Age  Commit message  (Author)
2023-11-21  Merge pull request #2513 from zdc/T5577-equuleus  (Christian Breunig)
    PAM: T5577: Optimized RADIUS PAM config (backport from circinus)
2023-11-20  PAM: T5577: Optimized RADIUS PAM config  (zsdc)
    - Added system `radius` group
    - Added `mandatory` and `optional` modes for RADIUS
    - Improved PAM config for RADIUS

    New modes:
    - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately.
    - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module.

    In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-16  Merge pull request #2492 from mkorobeinikov/equuleus  (Christian Breunig)
    T4940: new interfaces debugging command equuleus
2023-11-16  T4940: new interfaces debugging command equuleus  (mkorobeinikov)
2023-11-06  Merge pull request #2348 from c-po/t4269-cli-defaults-backport  (Christian Breunig)
    scripts: T4269: node.def generator should automatically add default values (backport)
2023-10-31  Merge pull request #2420 from rebortg/patch-1  (Christian Breunig)
    bridge: T5670: add missing constraint on "member interface" node
2023-10-31  bridge: T5670: add missing constraint on "member interface" node  (Robert Göhler)
    correct include filename extension
2023-10-31  Merge pull request #2310 from sever-sever/T5586-eq  (Daniil Baturin)
    T5586: Disable by default SNMP for Keepalived VRRP service
2023-10-25  Merge pull request #2402 from c-po/equuleus-t5670  (Daniil Baturin)
    bridge: T5670: add missing constraint on "member interface" node
2023-10-25  bridge: T5670: add missing constraint on "member interface" node  (Christian Breunig)
    One could specify a bridge member of VXLAN1 interface, but it is not possible to create a VXLAN interface with the name of VXLAN1 - prohibited by VXLAN interface name validator. Add missing interface-name validator code.
    (cherry picked from commit 45dc149e4e3c0c294deac6fd541bb027d2280ea1)
    (cherry picked from commit e619b23b8889543465b61eb00d5b0d3c8063ae95)
2023-10-19  Merge pull request #2381 from c-po/vxlan-t5669  (Christian Breunig)
    vxlan: T5669: unable to change port number
2023-10-19  vxlan: T5669: unable to change port number  (Christian Breunig)
    set interfaces vxlan vxlan23 address '100.64.10.2/24'
    set interfaces vxlan vxlan23 remote '192.0.2.1'
    set interfaces vxlan vxlan23 source-address '192.0.2.5'
    set interfaces vxlan vxlan23 vni '23'
    commit
    set interfaces vxlan vxlan23 port '4789'
    commit

    vyos@r1# ip -d link show dev vxlan23
    12: vxlan23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether 22:6e:6d:33:c5:6b brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
        vxlan id 23 remote 192.0.2.1 local 192.0.2.5 srcport 0 0 dstport 8472

    Port remains at the default value of 8472. This has been fixed.
2023-10-08  Merge pull request #2333 from sever-sever/T5213-eq1.3.4  (Daniil Baturin)
    T5213: Add accounting-interim-interval option for PPPoE-server
2023-10-08  Merge pull request #2347 from c-po/equuleus  (Daniil Baturin)
    pppoe: T5630: allow to specify MRU in addition to already configurable MTU (backport #2335)
2023-10-08  scripts: T4269: node.def generator should automatically add default values  (Christian Breunig)
    Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error.

    The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders:

    $ cat templates-cfg/service/ssh/port/node.def
    multi:
    type: txt
    help: Port for SSH service (default: 22)
    val_help: u32:1-65535; Numeric IP port
    ...

    Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help.
    (cherry picked from commit a68c9238111c6caee78bb28f8054b8f0cfa0e374)
2023-10-08  pppoe: T5630: verify MRU is less than or equal to MTU  (Christian Breunig)
    (cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
2023-10-08  pppoe: T5630: allow to specify MRU in addition to already configurable MTU  (Christian Breunig)
    Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send packets of no more than n bytes. The value of n must be between 128 and 16384; the default was always 1492 to match PPPoE MTU. A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.

    CLI: set interfaces pppoe pppoe0 mru 1280
    (cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
2023-10-03  T5213: Add accounting-interim-interval option for PPPoE-server  (Viacheslav Hletenko)
    Add accounting-interim-interval option for PPPoE-server

    set service pppoe-server authentication radius accounting-interim-interval '60'
2023-09-26  T5586: Disable by default SNMP for Keepalived VRRP service  (Viacheslav Hletenko)
    AgentX does not work stably. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured.

    set high-availability vrrp snmp
2023-09-19  Merge pull request #2282 from nicolas-fort/T5594-equuleus  (Christian Breunig)
    T5594: vrrp: extend function is_ipv6_tentative
2023-09-18  T5594: vrrp: extend function is_ipv6_tentative  (Nicolas Fort)
2023-09-07  Merge pull request #2219 from sarthurdev/T5555_equuleus  (Christian Breunig)
    system: T5555: Fix time-zone migrator changing valid time-zones to UTC
2023-09-07  system: T5555: Fix time-zone migrator changing valid time-zones to UTC  (sarthurdev)
2023-09-05  Merge pull request #2200 from sever-sever/T5533-eq  (Daniil Baturin)
    T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state
2023-09-05  Merge pull request #2198 from mlk-89/equuleus  (Christian Breunig)
    T5545: fix sflow configuration
2023-09-04  T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state  (Viacheslav Hletenko)
    Checks if an IPv6 address on a specific network interface is in the tentative state. IPv6 tentative addresses are not fully configured and are undergoing Duplicate Address Detection (DAD) to ensure they are unique on the network.

    inet6 2001:db8::3/125 scope global tentative

    In tentative state the group enters FAULT state. Fix it.
2023-09-04  T5545: fix sflow configuration  (Maxime.L)
2023-09-02  Merge pull request #2191 from c-po/equuleus  (Christian Breunig)
    T5428: fix DHCP client running in VRF context
2023-09-01  container: T4353: capitalize ascii -> ASCII  (Christian Breunig)
    (cherry picked from commit 8daf7f95d832550cc31ab22a65aabe969ecae813)
2023-09-01  container: T578: fix XML build warning about '  (Christian Breunig)
2023-08-31  Merge pull request #2181 from sever-sever/T738-eq  (Christian Breunig)
    T738: add CLI option for PowerDNS local-port
2023-08-31  Merge pull request #2168 from sever-sever/T3546  (Christian Breunig)
    T3546: PPPoE-server add extended scripts for RADIUS attributes
2023-08-31  Merge pull request #2166 from sever-sever/T5506-eq  (Christian Breunig)
    T5506: Add link-local IPv6 address for container interfaces
2023-08-30  Merge pull request #2187 from sever-sever/T4933-eq  (Viacheslav Hletenko)
    vyos.util: T4933: informative error for bad colon-separated lines
2023-08-30  vyos.util: T4933: informative error for bad colon-separated lines  (Daniil Baturin)
    in vyos.util.colon_separated_to_dict
    (cherry picked from commit fb7f162f61522127ca72adffd6802797b136a99a)
2023-08-29  T738: add CLI option for PowerDNS local-port  (Viacheslav Hletenko)
    set service dns forwarding allow-from '192.0.2.0/24'
    set service dns forwarding listen-address '192.0.2.11'
    set service dns forwarding port '5353'
2023-08-28  T5428: fix DHCP address renewal/release when running in VRF  (Christian Breunig)
2023-09-01  vrf: T5428: stop DHCP processes on VRF removal  (Christian Breunig)
    This is a workaround for the priority inversion from T5492 ("CLI node priority is not inversed on node deletion"). As this is a corner case bug that's only triggered if an interface is removed from a VRF and also the VRF is removed in one commit, priorities are not honored. Thus we implement this workaround which stops the DHCP(v6) client processes on the VRF associated interfaces to get out the DHCP RELEASE message before interfaces are shut down.
    (cherry picked from commit 005151f77be5cf999689cfd03620bbc39df59018)
2023-08-25  Merge pull request #2170 from sever-sever/T4825-eq  (Christian Breunig)
    T4825: Add interface type veth
2023-08-25  T4825: Add interface type veth  (Viacheslav Hletenko)
    Add interface type veth (Virtual ethernet)
    One of the use cases is to interconnect different VRFs and the default VRF via a bridge

    set interfaces virtual-ethernet veth0 peer-name 'veth1010'
    set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
    set interfaces virtual-ethernet veth1010 peer-name 'veth0'
    set interfaces virtual-ethernet veth1010 vrf 'foo'
    set interfaces bridge br0 address '10.0.0.1/24'
    set interfaces bridge br0 member interface veth0

    vyos@r1:~$ ping 10.0.0.10 count 1
    PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
    64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
2023-08-25  T3546: PPPoE-server add extended scripts for RADIUS attributes  (Viacheslav Hletenko)
    Ability to get and parse RADIUS attributes via a shell script and then execute commands
    One of the use cases is to create a custom shaper with some smart

    Extended scripts receive from PPPoE daemon the following variables:
    $1 - Interface name
    $4 - Tunnel GW IP address
    $5 - Delegated IP address to the client
    $6 - Calling Station ID (MAC)

    if [ -f /run/accel-pppd/radattr.$1 ]; then
        true
    fi
2023-08-24  Merge pull request #2167 from jestabro/eq-T5006  (Christian Breunig)
    http-api: T5006: add explicit async to retrieve operation
2023-08-24  http-api: T5006: add explicit async to retrieve operation  (John Estabrook)
2023-08-24  T5506: Add link-local IPv6 address for container interfaces  (Viacheslav Hletenko)
    Fix for adding IPv6 link-local address for container interfaces

    set container network NET01 prefix '10.0.0.0/24'
    set container network NET01 prefix '2001:db8:2222::/64'

    % ip -6 addr show scope link dev pod-NET01
    17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
2023-08-19  Merge pull request #2158 from c-po/t5470-wifi-equuleus  (Viacheslav Hletenko)
    wifi: T5470: improve error message
2023-08-19  wifi: T5470: improve error message  (Christian Breunig)
    (cherry picked from commit ffb798b4678f3b1bd0a40cc42b1f0477470346dc)
2023-08-17  Merge pull request #2154 from sever-sever/T5486  (Christian Breunig)
    T5486: smoketest: adjust to new process_named_running() implementation
2023-08-17  Merge pull request #2153 from sever-sever/T5223  (Daniil Baturin)
    T5223: Fix removing key id for GRE tunnel
2023-08-17  T5486: smoketest: adjust to new process_named_running() implementation  (Viacheslav Hletenko)
    After commit 9c677c8 ("vyos.util: extend process_named_running() signature with cmdline") we need an exact match for the process name. In the past we used "a in b" and now we test for "a == b".

    Process name doesn't match 'ddclient':
    psutil.Process(pid=10987, name='ddclient - sleeping for 20 seconds', started='13:12:47'

    It causes the smoketest to fail.
2023-08-17  T5223: Fix removing key id for GRE tunnel  (Viacheslav Hletenko)
    Fix for removing key id from GRE tunnel

    Before fix:
    del interfaces tunnel tun10 parameters ip key
    commit
    sudo ip tunnel show tun10
    tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit key 1234

    After the fix:
    sudo ip tunnel show tun10
    tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit