nhrp: T2326: NHRP migration to FRR

data/op-mode-standardized.json

@@ -19,7 +19,6 @@
 "multicast.py",
 "nat.py",
 "neighbor.py",
-"nhrp.py",
 "openconnect.py",
 "openvpn.py",
 "otp.py",

data/templates/frr/daemons.frr.tmpl

@@ -30,7 +30,7 @@ isisd=yes
 pimd=no
 pim6d=yes
 ldpd=yes
-nhrpd=no
+nhrpd=yes
 eigrpd=no
 babeld=yes
 sharpd=no

data/templates/frr/nhrpd.frr.j2

@@ -0,0 +1,62 @@
+!
+{% if redirect is vyos_defined %}
+nhrp nflog-group {{ redirect }}
+{% endif %}
+{% if multicast is vyos_defined %}
+nhrp multicast-nflog-group {{ multicast }}
+{% endif %}
+{% if tunnel is vyos_defined %}
+{%     for iface, iface_config in tunnel.items() %}
+interface {{ iface }}
+{%         if iface_config.authentication is vyos_defined %}
+ ip nhrp authentication {{ iface_config.authentication }}
+{%         endif %}
+{%         if iface_config.holdtime is vyos_defined %}
+ ip nhrp holdtime {{ iface_config.holdtime }}
+{%         endif %}
+{%         if iface_config.map.tunnel_ip is vyos_defined %}
+{%             for tunip, tunip_config in iface_config.map.tunnel_ip.items() %}
+{%                 if tunip_config.nbma is vyos_defined %}
+ ip nhrp map {{ tunip }} {{ tunip_config.nbma }}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%         if iface_config.mtu is vyos_defined %}
+ ip nhrp mtu {{ iface_config.mtu }}
+{%         endif %}
+{%         if iface_config.multicast is vyos_defined %}
+{%             for multicast_ip in iface_config.multicast %}
+ ip nhrp map multicast {{ multicast_ip }}
+{%             endfor %}
+{%         endif %}
+{%         if iface_config.nhs.tunnel_ip is vyos_defined %}
+{%             for tunip, tunip_config in iface_config.nhs.tunnel_ip.items() %}
+{%                 if tunip_config.nbma is vyos_defined %}
+{%                     for nbmaip in tunip_config.nbma %}
+ ip nhrp nhs {{ tunip }} nbma {{ nbmaip }}
+{%                     endfor %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%         if iface_config.network_id is vyos_defined %}
+ ip nhrp network-id {{ iface_config.network_id }}
+{%         endif %}
+{%         if iface_config.redirect is vyos_defined %}
+ ip nhrp redirect
+{%         endif %}
+{%         if iface_config.registration_no_unique is vyos_defined %}
+ ip nhrp registration no-unique
+{%         endif %}
+{%         if iface_config.shortcut is vyos_defined %}
+ ip nhrp shortcut
+{%         endif %}
+{%         if iface_config.security_profile is vyos_defined %}
+ tunnel protection vici profile dmvpn-{{ iface_config.security_profile }}-{{ iface }}-child
+{%         endif %}
+exit
+!
+{%     endfor %}
+{% endif %}
+!
+exit
+!

data/templates/frr/nhrpd_nftables.conf.j2

@@ -0,0 +1,46 @@
+#!/usr/sbin/nft -f
+
+table ip vyos_nhrp_multicast
+table ip vyos_nhrp_redirect
+delete table ip vyos_nhrp_multicast
+delete table ip vyos_nhrp_redirect
+{% if multicast is vyos_defined %}
+table ip vyos_nhrp_multicast {
+    chain VYOS_NHRP_MULTICAST_OUTPUT {
+        type filter hook output priority filter+10; policy accept;
+{%     if tunnel is vyos_defined %}
+{%         for tun, tunnel_conf in tunnel.items() %}
+{%             if tunnel_conf.multicast is vyos_defined %}
+                oifname "{{ tun }}" ip daddr 224.0.0.0/24 counter log group {{ multicast }}
+                oifname "{{ tun }}" ip daddr 224.0.0.0/24 counter drop
+{%             endif %}
+{%         endfor %}
+{%     endif %}
+    }
+    chain VYOS_NHRP_MULTICAST_FORWARD {
+        type filter hook forward priority filter+10; policy accept;
+{%     if tunnel is vyos_defined %}
+{%         for tun, tunnel_conf in tunnel.items() %}
+{%             if tunnel_conf.multicast is vyos_defined %}
+                oifname "{{ tun }}" ip daddr 224.0.0.0/4 counter log group {{ multicast }}
+                oifname "{{ tun }}" ip daddr 224.0.0.0/4 counter drop
+{%             endif %}
+{%         endfor %}
+{%     endif %}
+    }
+}
+{% endif %}
+{% if redirect is vyos_defined %}
+table ip vyos_nhrp_redirect {
+    chain VYOS_NHRP_REDIRECT_FORWARD {
+        type filter hook forward priority filter+10; policy accept;
+{%     if tunnel is vyos_defined %}
+{%         for tun, tunnel_conf in tunnel.items() %}
+{%             if tunnel_conf.redirect is vyos_defined %}
+                iifname "{{ tun }}" oifname "{{ tun }}" meter loglimit-0 size 65535 { ip daddr & 255.255.255.0 . ip saddr & 255.255.255.0 timeout 1m limit rate 4/minute burst 1 packets } counter log group {{ redirect }}
+{%             endif %}
+{%         endfor %}
+{%     endif %}
+    }
+}
+{% endif %}

data/templates/ipsec/swanctl/profile.j2

@@ -22,16 +22,16 @@
         }
 {%         endif %}
         children {
-            dmvpn {
+            dmvpn-{{ name }}-{{ interface }}-child {
                 esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
                 rekey_time = {{ esp.lifetime }}s
                 rand_time = 540s
                 local_ts = dynamic[gre]
                 remote_ts = dynamic[gre]
                 mode = {{ esp.mode }}
-{%         if ike.dead_peer_detection.action is vyos_defined %}
-                dpd_action = {{ ike.dead_peer_detection.action }}
-{%         endif %}
+                dpd_action = clear
+                close_action = none
+                start_action = none
 {%         if esp.compression is vyos_defined('enable') %}
                 ipcomp = yes
 {%         endif %}

debian/control

@@ -172,9 +172,6 @@ Depends:
   frr-rpki-rtrlib,
   frr-snmp,
 # End "protocols *"
-# For "protocols nhrp" (part of DMVPN)
-  opennhrp,
-# End "protocols nhrp"
 # For "protocols igmp-proxy"
   igmpproxy,
 # End "protocols igmp-proxy"

interface-definitions/include/version/nhrp-version.xml.i

@@ -0,0 +1,3 @@
+<!-- include start from include/version/nhrp-version.xml.i -->
+<syntaxVersion component='nhrp' version='1'></syntaxVersion>
+<!-- include end -->