
 
         file = dict_search('shared_secret_key_file', openvpn)
         if file and not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', file):
             raise ConfigError(f'Specified shared-secret-key-file "{file}" is not valid')
 
     if 'tls' in openvpn:
         if 'ca_cert_file' not in openvpn['tls']:
             raise ConfigError('Must specify "tls ca-cert-file"')
 
         if not (openvpn['mode'] == 'client' and 'authentication' in openvpn):
             if 'cert_file' not in openvpn['tls']:
                 raise ConfigError('Missing "tls cert-file"')
 
             if 'key_file' not in openvpn['tls']:
                 raise ConfigError('Missing "tls key-file"')
 
         if {'auth_file', 'crypt_file'} <= set(openvpn['tls']):
             raise ConfigError('TLS auth and crypt are mutually exclusive')
 
         file = dict_search('tls.ca_cert_file', openvpn)
         if file and not checkCertHeader('-----BEGIN CERTIFICATE-----', file):
             raise ConfigError(f'Specified ca-cert-file "{file}" is invalid')
 
         file = dict_search('tls.auth_file', openvpn)
         if file and not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', file):
             raise ConfigError(f'Specified auth-file "{file}" is invalid')
 
         file = dict_search('tls.cert_file', openvpn)
         if file and not checkCertHeader('-----BEGIN CERTIFICATE-----', file):
             raise ConfigError(f'Specified cert-file "{file}" is invalid')
 
         file = dict_search('tls.key_file', openvpn)
         if file and not checkCertHeader('-----BEGIN (?:RSA |EC )?PRIVATE KEY-----', file):
             raise ConfigError(f'Specified key-file "{file}" is not valid')
 
         file = dict_search('tls.crypt_file', openvpn)
         if file and not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', file):
             raise ConfigError(f'Specified TLS crypt-file "{file}" is invalid')
 
         file = dict_search('tls.crl_file', openvpn)
         if file and not checkCertHeader('-----BEGIN X509 CRL-----', file):
             raise ConfigError(f'Specified crl-file "{file} not valid')
 
         file = dict_search('tls.dh_file', openvpn)
         if file and not checkCertHeader('-----BEGIN DH PARAMETERS-----', file):
             raise ConfigError(f'Specified dh-file "{file}" is not valid')
 
         if file and not verify_diffie_hellman_length(file, 2048):
             raise ConfigError(f'Minimum DH key-size is 2048 bits')
 
         tmp = dict_search('tls.role', openvpn)
         if tmp:
             if openvpn['mode'] in ['client', 'server']:
                 if not dict_search('tls.auth_file', openvpn):
                     raise ConfigError('Cannot specify "tls role" in client-server mode')
 
             if tmp == 'active':
                 if openvpn['protocol'] == 'tcp-passive':
                     raise ConfigError('Cannot specify "tcp-passive" when "tls role" is "active"')
 
                 if dict_search('tls.dh_file', openvpn):
                     raise ConfigError('Cannot specify "tls dh-file" when "tls role" is "active"')
 
             elif tmp == 'passive':
                 if openvpn['protocol'] == 'tcp-active':
                     raise ConfigError('Cannot specify "tcp-active" when "tls role" is "passive"')
 
                 if not dict_search('tls.dh_file', openvpn):
                     raise ConfigError('Must specify "tls dh-file" when "tls role" is "passive"')
 
         file = dict_search('tls.key_file', openvpn)
         if file and checkCertHeader('-----BEGIN EC PRIVATE KEY-----', file):
             if dict_search('tls.dh_file', openvpn):
                 print('Warning: using dh-file and EC keys simultaneously will ' \
                       'lead to DH ciphers being used instead of ECDH')
 
     if dict_search('encryption.cipher', openvpn) == 'none':
         print('Warning: "encryption none" was specified!')
         print('No encryption will be performed and data is transmitted in ' \
               'plain text over the network!')
 
     #
     # Auth user/pass
     #
     if (dict_search('authentication.username', openvpn) and not
         dict_search('authentication.password', openvpn)):
             raise ConfigError('Password for authentication is missing')
 
     if (dict_search('authentication.password', openvpn) and not
         dict_search('authentication.username', openvpn)):
             raise ConfigError('Username for authentication is missing')
 
     verify_vrf(openvpn)
     verify_bond_bridge_member(openvpn)
 
     return None
 
 def generate(openvpn):
     interface = openvpn['ifname']
     directory = os.path.dirname(cfg_file.format(**openvpn))
     # create base config directory on demand
     makedir(directory, user, group)
     # enforce proper permissions on /run/openvpn
     chown(directory, user, group)
 
     # we can't know in advance which clients have been removed,
     # thus all client configs will be removed and re-added on demand
     ccd_dir = os.path.join(directory, 'ccd', interface)
     if os.path.isdir(ccd_dir):
         rmtree(ccd_dir, ignore_errors=True)
 
     # Remove systemd directories with overrides
     service_dir = os.path.dirname(service_file.format(**openvpn))
     if os.path.isdir(service_dir):
         rmtree(service_dir, ignore_errors=True)
 
     if 'deleted' in openvpn or 'disable' in openvpn:
         return None
 
     # create client config directory on demand
     makedir(ccd_dir, user, group)
 
     # Fix file permissons for site2site shared secret
     if dict_search('shared_secret_key_file', openvpn):
         chmod_600(openvpn['shared_secret_key_file'])
         chown(openvpn['shared_secret_key_file'], user, group)
 
     # Fix file permissons for TLS certificate and keys
     for tls in ['auth_file', 'ca_cert_file', 'cert_file', 'crl_file',
                 'crypt_file', 'dh_file', 'key_file']:
         if dict_search(f'tls.{tls}', openvpn):
             chmod_600(openvpn['tls'][tls])
             chown(openvpn['tls'][tls], user, group)
 
     # Generate User/Password authentication file
     if 'authentication' in openvpn:
         render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.tmpl', openvpn,
                user=user, group=group, permission=0o600)
     else:
         # delete old auth file if present
         if os.path.isfile(openvpn['auth_user_pass_file']):
             os.remove(openvpn['auth_user_pass_file'])
 
     # Generate client specific configuration
     if dict_search('server.client', openvpn):
         for client, client_config in dict_search('server.client', openvpn).items():
             client_file = os.path.join(ccd_dir, client)
 
             # Our client need's to know its subnet mask ...
             client_config['server_subnet'] = dict_search('server.subnet', openvpn)
 
             render(client_file, 'openvpn/client.conf.tmpl', client_config,
                    user=user, group=group)
 
     # we need to support quoting of raw parameters from OpenVPN CLI
     # see https://phabricator.vyos.net/T1632
     render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn,
            formater=lambda _: _.replace("&quot;", '"'), user=user, group=group)
 
     # Render 20-override.conf for OpenVPN service
     render(service_file.format(**openvpn), 'openvpn/service-override.conf.tmpl', openvpn,
            formater=lambda _: _.replace("&quot;", '"'), user=user, group=group)
     # Reload systemd services config to apply an override
     call(f'systemctl daemon-reload')
 
     return None
 
 def apply(openvpn):
     interface = openvpn['ifname']
 
     # Do some cleanup when OpenVPN is disabled/deleted
     if 'deleted' in openvpn or 'disable' in openvpn:
         call(f'systemctl stop openvpn@{interface}.service')
         for cleanup_file in glob(f'/run/openvpn/{interface}.*'):
             if os.path.isfile(cleanup_file):
                 os.unlink(cleanup_file)
 
         if interface in interfaces():
             VTunIf(interface).remove()
 
         return None
 
     # verify specified IP address is present on any interface on this system
     # Allow to bind service to nonlocal address, if it virtaual-vrrp address
     # or if address will be assign later
     if 'local_host' in openvpn:
         if not is_addr_assigned(openvpn['local_host']):
             cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1')
 
     # No matching OpenVPN process running - maybe it got killed or none
     # existed - nevertheless, spawn new OpenVPN process
     action = 'reload-or-restart'
     if 'restart_required' in openvpn:
         action = 'restart'
     call(f'systemctl {action} openvpn@{interface}.service')
 
     conf = VTunIf.get_config()
     conf['device_type'] = openvpn['device_type']
 
     o = VTunIf(interface, **conf)
     o.update(openvpn)
 
     return None
 
 
 if __name__ == '__main__':
     try:
         c = get_config()
         verify(c)
         generate(c)
         apply(c)
     except ConfigError as e:
         print(e)
         exit(1)