summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-01-12Merge pull request #2808 from vyos/mergify/bp/sagitta/pr-2807Daniil Baturin
T5922: firewall: fix intra-zone filtering parsing rules; update firew… (backport #2807)
2024-01-12T5922: firewall: fix intra-zone filtering parsing rules; update firewall ↵Nicolas Fort
smoketest (cherry picked from commit 5c4c873f9c36459bc7bad73208450ee802440929)
2024-01-12Revert "syslog: T1487: store all journalctl log files also in syslog"Christian Breunig
This reverts commit 61817dbb3f2667bcb0fbd734d70daeb2c4672720.
2024-01-11Merge pull request #2805 from vyos/mergify/bp/sagitta/pr-2790Daniil Baturin
firewall: T5814: Retain legacy 'accept' behaviour and re-order migration (backport #2790)
2024-01-11firewall: T5814: Retain legacy 'accept' behaviour and re-order migrationsarthurdev
Pre-1.4 firewall 'accept' action acted as a 'return'. This change ensures the migrated rules meet the expected behaviour. This commit also re-orders migrated in/out/local jumps ordered by direction instead of interface. (cherry picked from commit dc542f109460bca6453d1eeba9fe829aea38bb33)
2024-01-11Merge pull request #2804 from vyos/mergify/bp/sagitta/pr-2798Daniil Baturin
T5791: T5918: use generic pattern to detect dynamic interfaces for ipsec and dynamic dns (backport #2798)
2024-01-11Merge pull request #2803 from vyos/mergify/bp/sagitta/pr-2797Daniil Baturin
syslog: T1487: store all journald log files also in syslog (backport #2797)
2024-01-11Merge pull request #2801 from vyos/mergify/bp/sagitta/pr-2799Daniil Baturin
T5919: firewall: fix <show firewall ipv6 ..> command (backport #2799)
2024-01-11ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemonChristian Breunig
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS. (cherry picked from commit 8c941e316035e56757d77b782cf39702c73546e0)
2024-01-11dns: T5791: use common pattern for exclude check of dynamic interfacesChristian Breunig
This uses a more common pattern froma base class while the original code from 0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is still retained. (cherry picked from commit e5ce4222c6e9b24d276625678db7339ada0c54ef)
2024-01-11Merge pull request #2800 from vyos/mergify/bp/sagitta/pr-2784Daniil Baturin
T5915: firewall: re-add opmode command for zone based firewall (backport #2784)
2024-01-11syslog: T1487: store all journalctl log files also in syslogChristian Breunig
This is useful to send the journal logs to external syslog servers (cherry picked from commit 800c85a20a00278ab07bbcccd85b753b1ca31e21)
2024-01-11T5919: firewall: fix <show firewall ipv6 ..> commandNicolas Fort
(cherry picked from commit 089280f82349cd7b77649eb71729be1e73714b52)
2024-01-11T5915:firewall: re-add opmode command for zone based firewallNicolas Fort
(cherry picked from commit 62f10e0ec8075634e1515d6cecc822d87053bccb)
2024-01-11Merge pull request #2789 from vyos/mergify/bp/sagitta/pr-2777Christian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
2024-01-11Merge pull request #2794 from sarthurdev/T5787_sagittaChristian Breunig
dhcp: T5787: Prevent duplicate IP addresses on static mappings (backport)
2024-01-11Merge pull request #2793 from sarthurdev/T5550_sagittaChristian Breunig
interface: T5550: Interface source-validation priority over global value (backport)
2024-01-10Merge pull request #2795 from vyos/mergify/bp/sagitta/pr-2786Daniil Baturin
image-tools: T5917: annotate image list with (running)/(default boot) (backport #2786)
2024-01-10image-tools: T5917: annotate image list with (running)/(default boot)John Estabrook
(cherry picked from commit 17a1d31299e8960d9eba528e04c418b4c1007eb2)
2024-01-10dhcp: T5787: Prevent duplicate IP addresses on static mappingssarthurdev
2024-01-10Merge pull request #2792 from vyos/mergify/bp/sagitta/pr-2791Viacheslav Hletenko
T5918: Fix typo in verify vpn ipsec interface (backport #2791)
2024-01-10T5918: Fix typo in verify vpn ipsec interfaceViacheslav Hletenko
The correct CLI command is `interface` and not `interfaces` ``` set vpn ipsec interface xxx ``` (cherry picked from commit 8452d8f49216d224bc5d5751354414274982f5be)
2024-01-10Merge pull request #2788 from vyos/mergify/bp/sagitta/pr-2787Viacheslav Hletenko
bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFI (backport #2787)
2024-01-10T5688: Changed 'range' to multi in 'client-ip-pool' for accell-pppaapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script. (cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
2024-01-10Merge pull request #2782 from vyos/mergify/bp/sagitta/pr-2780Christian Breunig
T5916: Added segment routing check for index size and SRGB size (backport #2780)
2024-01-10bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFIChristian Breunig
(cherry picked from commit f1411240c6b11ec400ac0f66eb71982259204317)
2024-01-10T5916: Added segment routing check for index base size and SRGB base sizeCheeze_It
(cherry picked from commit cfb5b052c84ffba789d61a59350676b6b4a0a5f7)
2024-01-10Merge pull request #2783 from vyos/mergify/bp/sagitta/pr-2263Christian Breunig
T5530: isis: Adding loop free alternate feature (backport #2263)
2024-01-10Merge pull request #2781 from vyos/mergify/bp/sagitta/pr-2773Christian Breunig
https: T5902: remove virtual-host configuration (backport #2773)
2024-01-10T5530: isis: Adding loop free alternate featureCheeze_It
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
2024-01-10boot-config-loader: T1622: add missing groups to failsafe userChristian Breunig
This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe and back trace") and adds missing groups to the vyos user. Without this change the vyos user will only have operator (vyos@vyos>) privileges, even if this level is discontinued. One could hack himself up as the user has sudo rights, but rather place the user in the right groups from the beginning. NOTE: This user is only added if booted with "vyos-config-debug" and an error when the configuration can not be loaded at all. (cherry picked from commit 07e802a2d3f98cdf29928bf321cc8b89cb41766c)
2024-01-10pki: T5911: fix service update algorithm if certificate name contains a ↵Christian Breunig
hyphen (-) When testing for changed PKI certificates using node_changed(), we should not use key_mangling=('-', '_'), as this will make certificate updates with a hypen not possible. (cherry picked from commit fc6926fdf32a7bdf9f943c7818ee6ea4a8131fba)
2024-01-10https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement. (cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
2024-01-08Merge pull request #2774 from vyos/mergify/bp/sagitta/pr-2758Christian Breunig
pki: T5886: add support for ACME protocol (LetsEncrypt) (backport #2758)
2024-01-08smoketest: T5905: always delete pki in ipsec test startupChristian Breunig
(cherry picked from commit 2095eb75a2326b8f493944aef07f65b150cfbc60)
2024-01-08ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()Christian Breunig
(cherry picked from commit 410458c00e6202dd9a5c52b3c5ac00a90db5bc53)
2024-01-08pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()Christian Breunig
This fixes a priority inversion when doing initial certificate commits. * pki subsystem is executed with priority 300 * vti uses priority 381 * ipsec uses priority 901 On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was yet not created leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!') The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added. This commit changes the "detection" based on the cerbot configuration on disk. (cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)
2024-01-08https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08pki: T5886: add op-mode commands for log and renewalChristian Breunig
* show log certbot * monitor log certbot * renew certbot (cherry picked from commit 9d02d32319f9328df618910a038ef580588e13c8)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2024-01-08Merge pull request #2772 from vyos/mergify/bp/sagitta/pr-2760Christian Breunig
image: T5898: fix kernel-level partition rescan (backport #2760)
2024-01-08image: T5898: fix kernel-level partition rescanMatt Clauson
This fix moves from partprobe to partx to rescan the partition table on an affected disk. (cherry picked from commit f883455d9a3081780c43426ab26de9d26f24c9aa)
2024-01-08Merge pull request #2771 from nicolas-fort/T5896Christian Breunig
T5896: firewall: backport interface validator for firewall rules.
2024-01-08T5896: firewall: backport interface validator for firewall rules.Nicolas Fort
2024-01-07Merge pull request #2770 from vyos/mergify/bp/sagitta/pr-2769Viacheslav Hletenko
smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty (backport #2769)
2024-01-07smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penaltyChristian Breunig
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()") added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6). This leads to long runs of "make test" after an ISO build. There is no need to wait 10 seconds for a test that checks for a process not running. The timeout is there to give the process some time to startup. (cherry picked from commit 041db49533d57cabfccd319492b85ee0bafdd40c)
2024-01-07Merge pull request #2767 from vyos/mergify/bp/sagitta/pr-2764Christian Breunig
T5195: add timeout argument to process_named_running() (backport #2764)
2024-01-07Merge pull request #2766 from vyos/mergify/bp/sagitta/pr-2765Viacheslav Hletenko
op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" command (backport #2765)
2024-01-07T5195: add timeout argument to process_named_running()Christian Breunig
Smoketests heavily rely on process_named_running() so in order to "relax" system constraints during a test we will add a timeout of 10 seconds for every testcase provided by base_interfaces_test.py (cherry picked from commit ad9bdfc248cf47b3361bd0e5d7371d56131160a0)
2024-01-07op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" commandChristian Breunig
We've always had a command to display discrete IPv6 routes/prefixes within the global VRF. This commit also adds support for a discrete VRF. vyos@vyos:~$ show ipv6 route vrf <name> Possible completions: <Enter> Execute the current command <h:h:h:h:h:h:h:h> Show IPv6 routes of given address or prefix <h:h:h:h:h:h:h:h/x> (cherry picked from commit 119d94bdb05d0c88bfc452d903e64000b278c43e)