Age | Commit message | Author
2023-12-08 | login: T4943: use pam-auth-update to enable/disable Google authenticator | Christian Breunig
The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any user has 2FA/MFA configured. Enabling the module is done system wide via pam-auth-update by using a predefined template.
Can be tested using:
    set system login user vyos authentication plaintext-password vyos
    set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'
See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details.
(cherry picked from commit e134dc4171b051d0f98c7151ef32a347bc4f87e2)
2023-12-08 | Merge pull request #2586 from vyos/mergify/bp/sagitta/pr-2583 | Daniil Baturin
op-mode: T5808: Correction of description for ipv6 ospfv3 graceful-restart (backport #2583)
2023-12-08 | Merge pull request #2592 from vyos/mergify/bp/sagitta/pr-2591 | Christian Breunig
ddclient: T5791: use a fixed VRF table ID in smoketests (backport #2591)
2023-12-08 | T5805: telegraf: re-add network metrics | Vladimir F
2023-12-08 | ddclient: T5791: use a fixed VRF table ID in smoketests | Christian Breunig
Fixes
DEBUG - ======================================================================
DEBUG - ERROR: test_07_dyndns_vrf (__main__.TestServiceDDNS.test_07_dyndns_vrf)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_dns_dynamic.py", line 302, in test_07_dyndns_vrf
DEBUG - self.cli_set(['vrf', 'name', vrf_name, 'table', vrf_table])
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 68, in cli_set
DEBUG - self._session.set(config)
DEBUG - File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 154, in set
DEBUG - self.__run_command([SET] + path + value)
DEBUG - File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 143, in __run_command
DEBUG - raise ConfigSessionError(output)
DEBUG - vyos.configsession.ConfigSessionError: Number is not in any of allowed ranges
(cherry picked from commit 7b4be76afae1af580bbe46f17e88d4a6c1088f15)
2023-12-08 | Merge pull request #2581 from vyos/mergify/bp/sagitta/pr-2578 | Viacheslav Hletenko
T160: add NAT64 (backport #2578)
2023-12-08 | Merge pull request #2588 from vyos/mergify/bp/sagitta/pr-2587 | Christian Breunig
wireguard: T5413: fix missing check to migration script raising error (backport #2587)
2023-12-08 | wireguard: T5413: fix missing check to migration script raising error | John Estabrook
(cherry picked from commit 237b71a89160f28e5c603bacf707b1c235f01026)
2023-12-07 | op-mode: T5808: Correction of description for ipv6 ospfv3 graceful-restart | srividya0208
(cherry picked from commit 21ad36aa8789b28311fa04f8add14388057a67ad)
2023-12-07 | Merge pull request #2577 from indrajitr/sagitta-ddclient-backports-T5791 | Christian Breunig
ddclient: T5791: Update dynamic dns configuration path (sagitta backport)
2023-12-07 | smoketest: add a dialout router config with IPv6-PD and WireGuard from 1.3.4 | Christian Breunig
2023-12-07 | Merge pull request #2582 from vyos/mergify/bp/sagitta/pr-2551 | Viacheslav Hletenko
T5778: dhcp server: fix op-mode command (backport #2551)
2023-12-07 | T5778: dhcp server: fix op-mode command <show dhcp server leases ...>. | Nicolas Fort
(cherry picked from commit 57761a370d2217eeb79827e8c20384f6de649c66)
2023-12-07 | T5778: dhcp server: patch op-mode command <show dhcp server leases>. | Nicolas Fort
If *pool* is empty, this means that lease was granted by fail-over server. Also fix issue that <show dhcp server leases state all> prints nothing.
(cherry picked from commit da83b3f96dcedaa8e4d926d9f5bdc963abd9a813)
2023-12-07 | T160: Fix Debian control conflicts | Viacheslav Hletenko
2023-12-07 | T160: Rebase and fixes for NAT64 | Viacheslav Hletenko
- Update the base (rebase)
- Move include/nat64-protocol.xml.i => include/nat64/protocol.xml.i
- Delete unwanted `write_json`, use `write_file` instead
- Remove unnecessary deleting of default values for tagNodes T2665
- Add smoketest
Example:
```
set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth0 address '192.168.122.10/24'
set interfaces ethernet eth2 address '2001:db8::1/64'
set nat64 source rule 100 source prefix '64:ff9b::/96'
set nat64 source rule 100 translation pool 10 address '192.168.122.10'
set nat64 source rule 100 translation pool 10 port '1-65535'
```
(cherry picked from commit 336bb5a071b59264679be4f4f9bedbdecdbe2834)
2023-12-07 | nat64: T160: Implement Jool-based NAT64 translator | Joe Groocock
Signed-off-by: Joe Groocock <me@frebib.net>
(cherry picked from commit 7d49f7079f1129c2fadc7f38ceb230804d89e177)
# Conflicts:
# debian/control
2023-12-05 | ddclient: T5791: Simplify and fix migration script for dynamic dns | Indrajit Raychaudhuri
Mark 'dns dynamic name' as tag node to avoid unexpected nesting. Also, fix file exec permission for migration script.
2023-12-05 | ddclient: T5791: Update smoketest for dynamic dns config path change | Indrajit Raychaudhuri
2023-12-05 | ddclient: T5791: Migration script for dynamic dns config path change | Indrajit Raychaudhuri
2023-12-05 | ddclient: T5791: Remove XML includes that aren't used anymore | Indrajit Raychaudhuri
As followup to interface definition change, remove XML snippets that aren't used anymore. They were there because they were 'include'-ed multiple times in the interface definition `dynamic-dns.xml.in`. Since that's not the case anymore, they can be removed.
2023-12-05 | ddclient: T5791: Update dynamic dns configuration path | Indrajit Raychaudhuri
Modify the configuration path to be consistent with the usual dialects of VyOS configuration (wireguard, dns, firewall, etc.) This would also shorten the configuration path and have a unified treatment for RFC2136-based updates and other 'web-service' based updates. While at it, add support for per-service web-options. This would allow for probing different external URLs on a per-service basis.
2023-12-03 | Merge pull request #2568 from vyos/mergify/bp/sagitta/pr-2566 | Christian Breunig
vti: T5769: restore interface settings on down -> up event (backport #2566)
2023-12-03 | vti: T5769: restore interface settings on down -> up event | Christian Breunig
On VTI interface link down the link-local IPv6 address is removed. As soon as the IPSec tunnel is online again, vti-up-down helper is called which only places the interface in up state using iproute2 command
    sudo ip link set vti0 up
This does not restore the IPv6 LL address. Instead use vyos.ifconfig to properly re-initialize the VTI interface using the generic update() method.
(cherry picked from commit d90ca4415bed8ce99c854243dca3036e76497270)
2023-12-02 | Merge pull request #2565 from vyos/mergify/bp/sagitta/pr-2564 | Viacheslav Hletenko
T5796:add/fixed OCSERV HTTP security headers (backport #2564)
2023-12-02 | T5796:add/fixed OCSERV HTTP security headers | fett0
(cherry picked from commit db51546edd653d3637cb26d6957ce5222d44d395)
2023-12-02 | Merge pull request #2563 from vyos/mergify/bp/sagitta/pr-2562 | Christian Breunig
mdns: T5793: Cleanup avahi-daemon configuration in `/etc` [followup] (backport #2562)
2023-12-02 | mdns: T5793: Cleanup avahi-daemon configuration in `/etc` | Indrajit Raychaudhuri
`/etc/avahi` technically can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`. But we still need to keep `/etc/avahi/services` because avahi-daemon `chroot` to that location at startup. This is setup at build time via `AVAHI_CONFIG_DIR` and there is no way to change it at runtime.
(cherry picked from commit 2b57ca6c3f9ff98cd6d4dd2a101a8b72ed2d94f4)
2023-12-02 | Merge pull request #2561 from jestabro/sagitta-http-api | Christian Breunig
http-api: T5782: simplifications for config mode http-api
2023-12-01 | Merge pull request #2560 from vyos/mergify/bp/sagitta/pr-2559 | Christian Breunig
mdns: T5793: Cleanup avahi-daemon configuration in `/etc` (backport #2559)
2023-12-01 | http-api: T5782: use single config-mode script for https and http-api | John Estabrook
2023-12-01 | http-api: T5768: remove auxiliary http-api.conf | John Estabrook
2023-12-01 | mdns: T5793: Cleanup avahi-daemon configuration in `/etc` | Indrajit Raychaudhuri
`/etc/avahi` can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`.
(cherry picked from commit 33c96654f485a13fe3475bb89dec3ad26107058e)
2023-12-01 | Merge pull request #2557 from vyos/mergify/bp/sagitta/pr-2467 | Christian Breunig
T5727: Use native URL validator instead of regex-based validator (backport #2467)
2023-12-01 | Merge pull request #2558 from vyos/mergify/bp/sagitta/pr-2547 | Christian Breunig
policy: T4704: Allowed to set metric (MED) to (+/-)rtt (backport #2547)
2023-12-01 | policy: T4704: Allowed to set metric (MED) to (+/-)rtt | aapostoliuk
Allowed to set metric (MED) to (+/-)rtt in the route-map.
(cherry picked from commit 5d98e806ef4edb4439620eff60215aaf30b5a592)
2023-12-01 | Merge pull request #2555 from indrajitr/sagitta-ddclient-backports | Christian Breunig
ddclient: T5573,T5574,T5612,T5708: Backport ddclient related changes
2023-12-01 | Merge pull request #2556 from vyos/mergify/bp/sagitta/pr-2459 | Christian Breunig
mdns: T5723: Always reload systemd daemon before applying changes (backport #2459)
2023-12-01 | T5727: Use native URL validator instead of regex-based validator | Indrajit Raychaudhuri
Replace regex-based URL validator with native validator from vyos-utils. Also, move `include/url.xml.i` to `include/url-http-https.xml.i` to reflect the fact that it is used only for HTTP(S) URLs.
(cherry picked from commit 64322b19d6968195a6dc7c82e7e22126072377f5)
2023-12-01 | mdns: T5723: Always reload systemd daemon before applying changes | Indrajit Raychaudhuri
Additionally, templatize system service override and move it to the runtime path.
(cherry picked from commit eb906739047187c322b6ce9efe7c9479bed9a024)
2023-11-30 | ddclient: T5708: Fix VRF table generation in smoketest | Indrajit Raychaudhuri
Ensure that the random VRF table name is 4 digits long, not 5 and stays within the range of 100 - 65535.
2023-11-30 | ddclient: T5708: Additional smoketests for web-options | Indrajit Raychaudhuri
Add additional smoketests for web-options validation. Also, format error messages to optionally include protocol name.
2023-11-30 | ddclient: T5708: Migration to 3.11.1 and related improvements | Indrajit Raychaudhuri
Fix execution bit for migration script
2023-11-30 | ddclient: T5708: Migration to 3.11.1 and related improvements | Indrajit Raychaudhuri
- Migrate to ddclient 3.11.1 and enforce debian/control dependency
- Add dual stack support for additional protocols
- Restrict usage of `porkbun` protocol, VyOS configuration structure isn't compatible with porkbun yet
- Improve and cleanup error messages
2023-11-30 | ddclient: T5708: Validate proper use of `web-options` | Indrajit Raychaudhuri
`web-options` is only applicable when using HTTP(S) web request to obtain the IP address. Apply guard for that.
2023-11-30 | ddclient: T5708: Ensure password is always wrapped in quotes | Indrajit Raychaudhuri
Migration to 3.11.1 follow-up: This should make `ddclient.conf` parsing more resilient to edge cases (particularly when `password` isn't the last option right before the host parameter). ddclient config parser applies special treatment to the password field and would unwrap the quotes automatically. Also, switch from now deprecated `use=no` to `use=disabled`.
2023-11-30 | ddclient: T5708: Migrate `timeout` to `interval` | Indrajit Raychaudhuri
Time interval in seconds to wait between DNS updates would be a bit more intuitive as `interval` than `timeout`.
2023-11-30 | ddclient: T5574: Support per-service cache management for services | Indrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient does a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider-specific options in that they are only used if defined.
2023-11-30 | ddclient: T5612: Additional refactoring for scripts and smoketests | Indrajit Raychaudhuri
Additional cleanup and refactoring for ddclient scripts including the smoketests.
2023-11-30 | ddclient: T5612: Adjust validator and completion for ddclient | Indrajit Raychaudhuri
Adjust the validator and completion for ddclient to remove unsupported or superfluous protocols. Specifically,
- remove 'nsupdate' protocol from the list because there is a separate config path for that protocol (rfc2136)
- remove 'cloudns' protocol from the list because it has non standard configuration and is not supported by our configurator at this time