summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-04-15Merge pull request #3309 from nicolas-fort/T5535Daniil Baturin
T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-optinos
2024-04-15Merge pull request #3308 from sever-sever/T5734Daniil Baturin
T5734: OpenVPN check PKI DH name exists if DH configured
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos
2024-04-15T5734: OpenVPN check PKI DH name exists if DH configuredViacheslav Hletenko
Check if DH is configured for OpenVPN but does not exist in the PKI section ``` set pki dh dh-correct parameters 'xxxx' set interfaces openvpn vtun10 tls dh-params 'dh-fake' File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki pki_dh = pki['dh'][tls['dh_params']] ~~~~~~~~~^^^^^^^^^^^^^^^^^^ KeyError: 'dh-fake' ```
2024-04-13Merge pull request #3297 from HollyGurza/T6035Daniil Baturin
qos: T6035: QoS policy shaper queue-type random-detect requires limit avpkt
2024-04-12Merge pull request #3291 from aapostoliuk/T6100-circinusChristian Breunig
T6100: Added NAT migration from IP/Netmask to Network/Netmask
2024-04-12Merge pull request #3302 from lucasec/t5872-fixChristian Breunig
T5872: fix ipsec dhclient hook uses "exit" instead of "return"
2024-04-12T5872: fix ipsec dhclient hook uses "exit" instead of "return"Lucas Christian
2024-04-12Merge pull request #3300 from sever-sever/T6235Christian Breunig
T6235: Git update actions-label-merge-conflict version
2024-04-12T6235: Git update actions-label-merge-conflict versionViacheslav Hletenko
Update `actions-label-merge-conflict` due to `Node.js 16 actions are deprecated.`
2024-04-12qos: T6035: QoS policy shaper queue-type random-detect requires limit avpktkhramshinr
Added params for configuration red on the shaper policy
2024-04-12pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions ↵Nataliia Solomko
fails (#3296)
2024-04-12T6100: Added NAT migration from IP/Netmask to Network/Netmaskaapostoliuk
Added NAT migration from IP/Netmask to Network/Netmask. In 1.3 allowed using IP/Netmask in Nat rules. In 1.4 and 1.5 it is prohibited. Allowed Network/Netmask.
2024-04-12Merge pull request #2708 from lucasec/t5871Christian Breunig
T5871: ipsec remote access VPN: specify "cacerts" for client auth
2024-04-11T5871: ipsec remote access VPN: specify "cacerts" for client auth.Lucas Christian
2024-04-11Merge pull request #3292 from sever-sever/T6222Daniil Baturin
T6222: VRRP show prefix for long rfc3768-compatibility interfaces allow prefix vrrp
2024-04-11Merge pull request #3290 from nicolas-fort/T6216Daniil Baturin
firewall: T6216: replace plus symbols (allowed by IPset but not NFT) in group names with underscores
2024-04-11Merge pull request #3274 from sever-sever/T5169Daniil Baturin
T5169: Add PoC for generating CGNAT rules rfc6888
2024-04-11Merge pull request #3281 from nicolas-fort/T6213Christian Breunig
T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i>
2024-04-11T6216: firewall: add patch while migrating from 1.3 to 1.4 in order to avoid ↵Nicolas Fort
errors when using character <+> in 1.3 in firewall groups and custom firewall chains.
2024-04-11T6222: VRRP show prefix for long rfc3768-compatibility interfacesViacheslav Hletenko
If we use rfc3768-compatibility with long interface names like eth1.100.200 it converts the VRRP interface name name to `<interface>v<VRID><IP version>` For example `eth2.100.200v10v4` The limit for interface name is 15 symbols and it causes that interface name is ignoring by keepalived VMAC interface name 'eth2.100.200v10v4' too long or invalid characters - ignoring And it uses the default prefix `vrrp` for such cases. It works fine, but such interfaces are not displayed in the op-mode Allow prefix `vrrp` for the op-mode for `show interfaces`
2024-04-09Merge pull request #3286 from jvoss/eui64_podman_vrfChristian Breunig
container: T6218: fix host IPv6 link-local address for VRF networks
2024-04-09container: T6218: fix host IPv6 link-local address for VRF networksJonathan Voss
2024-04-09T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i> ↵Nicolas Fort
in order to not allow string starting with dot character; use such constraint in firewall group definitions.
2024-04-09container: T6210: add capability sys-nicetheflakes
2024-04-09T5169: Add PoC for generating CGNAT rules rfc6888Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ```
2024-04-09Merge pull request #3283 from c-po/T6199-build-fixChristian Breunig
T6199: add missing build dependency
2024-04-09T6199: add missing build dependencyChristian Breunig
2024-04-09Merge pull request #3280 from sever-sever/T5858Daniil Baturin
T5858: Fix op-mode format for show conntrack statistics
2024-04-09T5858: Fix op-mode format for show conntrack statisticsViacheslav Hletenko
2024-04-08Merge pull request #3278 from jestabro/default-config-choiceChristian Breunig
T6207: restore ability to copy config.boot.default on image install
2024-04-07image-tools: T6207: restore choice of config.boot.default as boot configJohn Estabrook
2024-04-07utils.io: T6207: allow default in select_entryJohn Estabrook
2024-04-07Merge pull request #3277 from sarthurdev/T6163Christian Breunig
kea: T3316: T6163: Ensure correct permissions on lease files
2024-04-07kea: T3316: Ensure correct permissions on lease filessarthurdev
2024-04-07Merge pull request #3265 from c-po/ethernet-mtu-T5862Daniil Baturin
ethernet: T5862: default MTU is not acceptable in some environments
2024-04-07Merge pull request #3270 from c-po/login-T5875Daniil Baturin
login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'
2024-04-07dhcp: T6068: drop unused variable "failover_ok"Christian Breunig
2024-04-07Merge pull request #3272 from c-po/container-fixChristian Breunig
container: T6208: fix AttributeError: 'ConfigDict' object has no attribute 'upper'
2024-04-07container: T6208: fix AttributeError: 'ConfigDict' object has no attribute ↵Christian Breunig
'upper' Commit b30faa43c (container: T6208: rename "cap-add" CLI node to "capability") added an AttributeError referencing an out of scope variable. This has been fixed.
2024-04-07ipoe: T6205: fix conditional branch error in config migratorChristian Breunig
Commit a5ccc06c0 ("ipoe: T6205: error in migration script logic while renaming mac-address to mac node") added a conditional path into the config which could result in the migrated config not beeing written if precondition was not met.
2024-04-07Merge pull request #3269 from c-po/container-T6208Daniil Baturin
container: T6208: rename "cap-add" CLI node to "capability"
2024-04-06login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'Christian Breunig
Commit 1b364428f ("login: T5875: restore home directory permissions only when needed") added logic to chown the users home directory if it's UID changes. This might happen when a user account is deleted and re-added to the system. Under rar e circumstances it was possible that the implementation triggered Traceback (most recent call last): File "<stdin>", line 1, in <module> KeyError: 'getpwuid(): uid not found: XXXX' This has been fixed by re-arranging the code path with an additional try/except if the PW database information could not be retrieved leading to an implicit chown() of the home directory to the user beeing added.
2024-04-06container: T6208: rename "cap-add" CLI node to "capability"Christian Breunig
Containers have the ability to add Linux system capabilities to them, this is done using the "set container name <name> cap-add" command. The CLI node sounds off and rather should be "set container name <name> capability" instead as we use and pass a capability to a container and not add/invent new ones.
2024-04-06Merge pull request #3263 from c-po/T6205-ipoeDaniil Baturin
ipoe: T6205: error in migration script logic while renaming mac-address to mac node
2024-04-06ipoe: T6205: error in migration script logic while renaming mac-address to ↵Christian Breunig
mac node The problem was introduced in [1] but the config migrator part unfortunately was added to the wrong version [2]. As IPoE config version 0 was only active during the 1.3 development cycle and VyOS 1.3.0 was already released with config version 1 we can safely drop the migrator 0-to-1 and move the code to 1-to-2 to properly support upgrades from VyOS 1.3 -> 1.4 or newer. 1: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-08291bf77870abe3af8bbe3e8ce4bbf344fd0498b2c5c75a75aa7235d381c88eL168 2: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-b8bb58b75607d3653e74d82eff02442f9f3ab82698f160ba37858f7cdf6c79ccR44-R46
2024-04-06Merge pull request #3266 from c-po/spring-cleaning-4Christian Breunig
T6199: start validating smoketests against real CLI defaultValues
2024-04-06GitHub: run unused-imports ony for current and sagittaChristian Breunig
2024-04-06T6199: start validating smoketests against real CLI defaultValuesChristian Breunig
Use vyos.xml_ref.default_value to query XML default values and take them into account when validating properly applied defaults in individual smoketests instead of using hardcoded values like 443 for https port.
2024-04-06ethernet: T5862: default MTU is not acceptable in some environmentsChristian Breunig
There are cloud environments available where the maximum supported ethernet MTU is e.g. 1450 bytes, thus we clamp this to the adapters maximum MTU value or 1500 bytes - whatever is lower.