security-polices: Create a system policy

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Show policy after it has been created

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Check if default policy exists

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Do not empty $dst when source file cannot be read

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-polcies: Only allow creating one policy at a time

This keeps the function easier and lets it return a better error code
when ever something goes wrong.

I don't expect to do anyone doing this in bulk.

I also changed some of the error messages.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Improve coding style

No functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Remove trailing dot from log message

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Move comment to right spot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Make function handle paths with spaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add vpn security policies to cli

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hook: return error codes to previos functions

When we call an hook we should not exit with the error code.
Instead we should return the code to the function that called that hook function.
So we candle handle errors better.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: fix zone_new

Everytime somethings goes wrong when we call hook_new we wannt to call zone_destroy.
Not only when we get an EXIT_ERROR also when we get an EXIT_CONF_ERROR and so on.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-zone: refactor hook_edit nad hook_new

We now return error codes and break when something important goes wrong.
because of that, we have to split hook_new and hook_edit.
When zone_settins-read fails in hook_edit we cannot go but it would every time we would call it in hook_new.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv4-static: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv6-auto: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv6-static: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

list: fix a bug

When the list is called "list" we have a problem because
${list}="list"
and ${!list}="list"
This creates effects nobody wants and which are also not so easy to understand.
To avoid such problems in the future we now throw an assertation when the list is called list.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config: improve config_get_id_from_config and config_get_hook_from_config

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

add new feature vpn security policies

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

constants: add new constant NETWORK_SHARE_DIR

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: add new function copy

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove empty files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remember to start DHCP servers once started

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-config: add generic hook_edit function

If a hook_parse-cmdline function exists
this functions allows it do edit the hook safely.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config: add new functions

This patch add two new functions:
config_get_id_from_config()
config_get_hook_from_config

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp: check the config indide the hook_parse_cmdline() function

We now check the config inside the hook_parse_cmdline function.
This mae it possible ti use this function in a generic edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-zone fix hook_config_edit()

This function accepted only two arguments so new cmd coudl be passed.
We accept now more then 2 arguments.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: fix zone_config()

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop deprecated listlength function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop deprecated listmatch function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop deprecated listsort function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Import CODING_STYLE

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Move license into docs directory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp: remove useless delay setting

Fixes: #11420
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: isbool accept now also true and false

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

man: Fix grammar and spelling in color documentation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

man: add documentation for the description command

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

man: add color documentation

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp: merge hooks ipv4-dhcp and ipv6-dhcp

Fixes: #11404
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: make edit syntax clear

Fixes: #11422
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: add new command config list

With the new command
network <zone> config list
a user can get all configured configs with id and hook.

Fixes: #11407
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: Check early if a id is valid

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: change edit syntax for config.

The syntax to edit a config is now

network zone upl0 config <id> edit

similar to the syntax if a zone is edited.

The cmd variable is setted to the content of ${1},
because we need the content in this variable if the ${id} is not valid, to print a nice error message.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-zone: refactor hook_config_edit

With the new id function this function gets a zone name and a id,
but hook_config_cmd needs also the name of the hook.

So this function now calls zone_config_get_hook_from_id to get the hook
and calls then hook_config_cmd with the correct argument order.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-zone: refactor hook_config_destroy

With the new id function this function gets a zone name and a id,
but hook_config_cmd needs also the name of the hook.

So this function now calls zone_config_get_hook_from_id to get the hook
and calls then hook_config_cmd with the correct argument order.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: Introduce id feature

When we write a config for the frist time a unique id is generated and appended to the filename.
So it is possible to identify a config clearly.

The variable config is rename to hook because this function takes now
the name of the hook and the id. The name of the config is no more suitable.
If no id is passed we generate one.
This should only happen when we write the file for the first time.

Fixes: #11405
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: new function zone_config_get_hook_from_id

This function is needed to implement the id feature
described in #11405

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: new function zone_config_id_is_valid

This function is needed to implement the id feature
described in #11405

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: new function zone_config_get_new_id

This functions is needed to implement the new id feature
described in #11405

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config: remove old hashes

With the new id feature the old hashes are not necessary anymore.
The ipv6_hash function is dropped because we need this function no more.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

settings: remove dot from log message

The dots at the end of log messages can be confusing.
Especially behind variables,it is often unclear if the dot was part of the variable or not
which make debugging much harder.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: prevent multiple configs for the same zone

It is senseless to configure the ppoe-server hook
multiple times for a zone.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv6-auto: prevent multiple configs for the same zone

It is senseless to configure the ipv6-auto hook
multiple times for a zone.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv6-dhcp: prevent multiple configs for the same zone

It is senseless to configure the ipv6-dhcp hook
multiple times for a zone.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv4-dhcp: prevent multiple configs for the same zone

It is senseless to configure the ipv4-dhcp hook
multiple times for a zone.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: add function to avoid multiple configs which are senseless

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

inetcalc: do not print the default prefix

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network check if a zone exist before executing commands

We checked if a zone name was valid so
network zone net0 ... fails when theres was no zone net0.
net0 is a valid zone name so we jumped into the wrong if part.
We now check if a zone exist and when now
network zone net0 ...  is called when no zone net0 exists
we print an error message.
This behaviour is similar to network port .., there we do the same thing with port_exists

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

autocompletion: add description support

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network: add description commands

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cli: print the description title

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ports/zones: Add higher level function to get the description title

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add editor functions

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add new description functions

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lock: refactoring functions

lock_acquire:
Refactor function to set the timeout manually
and to avoid the sleep of 0,25s when the timeout value is zero.

lock_exists:
Provides an easier to check if a lock exists

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

autocompletion: add color commands

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network: add color commands

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cli: print the color of a zone/port

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

color: add colors to zone and ports

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ports: Change ports settings file to /etc/network/${port}/settings

The configuration of a port was stored in a file called:
/etc/network/${port}
This is bad because it is very hard to add further information
which belong primary not to the configuration to this file.

So we change the settings file to /etc/network/${port}/settings like for the zones.

This make it possible to store other configurations like the color in other files in the directory
/etc/network/${port}.

A workaround to move the config file into the new directory scheme is:
port=p1 && mv /etc/network/ports/${port} /etc/network/ports/${port}-save \
&& mkdir -p /etc/network/ports/${port} \
&& mv /etc/network/ports/${port}-save /etc/network/ports/${port}/settings

where port is the name of the port like p1 or p0.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: new function abs

This function return the absolute value of a given number.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: add function mtu_is_valid

This function checks if an mtu is valid for a given IP protocol.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Don't handle any events for loopback

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ports: Don't crash with an assertion error when no hook can be found

This happens when a device has an empty configuration file or
the HOOK variable is not set for an other reason.

In that case the function make the entire program crash.

This patch changes behaviour in that sense that the function
returns with an error which must be evaluated by the calling
function.

Fixes #11400

Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device_num_queues(): Read correct file for transmit queues

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device_get_speed(): Break if speed is not readable

This is usually the case when a device has no link
(i.e. the speed is unknown).

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Makefile: Add missing trailing backslash

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device: Show queue status

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

interrupts: Rename __bitmap_to_processor_id() which returns multiple values

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device: Ignore unknown duplexing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device: Return speed only if a valid (positive) value

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

improve autocompletion of network zone new

Fixes: #11386
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

route: update documentation

This patch updates the documentation to follow the change from route to route static.
The network-route manpage is now a generical one wich just list which types of routes we support like static or later dynamic.

In the network-route-static are the explanation for static routes.
This documents represents the previous network-route manpage .

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

route: rename route to route static

Fixes: #11374
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

route: add new cli command reload

This new command just call route_apply.
It provide a nice way to take changes of the config file into affect.
Also it helps when the routes are not applied.
This should not happen, but when this command is better then network restart.

Fixes: 11367
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: improve input validation

We now check if the subnet, the mtu and the max-sessions valud is valid.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip: restructure ip_net_is_valid

Insted of checking the network manually we now just calö ipv4_net_is_valid or
ipv6_net_is_valid

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv4: new function ipv4_net_is_valid

This function checks if a given network is valid IPv4 network

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip: rename ip_is_network to ip_net_is_valid

We rename this function to state clear what the function is actually doing.
The function checks if a network is valid and not if something is a network or not.

Fixes: 11357
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device queues: Fix listing queues

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix incorrect variable name in SMP affinity handling

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

man: update the pppoe zone documentation

Fixes: #11375
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

route: apply static routes on startup and restart

The static routes can only be applied when the network has a valid layer 3  connectivity.
So it is not useful to have a route_init which is called before we have any layer 3  connectivity.
We now call the route_apply every time we set new routes for a zone.
We do this every time we get a new layer 3  connectivity so all routes are applied correctly.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

6to4-tunnel: LOCAL_ADDRESS6 needs to be a valid IPv6 network

Fixes: #1359
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop support for 6rd

This is probably not in wide use any more and I do not want
to support this either. Therefore this is dropped for now.

Fixes #11369

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Don't try identifying non-existant device when attaching to a zone

This resulted in an error message which is unnecessary.

Fixes #11174

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

test: Include test-functions in tarball

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

test: Add module tests for ip_network_is_subset_of

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

inetcalc: Use memcmp to determine which IP address is higher

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>