summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-11-21Merge pull request #1672 from sever-sever/T4812-eqChristian Poessinger
T4812: Add op-mode Show vpn ipsec connections
2022-11-21T4812: Add op-mode Show vpn ipsec connectionsViacheslav Hletenko
Add op-mode CLI "show vpn ipsec connections" Add the ability to show all configured connections/tunnels and their states.
2022-11-15Merge pull request #1659 from vfreex/fix-ns-config-equuleusChristian Poessinger
backport: T4815: Fix various name server config issues
2022-11-15backport: T4815: Fix various name server config issuesYuxiang Zhu
This is a backport of https://github.com/vyos/vyos-1x/pull/1656. Note I also changed `ip-down.script.tmpl` to not wait for `systemctl stop dhcp6c@$iface.service`, because that command is slow and pppd will kill the ip-down script if it times out. I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch. Not sure if there is another mechanism to handle that functionality or it is missed.
2022-11-05Merge pull request #1640 from initramfs/equuleus-fix-pdns-reloadChristian Poessinger
backport: dns: T4799: fixed powerdns not being reloaded by vyos-hostsd
2022-11-05dns: T4799: fix bug with not reloading powerdns configinitramfs
PowerDNS version 4.7 and above has changed the main process name from 'pdns-r/worker' to 'pdns_recursor'. This commit updates the process name check to use the new name. (cherry picked from commit ff09d4f47e5f54fad8258cd27fb0adfaa4c552b3)
2022-11-01Merge pull request #1634 from c-po/t4177-equuleusChristian Poessinger
strip-private: T4177: Fix for hiding private data token/url/bucket
2022-11-01strip-private: T4177: Fix for hiding private data token/url/bucketViacheslav
Add URL, token and bucket hidind data when is used function "strip-private" (cherry picked from commit f12d8b5a575f4b454426fe11f65b5add966ca53c)
2022-10-31Merge pull request #1630 from roedie/1.3-T4526Christian Poessinger
keepalived: T4526: keepalived-fifo.py unable to load config
2022-10-31Merge pull request #1629 from c-po/t4785-snmp-equuleusChristian Poessinger
snmp: T4785: allow !, @, * and # in SNMP community name (equuleus)
2022-10-30keepalived: T4526: keepalived-fifo.py unable to load configSander Klein
keepalived-fifo.py cannot load the VyOS config because the script is started before the commit is completely finished. This change makes sure the script waits for the commit to be completed. It retries every 0.5 seconds. If the commit is still not completed it will continue as did the original implementation.
2022-10-30snmp: T4785: allow @, * and # in SNMP community nameChristian Poessinger
(cherry picked from commit 3f91033927d80748b70e1ef58b2941643d1aca33)
2022-10-29snmp: T4785: allow ! in community nameChristian Poessinger
(cherry picked from commit dda62226353ebc198b4dbbd319412bb5d1d1ece2)
2022-10-15Merge pull request #1579 from sever-sever/T4743Viacheslav Hletenko
ddclient: T4743: Add option for IPv6 Dynamic DNS
2022-10-13Merge pull request #1593 from sever-sever/T4312-eqViacheslav Hletenko
monitoring: T4312: Ability to set IP address in the URL
2022-10-13monitoring: T4312: Ability to set IP address in the URLViacheslav Hletenko
Use common "url.xml" which allow URL as domain name or IP entrie
2022-10-12Merge pull request #1582 from sever-sever/T4730-eqViacheslav Hletenko
conntrack-sync: T4730: Fix listen-address jinja2 template
2022-10-11Merge pull request #1583 from sever-sever/T4680-eqChristian Poessinger
monitoring: T4680: Bracketize prometheus listen-address
2022-10-11monitoring: T4680: Bracketize prometheus listen-addressViacheslav Hletenko
Fix correct format for prometheus listen-address when we use IPv6 address, we must use square 'brackets' http://[2001:db8::11e]:9273
2022-10-11conntrack-sync: T4730: Fix listen-address jinja2 templateViacheslav Hletenko
Listen address has option 'multi' As result we have an incorrect template value for listen-address - conntrack-sync listen-address '192.0.2.11' in template It looks like "IPv4_address ['192.0.2.11']" in the conntrackd.conf but the correct string expected without brackets Fix it
2022-10-10ddclient: T4743: Add option for IPv6 Dynamic DNSViacheslav Hletenko
Allow to set IPv6 address for Dynamic DNS set service dns dynamic interface eth2 ipv6-enable
2022-10-03Merge pull request #1548 from c-po/t4702-equuleus-wireguardChristian Poessinger
wireguard: T4702: actively revoke peer if it gets disabled
2022-10-03Merge pull request #1520 from c-po/t4652-equuleus-pdns-47Christian Poessinger
smoketest: T4652: upgrade PowerDNS recursor to 4.7 series
2022-10-03Merge pull request #1556 from c-po/equules-t3171Daniil Baturin
ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queues
2022-09-24ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queuesChristian Poessinger
The initial implementation in commit 9fb9e5cade ("ethernet: T3171: add CLI option to enable RPS (Receive Packet Steering)" only changed the CPU affinity for RX queue 0. This commit takes all RX queues into account. (cherry picked from commit 13645bc2cfd31f1525078469f23e89491987e0ea)
2022-09-17wireguard: T4702: actively revoke peer if it gets disabledChristian Poessinger
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep beeing alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly. (cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
2022-09-15Merge pull request #1519 from c-po/t4630-equuleus-peth-macsecDaniil Baturin
T4630: disallow same source-interface for macsec and pseudo-ethernet
2022-09-15Merge pull request #1539 from sever-sever/T4679-eqDaniil Baturin
openvpn: T4679: Fix incorrect verify local and remote address 1.3
2022-09-14openvpn: T4679: Fix incorrect verify local and remote addressViacheslav Hletenko
In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists For example: set interfaces openvpn vtun2 local-address 2001:db8::1 set interfaces openvpn vtun2 remote-address 2001:db8::2 Check in the commit (v4loAddr == v4remAddr) <= both empty lists commit DEBUG: [] == [] or ['2001:db8::2'] == [] So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-05smoketest: T4652: upgrade PowerDNS recursor to 4.7 seriesChristian Poessinger
(cherry picked from commit f3420a967ad5597c57093b5279a844dca4c516c0)
2022-09-04T4630: can not use same source-interface for macsec and pseudo-ethernetChristian Poessinger
A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface. set interfaces macsec macsec10 address '192.168.2.1/30' set interfaces macsec macsec10 security cipher 'gcm-aes-256' set interfaces macsec macsec10 security encrypt set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4' set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6' set interfaces macsec macsec10 source-interface 'eth1' commit set interfaces pseudo-ethernet peth0 source-interface eth1 commit Reuslts in FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private returned: exit code: 2 noteworthy: cmd 'ip link add peth0 link eth1 type macvlan mode private' returned (out): returned (err): RTNETLINK answers: Device or resource busy [[interfaces pseudo-ethernet peth0]] failed Commit failed (cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
2022-09-04Merge pull request #1518 from initramfs/equuleus-fix-bond-members1.3.2Christian Poessinger
backport: bonding: T4668: Fix bond members not adding/interface state incorrect
2022-09-04Merge pull request #1498 from initramfs/fix-v6-default-routeChristian Poessinger
pppoe: T4648: fix incorrect installation of IPv6 default route even when default-route is set to none
2022-09-02bonding: T4668: fix live bonding member add or removeinitramfs
Fixes several bugs around bonding member interface states not matching the committed configuration, including: - Disabled removed interfaces coming back up - Newly added disabled interfaces not staying down - Newly added interfaces not showing up in the bond
2022-09-02bonding: T4668: refactor configuration mode interface bonding scriptinitramfs
Refactor interfaces-bonding.py to simplify existing code and to remove potentially bugprone sections in preparation for member add/remove fixes for T4668.
2022-08-29Merge pull request #1507 from c-po/t4653-offloading-equuleusChristian Poessinger
ethernet: T4653: bugfix copy-paste when processing NIC offloading
2022-08-29ethernet: T4653: bugfix copy-paste when processing NIC offloadingChristian Poessinger
Commit 31169fa8a763e ("vyos.ifconfig: T3619: only set offloading options if supported by NIC") added the new implementation which handles NIC offloading. Unfortunately every single implementation was copied from "gro" which resulted in a change to gro for each offloading option - thus options like lro, sg, tso had no effect at all. It all comes down to copy/paste errors ... one way or another. (cherry picked from commit b01f27b3bb3f4cbc6096011856d83009d0440313)
2022-08-29Merge pull request #1504 from sever-sever/T4654-eqDaniil Baturin
rpki: T4654: Fix RPKI cache description (1.3)
2022-08-29rpki: T4654: Fix RPKI cache descriptionViacheslav Hletenko
Fix wrong descriptions for the RPKI server It was mentioned about the NTP server
2022-08-27pppoe: T4648: stop default route from being installed under IPv6initramfs
Adds a sysctl parameter to ignore the default router obtained from router advertisements when pppoe default-route is set to 'none'.
2022-08-25Merge pull request #1494 from c-po/equuleus-proxy-t4642Christian Poessinger
proxy: T4642: bugfix regex, add hyphen to allow list
2022-08-25proxy: T4642: allow https proxy transportsChristian Poessinger
(cherry picked from commit 73be77ec42d06a369974bfb1255839164f73c276)
2022-08-24proxy: T4642: bugfix regex, add hyphen to allow listChristian Poessinger
(cherry picked from commit bfa13e367d0b77105ba350a34da8212859f07f59)
2022-08-22Merge pull request #1479 from c-po/macsec-t4538-equuleusDaniil Baturin
ethernet: T4538: fix wrong systemd unit used for EAPoL (equuleus)
2022-08-22Merge pull request #1484 from c-po/bridge-fixesChristian Poessinger
bridge: T4632: vlan aware bridge lacks CPU forwarding
2022-08-22bridge: T4632: vlan aware bridge lacks CPU forwardingChristian Poessinger
The VLAN aware bridge was forwarding traffic between member ports, but traffic destined torwards the CPU was dropped. This resulted in a gateway not reachable or DHCP leases that could not be handed out. Tested via: VyOS set interfaces bridge br0 enable-vlan set interfaces bridge br0 member interface eth1 allowed-vlan '10' set interfaces bridge br0 member interface eth1 allowed-vlan '20' set interfaces bridge br0 member interface eth1 allowed-vlan '30' set interfaces bridge br0 member interface eth1 allowed-vlan '40' set interfaces bridge br0 member interface eth1 native-vlan '40' set interfaces bridge br0 member interface eth2 allowed-vlan '30' set interfaces bridge br0 member interface eth2 allowed-vlan '20' set interfaces bridge br0 member interface eth2 allowed-vlan '10' set interfaces bridge br0 member interface eth2 allowed-vlan '40' set interfaces bridge br0 vif 10 address '10.0.10.1/24' set interfaces bridge br0 vif 20 address '10.0.20.1/24' set interfaces bridge br0 vif 30 address '10.0.30.1/24' set interfaces bridge br0 vif 40 address '10.0.40.1/24' Arista vEOS vlan 10,20,30,40 interface Ethernet1 switchport trunk allowed vlan 10,20,30,40 interface Vlan10 ip address 10.0.10.2/24 interface Vlan20 ip address 10.0.20.2/24 interface Vlan30 ip address 10.0.30.2/24 interface Vlan40 ip address 10.0.40.2/24 interface Ethernet1 switchport trunk allowed vlan 10,20,30,40 switchport mode trunk spanning-tree portfast Cisco vIOS interface GigabitEthernet0/0 ip address 10.0.40.3 255.255.255.0 duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ip address 10.0.10.3 255.255.255.0 ! interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip address 10.0.20.3 255.255.255.0 ! interface GigabitEthernet0/0.30 encapsulation dot1Q 30 ip address 10.0.30.3 255.255.255.0 ! (cherry picked from commit f60d0e1ce029925b843f635b36154c90049b9577)
2022-08-22Merge pull request #1480 from c-po/t4629-equuleusDaniil Baturin
T4629: Raised ConfigErrors contain dict instead of only the dict key (equuleus)
2022-08-19vyos.config.configdict: T4592: T4629: only print interface name, not ↵Christian Poessinger
interface dict on error (cherry picked from commit 475fbb785dca76868715827833dc44115635c4a6)
2022-08-19ethernet: T4538: fix wrong systemd unit used for EAPoLChristian Poessinger
When MACsec was bound to an ethernet interface and the underlaying source-interface got changed (even description only) this terminated the MACsec session running on top of it. The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed lead to the fact that wpa_supplicant was always stopped when anything happened on the underlaying source-interface that was not related to EAPoL. (cherry picked from commit f92a23ef9ab8be59681e5b7ba627e399d89bce53)
2022-08-18Merge pull request #1470 from c-po/openconnect-T4614Daniil Baturin
ocserv: openconnect: T4614: add support for split-dns (equuleus)