diff --git a/data/templates/frr/zebra.route-map.frr.j2 b/data/templates/frr/zebra.route-map.frr.j2 index 8e18abbde..669d58354 100644 --- a/data/templates/frr/zebra.route-map.frr.j2 +++ b/data/templates/frr/zebra.route-map.frr.j2 @@ -1,9 +1,14 @@ ! +{% if nht.no_resolve_via_default is vyos_defined %} +no {{ afi }} nht resolve-via-default +{% endif %} +! {% if protocol is vyos_defined %} {% for protocol_name, protocol_config in protocol.items() %} {% if protocol_name is vyos_defined('ospfv3') %} {% set protocol_name = 'ospf6' %} {% endif %} {{ afi }} protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} {% endfor %} {% endif %} +! diff --git a/interface-definitions/include/system-ip-nht.xml.i b/interface-definitions/include/system-ip-nht.xml.i new file mode 100644 index 000000000..4074043cd --- /dev/null +++ b/interface-definitions/include/system-ip-nht.xml.i @@ -0,0 +1,15 @@ +<!-- include start from syslog-facility.xml.i --> +<node name="nht"> + <properties> + <help>Filter Next Hop tracking route resolution</help> + </properties> + <children> + <leafNode name="no-resolve-via-default"> + <properties> + <help>Do not resolve via default route</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/system_ip.xml.in b/interface-definitions/system_ip.xml.in index 6e3b7d5d0..015eb270f 100644 --- a/interface-definitions/system_ip.xml.in +++ b/interface-definitions/system_ip.xml.in @@ -1,114 +1,115 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="system"> <children> <node name="ip" owner="${vyos_conf_scripts_dir}/system_ip.py"> <properties> <help>IPv4 Settings</help> <!-- must be before any interface, check /opt/vyatta/sbin/priority.pl --> <priority>290</priority> </properties> <children> <node name="arp"> <properties> <help>Parameters for ARP cache</help> </properties> <children> #include <include/arp-ndp-table-size.xml.i> </children> </node> <leafNode name="disable-forwarding"> <properties> <help>Disable IPv4 forwarding on all interfaces</help> <valueless/> </properties> </leafNode> <leafNode name="disable-directed-broadcast"> <properties> <help>Disable IPv4 directed broadcast forwarding on all interfaces</help> <valueless/> </properties> </leafNode> <node name="multipath"> <properties> <help>IPv4 multipath settings</help> </properties> <children> <leafNode name="ignore-unreachable-nexthops"> <properties> <help>Ignore next hops that are not in the ARP table</help> <valueless/> </properties> </leafNode> <leafNode name="layer4-hashing"> <properties> <help>Use layer 4 information for ECMP hashing</help> <valueless/> </properties> </leafNode> </children> </node> + #include <include/system-ip-nht.xml.i> <node name="tcp"> <properties> <help>IPv4 TCP parameters</help> </properties> <children> <node name="mss"> <properties> <help>IPv4 TCP MSS probing options</help> </properties> <children> <leafNode name="probing"> <properties> <help>Attempt to lower the MSS if TCP connections fail to establish</help> <completionHelp> <list>on-icmp-black-hole force</list> </completionHelp> <valueHelp> <format>on-icmp-black-hole</format> <description>Attempt TCP MSS probing when an ICMP black hole is detected</description> </valueHelp> <valueHelp> <format>force</format> <description>Attempt TCP MSS probing by default</description> </valueHelp> <constraint> <regex>(on-icmp-black-hole|force)</regex> </constraint> <constraintErrorMessage>Must be on-icmp-black-hole or force</constraintErrorMessage> </properties> </leafNode> <leafNode name="base"> <properties> <help>Base MSS to start probing from (applicable to "probing force")</help> <valueHelp> <format>u32:48-1460</format> <description>Base MSS value for probing (default: 1024)</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 48-1460"/> </constraint> </properties> </leafNode> <leafNode name="floor"> <properties> <help>Minimum MSS to stop probing at (default: 48)</help> <valueHelp> <format>u32:48-1460</format> <description>Minimum MSS value to probe</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 48-1460"/> </constraint> </properties> </leafNode> </children> </node> </children> </node> #include <include/system-ip-protocol.xml.i> </children> </node> </children> </node> </interfaceDefinition> diff --git a/interface-definitions/system_ipv6.xml.in b/interface-definitions/system_ipv6.xml.in index 8957cb6a7..dda00af38 100644 --- a/interface-definitions/system_ipv6.xml.in +++ b/interface-definitions/system_ipv6.xml.in @@ -1,50 +1,51 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="system"> <children> <node name="ipv6" owner="${vyos_conf_scripts_dir}/system_ipv6.py"> <properties> <help>IPv6 Settings</help> <!-- must be before any interface, check /opt/vyatta/sbin/priority.pl --> <priority>290</priority> </properties> <children> <leafNode name="disable-forwarding"> <properties> <help>Disable IPv6 forwarding on all interfaces</help> <valueless/> </properties> </leafNode> <node name="multipath"> <properties> <help>IPv6 multipath settings</help> </properties> <children> <leafNode name="layer4-hashing"> <properties> <help>Use layer 4 information for ECMP hashing</help> <valueless/> </properties> </leafNode> </children> </node> <node name="neighbor"> <properties> <help>Parameters for neighbor discovery cache</help> </properties> <children> #include <include/arp-ndp-table-size.xml.i> </children> </node> + #include <include/system-ip-nht.xml.i> #include <include/system-ipv6-protocol.xml.i> <leafNode name="strict-dad"> <properties> <help>Disable IPv6 operation on interface when DAD fails on LL addr</help> <valueless/> </properties> </leafNode> </children> </node> </children> </node> </interfaceDefinition> diff --git a/smoketest/scripts/cli/test_system_ip.py b/smoketest/scripts/cli/test_system_ip.py index 567416774..ac8b74236 100755 --- a/smoketest/scripts/cli/test_system_ip.py +++ b/smoketest/scripts/cli/test_system_ip.py @@ -1,124 +1,137 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020-2023 VyOS maintainers and contributors +# Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSessionError from vyos.utils.file import read_file base_path = ['system', 'ip'] class TestSystemIP(VyOSUnitTestSHIM.TestCase): def tearDown(self): self.cli_delete(base_path) self.cli_commit() def test_system_ip_forwarding(self): # Test if IPv4 forwarding can be disabled globally, default is '1' # which means forwarding enabled all_forwarding = '/proc/sys/net/ipv4/conf/all/forwarding' self.assertEqual(read_file(all_forwarding), '1') self.cli_set(base_path + ['disable-forwarding']) self.cli_commit() self.assertEqual(read_file(all_forwarding), '0') def test_system_ip_directed_broadcast_forwarding(self): # Test if IPv4 directed broadcast forwarding can be disabled globally, # default is '1' which means forwarding enabled bc_forwarding = '/proc/sys/net/ipv4/conf/all/bc_forwarding' self.assertEqual(read_file(bc_forwarding), '1') self.cli_set(base_path + ['disable-directed-broadcast']) self.cli_commit() self.assertEqual(read_file(bc_forwarding), '0') def test_system_ip_multipath(self): # Test IPv4 multipathing options, options default to off -> '0' use_neigh = '/proc/sys/net/ipv4/fib_multipath_use_neigh' hash_policy = '/proc/sys/net/ipv4/fib_multipath_hash_policy' self.assertEqual(read_file(use_neigh), '0') self.assertEqual(read_file(hash_policy), '0') self.cli_set(base_path + ['multipath', 'ignore-unreachable-nexthops']) self.cli_set(base_path + ['multipath', 'layer4-hashing']) self.cli_commit() self.assertEqual(read_file(use_neigh), '1') self.assertEqual(read_file(hash_policy), '1') def test_system_ip_arp_table_size(self): # Maximum number of entries to keep in the ARP cache, the # default is 8k gc_thresh3 = '/proc/sys/net/ipv4/neigh/default/gc_thresh3' gc_thresh2 = '/proc/sys/net/ipv4/neigh/default/gc_thresh2' gc_thresh1 = '/proc/sys/net/ipv4/neigh/default/gc_thresh1' self.assertEqual(read_file(gc_thresh3), '8192') self.assertEqual(read_file(gc_thresh2), '4096') self.assertEqual(read_file(gc_thresh1), '1024') for size in [1024, 2048, 4096, 8192, 16384, 32768]: self.cli_set(base_path + ['arp', 'table-size', str(size)]) self.cli_commit() self.assertEqual(read_file(gc_thresh3), str(size)) self.assertEqual(read_file(gc_thresh2), str(size // 2)) self.assertEqual(read_file(gc_thresh1), str(size // 8)) def test_system_ip_protocol_route_map(self): protocols = ['any', 'babel', 'bgp', 'connected', 'eigrp', 'isis', 'kernel', 'ospf', 'rip', 'static', 'table'] for protocol in protocols: self.cli_set(['policy', 'route-map', f'route-map-{protocol}', 'rule', '10', 'action', 'permit']) self.cli_set(base_path + ['protocol', protocol, 'route-map', f'route-map-{protocol}']) self.cli_commit() # Verify route-map properly applied to FRR frrconfig = self.getFRRconfig('ip protocol', end='', daemon='zebra') for protocol in protocols: self.assertIn(f'ip protocol {protocol} route-map route-map-{protocol}', frrconfig) # Delete route-maps self.cli_delete(['policy', 'route-map']) self.cli_delete(base_path + ['protocol']) self.cli_commit() # Verify route-map properly applied to FRR frrconfig = self.getFRRconfig('ip protocol', end='', daemon='zebra') self.assertNotIn(f'ip protocol', frrconfig) def test_system_ip_protocol_non_existing_route_map(self): non_existing = 'non-existing' self.cli_set(base_path + ['protocol', 'static', 'route-map', non_existing]) # VRF does yet not exist - an error must be thrown with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(['policy', 'route-map', non_existing, 'rule', '10', 'action', 'deny']) # Commit again self.cli_commit() + def test_system_ip_nht(self): + self.cli_set(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config applied to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertIn(f'no ip nht resolve-via-default', frrconfig) + + self.cli_delete(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config removed to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertNotIn(f'no ip nht resolve-via-default', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_ipv6.py b/smoketest/scripts/cli/test_system_ipv6.py index 225c2d666..bc0f7aa8c 100755 --- a/smoketest/scripts/cli/test_system_ipv6.py +++ b/smoketest/scripts/cli/test_system_ipv6.py @@ -1,135 +1,148 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021-2023 VyOS maintainers and contributors +# Copyright (C) 2021-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSessionError from vyos.template import is_ipv4 from vyos.utils.file import read_file from vyos.utils.network import get_interface_config from vyos.utils.network import is_intf_addr_assigned base_path = ['system', 'ipv6'] file_forwarding = '/proc/sys/net/ipv6/conf/all/forwarding' file_disable = '/proc/sys/net/ipv6/conf/all/disable_ipv6' file_dad = '/proc/sys/net/ipv6/conf/all/accept_dad' file_multipath = '/proc/sys/net/ipv6/fib_multipath_hash_policy' class TestSystemIPv6(VyOSUnitTestSHIM.TestCase): def tearDown(self): self.cli_delete(base_path) self.cli_commit() def test_system_ipv6_forwarding(self): # Test if IPv6 forwarding can be disabled globally, default is '1' # which means forwearding enabled self.assertEqual(read_file(file_forwarding), '1') self.cli_set(base_path + ['disable-forwarding']) self.cli_commit() self.assertEqual(read_file(file_forwarding), '0') def test_system_ipv6_strict_dad(self): # This defaults to 1 self.assertEqual(read_file(file_dad), '1') # Do not assign any IPv6 address on interfaces, this requires a reboot # which can not be tested, but we can read the config file :) self.cli_set(base_path + ['strict-dad']) self.cli_commit() # Verify configuration file self.assertEqual(read_file(file_dad), '2') def test_system_ipv6_multipath(self): # This defaults to 0 self.assertEqual(read_file(file_multipath), '0') # Do not assign any IPv6 address on interfaces, this requires a reboot # which can not be tested, but we can read the config file :) self.cli_set(base_path + ['multipath', 'layer4-hashing']) self.cli_commit() # Verify configuration file self.assertEqual(read_file(file_multipath), '1') def test_system_ipv6_neighbor_table_size(self): # Maximum number of entries to keep in the ARP cache, the # default is 8192 gc_thresh3 = '/proc/sys/net/ipv6/neigh/default/gc_thresh3' gc_thresh2 = '/proc/sys/net/ipv6/neigh/default/gc_thresh2' gc_thresh1 = '/proc/sys/net/ipv6/neigh/default/gc_thresh1' self.assertEqual(read_file(gc_thresh3), '8192') self.assertEqual(read_file(gc_thresh2), '4096') self.assertEqual(read_file(gc_thresh1), '1024') for size in [1024, 2048, 4096, 8192, 16384, 32768]: self.cli_set(base_path + ['neighbor', 'table-size', str(size)]) self.cli_commit() self.assertEqual(read_file(gc_thresh3), str(size)) self.assertEqual(read_file(gc_thresh2), str(size // 2)) self.assertEqual(read_file(gc_thresh1), str(size // 8)) def test_system_ipv6_protocol_route_map(self): protocols = ['any', 'babel', 'bgp', 'connected', 'isis', 'kernel', 'ospfv3', 'ripng', 'static', 'table'] for protocol in protocols: route_map = 'route-map-' + protocol.replace('ospfv3', 'ospf6') self.cli_set(['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit']) self.cli_set(base_path + ['protocol', protocol, 'route-map', route_map]) self.cli_commit() # Verify route-map properly applied to FRR frrconfig = self.getFRRconfig('ipv6 protocol', end='', daemon='zebra') for protocol in protocols: # VyOS and FRR use a different name for OSPFv3 (IPv6) if protocol == 'ospfv3': protocol = 'ospf6' self.assertIn(f'ipv6 protocol {protocol} route-map route-map-{protocol}', frrconfig) # Delete route-maps self.cli_delete(['policy', 'route-map']) self.cli_delete(base_path + ['protocol']) self.cli_commit() # Verify route-map properly applied to FRR frrconfig = self.getFRRconfig('ipv6 protocol', end='', daemon='zebra') self.assertNotIn(f'ipv6 protocol', frrconfig) def test_system_ipv6_protocol_non_existing_route_map(self): non_existing = 'non-existing6' self.cli_set(base_path + ['protocol', 'static', 'route-map', non_existing]) # VRF does yet not exist - an error must be thrown with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(['policy', 'route-map', non_existing, 'rule', '10', 'action', 'deny']) # Commit again self.cli_commit() + def test_system_ipv6_nht(self): + self.cli_set(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config applied to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertIn(f'no ipv6 nht resolve-via-default', frrconfig) + + self.cli_delete(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config removed to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertNotIn(f'no ipv6 nht resolve-via-default', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/system_ip.py b/src/conf_mode/system_ip.py index 7612e2c0d..833f89554 100755 --- a/src/conf_mode/system_ip.py +++ b/src/conf_mode/system_ip.py @@ -1,143 +1,144 @@ #!/usr/bin/env python3 # # Copyright (C) 2019-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. from sys import exit from vyos.config import Config from vyos.configdict import dict_merge from vyos.configverify import verify_route_map from vyos.template import render_to_string from vyos.utils.dict import dict_search from vyos.utils.file import write_file from vyos.utils.process import call from vyos.utils.process import is_systemd_service_active from vyos.utils.system import sysctl_write from vyos import ConfigError from vyos import frr from vyos import airbag airbag.enable() def get_config(config=None): if config: conf = config else: conf = Config() base = ['system', 'ip'] opt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, with_recursive_defaults=True) # When working with FRR we need to know the corresponding address-family opt['afi'] = 'ip' # We also need the route-map information from the config # # XXX: one MUST always call this without the key_mangling() option! See # vyos.configverify.verify_common_route_maps() for more information. tmp = {'policy' : {'route-map' : conf.get_config_dict(['policy', 'route-map'], get_first_key=True)}} # Merge policy dict into "regular" config dict opt = dict_merge(tmp, opt) return opt def verify(opt): if 'protocol' in opt: for protocol, protocol_options in opt['protocol'].items(): if 'route_map' in protocol_options: verify_route_map(protocol_options['route_map'], opt) return def generate(opt): opt['frr_zebra_config'] = render_to_string('frr/zebra.route-map.frr.j2', opt) return def apply(opt): # Apply ARP threshold values # table_size has a default value - thus the key always exists size = int(dict_search('arp.table_size', opt)) # Amount upon reaching which the records begin to be cleared immediately sysctl_write('net.ipv4.neigh.default.gc_thresh3', size) # Amount after which the records begin to be cleaned after 5 seconds sysctl_write('net.ipv4.neigh.default.gc_thresh2', size // 2) # Minimum number of stored records is indicated which is not cleared sysctl_write('net.ipv4.neigh.default.gc_thresh1', size // 8) # enable/disable IPv4 forwarding tmp = dict_search('disable_forwarding', opt) value = '0' if (tmp != None) else '1' write_file('/proc/sys/net/ipv4/conf/all/forwarding', value) # enable/disable IPv4 directed broadcast forwarding tmp = dict_search('disable_directed_broadcast', opt) value = '0' if (tmp != None) else '1' write_file('/proc/sys/net/ipv4/conf/all/bc_forwarding', value) # configure multipath tmp = dict_search('multipath.ignore_unreachable_nexthops', opt) value = '1' if (tmp != None) else '0' sysctl_write('net.ipv4.fib_multipath_use_neigh', value) tmp = dict_search('multipath.layer4_hashing', opt) value = '1' if (tmp != None) else '0' sysctl_write('net.ipv4.fib_multipath_hash_policy', value) # configure TCP options (defaults as of Linux 6.4) tmp = dict_search('tcp.mss.probing', opt) if tmp is None: value = 0 elif tmp == 'on-icmp-black-hole': value = 1 elif tmp == 'force': value = 2 else: # Shouldn't happen raise ValueError("TCP MSS probing is neither 'on-icmp-black-hole' nor 'force'!") sysctl_write('net.ipv4.tcp_mtu_probing', value) tmp = dict_search('tcp.mss.base', opt) value = '1024' if (tmp is None) else tmp sysctl_write('net.ipv4.tcp_base_mss', value) tmp = dict_search('tcp.mss.floor', opt) value = '48' if (tmp is None) else tmp sysctl_write('net.ipv4.tcp_mtu_probe_floor', value) # During startup of vyos-router that brings up FRR, the service is not yet # running when this script is called first. Skip this part and wait for initial # commit of the configuration to trigger this statement if is_systemd_service_active('frr.service'): zebra_daemon = 'zebra' # Save original configuration prior to starting any commit actions frr_cfg = frr.FRRConfig() # The route-map used for the FIB (zebra) is part of the zebra daemon frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'no ip nht resolve-via-default') frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') if 'frr_zebra_config' in opt: frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) frr_cfg.commit_configuration(zebra_daemon) if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1) diff --git a/src/conf_mode/system_ipv6.py b/src/conf_mode/system_ipv6.py index 90a1a8087..00d440e35 100755 --- a/src/conf_mode/system_ipv6.py +++ b/src/conf_mode/system_ipv6.py @@ -1,120 +1,121 @@ #!/usr/bin/env python3 # # Copyright (C) 2019-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os from sys import exit from vyos.config import Config from vyos.configdict import dict_merge from vyos.configverify import verify_route_map from vyos.template import render_to_string from vyos.utils.dict import dict_search from vyos.utils.file import write_file from vyos.utils.process import is_systemd_service_active from vyos.utils.system import sysctl_write from vyos import ConfigError from vyos import frr from vyos import airbag airbag.enable() def get_config(config=None): if config: conf = config else: conf = Config() base = ['system', 'ipv6'] opt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, with_recursive_defaults=True) # When working with FRR we need to know the corresponding address-family opt['afi'] = 'ipv6' # We also need the route-map information from the config # # XXX: one MUST always call this without the key_mangling() option! See # vyos.configverify.verify_common_route_maps() for more information. tmp = {'policy' : {'route-map' : conf.get_config_dict(['policy', 'route-map'], get_first_key=True)}} # Merge policy dict into "regular" config dict opt = dict_merge(tmp, opt) return opt def verify(opt): if 'protocol' in opt: for protocol, protocol_options in opt['protocol'].items(): if 'route_map' in protocol_options: verify_route_map(protocol_options['route_map'], opt) return def generate(opt): opt['frr_zebra_config'] = render_to_string('frr/zebra.route-map.frr.j2', opt) return def apply(opt): # configure multipath tmp = dict_search('multipath.layer4_hashing', opt) value = '1' if (tmp != None) else '0' sysctl_write('net.ipv6.fib_multipath_hash_policy', value) # Apply ND threshold values # table_size has a default value - thus the key always exists size = int(dict_search('neighbor.table_size', opt)) # Amount upon reaching which the records begin to be cleared immediately sysctl_write('net.ipv6.neigh.default.gc_thresh3', size) # Amount after which the records begin to be cleaned after 5 seconds sysctl_write('net.ipv6.neigh.default.gc_thresh2', size // 2) # Minimum number of stored records is indicated which is not cleared sysctl_write('net.ipv6.neigh.default.gc_thresh1', size // 8) # enable/disable IPv6 forwarding tmp = dict_search('disable_forwarding', opt) value = '0' if (tmp != None) else '1' write_file('/proc/sys/net/ipv6/conf/all/forwarding', value) # configure IPv6 strict-dad tmp = dict_search('strict_dad', opt) value = '2' if (tmp != None) else '1' for root, dirs, files in os.walk('/proc/sys/net/ipv6/conf'): for name in files: if name == 'accept_dad': write_file(os.path.join(root, name), value) # During startup of vyos-router that brings up FRR, the service is not yet # running when this script is called first. Skip this part and wait for initial # commit of the configuration to trigger this statement if is_systemd_service_active('frr.service'): zebra_daemon = 'zebra' # Save original configuration prior to starting any commit actions frr_cfg = frr.FRRConfig() # The route-map used for the FIB (zebra) is part of the zebra daemon frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'no ipv6 nht resolve-via-default') frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') if 'frr_zebra_config' in opt: frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) frr_cfg.commit_configuration(zebra_daemon) if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)