Age | Commit message | Author
2024-03-28 | ipsec: T5606: T5871: Use multi node for CA certificates | sarthurdev
This changes behaviour from fetching the CA chain in PKI to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included, as this may not be desired/intended. (cherry picked from commit 952b1656f5164f6cfc601e040b48384859e7a222)
2024-03-28 | T5872: re-write exit hook to always regenerate config | Lucas Christian
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
2024-03-28 | T5872: further fixes to ipsec dhcp exit hook | Lucas Christian
(cherry picked from commit 92012a0b3db8e93b10db4137414073f0371ed8cc)
2024-03-28 | T5872: fix ipsec dhclient exit hook | Lucas Christian
(cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f)
2024-03-28 | T5872: ipsec remote access VPN: support dhcp-interface. | Lucas Christian
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
2024-03-28 | Merge pull request #3203 from vyos/mergify/bp/sagitta/pr-3201 | Christian Breunig
grub: T4516: correct a format string (backport #3201)
2024-03-28 | grub: T4516: correct a format string | Daniil Baturin
(cherry picked from commit 74e502c16109b8d6d197751fc63ac5a32ff44404)
2024-03-28 | Merge pull request #3199 from vyos/mergify/bp/sagitta/pr-3194 | Christian Breunig
op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interface (backport #3194)
2024-03-28 | op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interface | Christian Breunig
The current op-mode script simply calls

```
sudo systemctl restart "dhclient@$4.service"
```

with no additional information about a client interface at all. This results in useless dhclient processes

```
root     47812  4.7  0.0   5848  3584 ?  Ss  00:30  0:00 /sbin/dhclient -4 -d
root     48121  0.0  0.0   4188  3072 ?  S   00:30  0:00  \_ /bin/sh /sbin/dhclient-script
root     48148 50.0  0.2  18776 11264 ?  R   00:30  0:00      \_ python3 -
```

which also assign client leases to all local interfaces if we receive one valid DHCPOFFER:

```
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address         MAC                VRF      MTU  S/L  Description
-----------  -----------------  -----------------  -------  ----  ---  -----------
eth0         -                  00:50:56:bf:c5:6d  default  1500  u/u
eth0.10      172.16.33.102/24   00:50:56:bf:c5:6d  default  1500  u/u
eth1         172.16.33.131/24   00:50:56:b3:38:c5  default  1500  u/u
```

172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses. This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for actually has a dhcp address configured. In addition this exposes the renew feature to the API. (cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
2024-03-28 | T6121: Extend config-sync for QoS and system options | Viacheslav Hletenko
Extend the service config-sync for sections:
- qos interface
- qos policy
- system conntrack
- system flow-accounting
- system option
- system sflow
- system static-host-mapping
- system sysctl

(cherry picked from commit 9d5ad172034ae510288b11313d307f0a24bb4b7d)
2024-03-28 | dhcp-server: T4718: Listen-address is not commit if the ip address is on the interface with vrf | khramshinr
2024-03-26 | Merge pull request #3191 from vyos/mergify/bp/sagitta/pr-3190 | Christian Breunig
bgp: T6106: fix test and verify() (backport #3190)
2024-03-26 | bgp: T6106: fix test and verify() | khramshinr
(cherry picked from commit 2ba435fa4bc8a5c9b2285fb9215ebc582bfb5fdf)
2024-03-25 | Merge pull request #3183 from vyos/mergify/bp/sagitta/pr-3181 | Daniil Baturin
xml: T5738: use common constraint include for container network (backport #3181)
2024-03-25 | Merge pull request #3187 from vyos/mergify/bp/sagitta/pr-3172 | Daniil Baturin
config-sync: T6145: batch section requests for commit by priority (backport #3172)
2024-03-25 | config-sync: T6145: batch section requests for commit by priority | John Estabrook
(cherry picked from commit 50e9364575481335520f50dac834c74ef02ccfab)
2024-03-24 | Merge pull request #3186 from vyos/mergify/bp/sagitta/pr-3185 | Christian Breunig
ospf: T6066: can not define the same network in different areas (backport #3185)
2024-03-24 | Merge pull request #3184 from vyos/mergify/bp/sagitta/pr-3182 | Christian Breunig
container: T6062: add image name completion helper (backport #3182)
2024-03-24 | ospf: T6066: can not define the same network in different areas | Christian Breunig
Users can not (FRR fails) commit the same network belonging to different OSPF areas. Add verify() check to prevent this. (cherry picked from commit c6d8d9c012da1a7566eec2dff70385457f073e64)
2024-03-24 | container: T6062: add image name completion helper | Christian Breunig
(cherry picked from commit 37a4fdf229a7ab74718655f1d6e35fd94e5ad69a)
2024-03-24 | xml: T5738: use common constraint include for container network | Christian Breunig
(cherry picked from commit 6be463fcca574e051420ae7549bed72e74486470)
2024-03-24 | Merge pull request #3175 from vyos/mergify/bp/sagitta/pr-3151 | Christian Breunig
bgp: T6106: Show complete FRR output on internal errors (backport #3151)
2024-03-24 | Merge pull request #3180 from vyos/mergify/bp/sagitta/pr-3179 | Christian Breunig
grub: T6165: increase service TimeoutSec from 5 -> 60 (backport #3179)
2024-03-24 | grub: T6165: increase service TimeoutSec from 5 -> 60 | Christian Breunig
The PCEngines APU2 systems with mSATA disks tend to be very slow. This results in a service startup error:

```
$ systemctl status vyos-grub-update
× vyos-grub-update.service - Update GRUB loader configuration structure
     Loaded: loaded (/lib/systemd/system/vyos-grub-update.service; enabled; preset: enabled)
     Active: failed (Result: timeout) since Sun 2024-03-24 08:48:10 UTC; 14min ago
   Main PID: 779 (code=killed, signal=TERM)
        CPU: 869ms

Mar 24 08:48:05 LR4.wue3 systemd[1]: Starting vyos-grub-update.service - Update GRUB loader configuration structure...
Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: start operation timed out. Terminating.
Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Main process exited, code=killed, status=15/TERM
Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Failed with result 'timeout'.
Mar 24 08:48:10 LR4.wue3 systemd[1]: Failed to start vyos-grub-update.service - Update GRUB loader configuration structure.
```

Measuring on an APU2 system after boot, when memory is "hot", it still needs almost 17 seconds to complete the job:

```
cpo@LR4.wue3:~$ time sudo /usr/libexec/vyos/system/grub_update.py

real    0m16.803s
user    0m0.018s
sys     0m0.028s
```

(cherry picked from commit 5a12645cb25fb23f2195db1e2e977a69d0788d01)
2024-03-24 | Merge pull request #3163 from vyos/mergify/bp/sagitta/pr-3157 | Viacheslav Hletenko
vti: T6085: bring VTI interfaces up only when the IPsec tunnel is up (backport #3157)
2024-03-24 | Merge pull request #3178 from vyos/mergify/bp/sagitta/pr-3177 | Christian Breunig
Revert "ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces" (backport #3177)
2024-03-24 | Revert "ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces" | Christian Breunig
This reverts commit ab30509b25d54dac99294b76ba03fd49c3d2c946. As in T6152 there seem to be some NICs that have a non-working implementation of reading the EEE registers. Remove this feature in the meantime until there is a less exploding solution hindering boards to boot. Return to Kernel defaults by removing this code path. (cherry picked from commit 946f93778f15f4af9f31cd5b164efcd931693635)
2024-03-23 | Merge pull request #3162 from HollyGurza/T5164-sagitta | Christian Breunig
dhcp: T5164: op cmd: "show dhcp server leases state" with available o…
2024-03-23 | Merge pull request #3176 from vyos/mergify/bp/sagitta/pr-3171 | Christian Breunig
op-mode: T6161: Show container details in JSON format (backport #3171)
2024-03-23 | op-mode: T6161: Show container details in JSON format | Adrian L Lange
I made some assumptions about node types, and I expanded the initial request to also work for networks and containers. I found that the "raw" versions of these commands already existed in the python scripts, so I just used the existing flags. (cherry picked from commit b5d10d11fc8535a95df1fce2ddb0a2a08567fa77)
2024-03-23 | bgp: T6106: Valid commit error for route-reflector-client option defined in peer-group | khramshinr
handle vtysh bgp error (cherry picked from commit 6fa72591972618f02ac1c66c084a99e006ce18f3)
2024-03-23 | Merge pull request #3174 from vyos/mergify/bp/sagitta/pr-3173 | Christian Breunig
vyos.configverify: T6131: verify_interface_exists() checks CLI interfaces, too (backport #3173)
2024-03-23 | vyos.configverify: T6131: verify_interface_exists() checks CLI interfaces, too | Christian Breunig
Extend the way how we determine if interfaces exist in VyOS. In the past we only validated if the interface in question really exists at the OS level. This has some drawbacks as services (like OSPF or OSPFv3) can also handle interfaces dynamically which appear or leave the OS. This commit not only checks for OS interfaces but also if the interface in question was configured at the CLI level; this is proof enough to pass the check. If it does not exist at the CLI level, we continue searching if it's maybe a Kernel interface - useful for container networks. In addition we can now not only raise() an error but simply show a warning if an interface does not exist. (cherry picked from commit f7250ecf1d119f14d72f99ee379deaaae0790f0e)
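The two-stage lookup described in the commit above (CLI config first, then the kernel, with a warn-only mode) as an added, stand-alone example. This is not vyos-1x code: the config dictionary layout, the function and parameter names (`verify_interface_exists`, `sysfs_root`, `warning_only`) and the fake sysfs tree are assumptions made for illustration, so the check can run offline.

```python
# Added example, not vyos-1x code. An interface-existence check in the spirit
# of T6131: accept the interface if the CLI config knows it (first lookup),
# otherwise fall back to the kernel's view under /sys/class/net. The sysfs
# root is a parameter so the check can be exercised against a constructed
# directory tree. Config layout and names are assumptions for illustration.
import os
import warnings
from pathlib import Path


def cli_interfaces(config: dict) -> set:
    """Flatten an assumed {'interfaces': {'ethernet': {'eth0': {...}}, ...}}
    tree into the set of interface names configured at the CLI level."""
    names = set()
    for _iftype, members in config.get('interfaces', {}).items():
        names.update(members.keys())
    return names


def verify_interface_exists(ifname: str, config: dict,
                            sysfs_root: str = '/sys/class/net',
                            warning_only: bool = False) -> bool:
    """Return True if `ifname` is configured at the CLI or present in the OS.

    A CLI-configured interface (e.g. a VTI that the IPsec daemon brings up
    later, or an OSPF interface that appears dynamically) passes even when
    the kernel does not show it yet. Otherwise the kernel is consulted, which
    covers interfaces created outside the CLI such as container networks.
    If neither knows the interface: raise, or only warn when warning_only.
    """
    if ifname in cli_interfaces(config):
        return True
    if Path(sysfs_root, ifname).is_dir():
        return True
    msg = f'Interface "{ifname}" does not exist!'
    if warning_only:
        warnings.warn(msg)
        return False
    raise ValueError(msg)


# Constructed sample config: vti0 is configured but will be absent from the
# (fake) kernel view; podman0 is the opposite case.
SAMPLE_CONFIG = {
    'interfaces': {
        'ethernet': {'eth0': {'address': ['dhcp']}},
        'vti': {'vti0': {}},
    }
}


def make_fake_sysfs(root: str, names: list) -> str:
    """Create a constructed stand-in for /sys/class/net with the given entries."""
    for n in names:
        os.makedirs(os.path.join(root, n), exist_ok=True)
    return root


def demo() -> dict:
    """Run the three interesting cases in a throw-away fake sysfs tree."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp, warnings.catch_warnings():
        warnings.simplefilter('ignore')
        sysfs = make_fake_sysfs(tmp, ['eth0', 'podman0'])
        return {
            'vti0': verify_interface_exists('vti0', SAMPLE_CONFIG, sysfs),        # CLI only
            'podman0': verify_interface_exists('podman0', SAMPLE_CONFIG, sysfs),  # kernel only
            'eth9': verify_interface_exists('eth9', SAMPLE_CONFIG, sysfs,
                                            warning_only=True),                   # neither, warn
        }


if __name__ == '__main__':
    print(demo())
```

Calling `verify_interface_exists('eth9', SAMPLE_CONFIG, sysfs)` without `warning_only` raises `ValueError`, which is the failure mode a commit-time verify() would surface; the warn-only path returns `False` so callers that merely want to log can keep going.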
2024-03-22 | Merge pull request #3170 from vyos/mergify/bp/sagitta/pr-3169 | Viacheslav Hletenko
isis: T6160: NameError: name 'process' is not defined (backport #3169)
2024-03-22 | isis: T6160: NameError: name 'process' is not defined | Christian Breunig
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain" node identifying the IS-IS process name). Drop all references to the "process" variable. Specifying:

```
set protocols isis interface eth1
set protocols isis net '49.0001.1921.6825.5255.00'
set protocols isis redistribute ipv4 bgp
```

triggered an exception:

```
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module>
    verify(c)
  File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify
    f'"protocols isis {process} redistribute {afi} {proto}"!')
                      ^^^^^^^
NameError: name 'process' is not defined
```

(cherry picked from commit 78212414e085d6261a32015553eb3e407f77792f)
2024-03-22 | Merge pull request #3166 from vyos/mergify/bp/sagitta/pr-3153 | Christian Breunig
policy: T6130: Revert commit 960cace (backport #3153)
2024-03-22 | policy: T6130: Revert commit 960cace | aapostoliuk
This reverts commit 960cace189d7ace2bea0968646b1348b415e0363. All community rules syntax was changed. T5357 is invalid bug report. VyOS cannot use new configuration syntax in the previous versions. (cherry picked from commit 72378c67ef1eee01a06e2f9a194a0870c6a7fdd2)
2024-03-21 | vti: T6085: interface is always down and only enabled by IPSec daemon | Christian Breunig
When a VTI interface is just created, it is in ADMIN UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected. This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected. This changes the logic so ADMIN UP/DOWN state can only be changed by the vti-up-down helper script. Error was introduced during the Perl -> Python migration and move to the generic vyos.ifconfig abstraction during the 1.4 development cycle. (cherry picked from commit 9eb018c4935235d292d7c693ac15da5761be064a)
2024-03-21 | dhcp: T5164: op cmd: "show dhcp server leases state" with available options does not show any result | khramshinr
2024-03-21 | Merge pull request #3160 from vyos/mergify/bp/sagitta/pr-3159 | Christian Breunig
conntrack: T6147: Enable conntrack when firewall state-policy is defined (backport #3159)
2024-03-21 | Merge pull request #3161 from vyos/mergify/bp/sagitta/pr-3158 | Christian Breunig
bridge: T6125: support 802.1ad (ethertype 0x88a8) VLAN filtering (backport #3158)
2024-03-21 | bridge: T6125: support 802.1ad (ethertype 0x88a8) VLAN filtering | Christian Breunig
Linux bridge uses EtherType 0x8100 by default. In some scenarios, an EtherType value of 0x88A8 is required. Reusing CLI command from VIF-S (QinQ) interfaces:

```
set interfaces bridge br0 protocol 802.1ad
```

(cherry picked from commit 9c9b1febff6863ccd3632a04d9e307909b3efe7a)
2024-03-21 | conntrack: T6147: Enable conntrack when firewall state-policy is defined | sarthurdev
* Move global state-policy smoketest to its own test, verify conntrack (cherry picked from commit 62bda3b082a79c2f31483dba5bfeb19464f6dbe2)
2024-03-20 | Merge pull request #3156 from vyos/mergify/bp/sagitta/pr-3155 | Christian Breunig
T6143: Increase configurable timeout range for service config-sync (backport #3155)
2024-03-20 | T6143: Increase configurable timeout range for service config-sync | Viacheslav Hletenko
The maximum timeout for the `service config-sync` is 300 seconds (Connection API timeout). It could not be enough for real massive configurations. Increase the maximum value to 3600:

```
set service config-sync secondary address 192.0.2.1
set service config-sync secondary timeout 3600
```

(cherry picked from commit 4a90e00a886397d9f4202b78cc8995ed93d40014)
2024-03-20 | Merge pull request #3154 from vyos/mergify/bp/sagitta/pr-3131 | Viacheslav Hletenko
qos: T1871: add MTU option when configure limiter traffic-policy (backport #3131)
2024-03-20 | qos: T1871: add MTU option when configure limiter traffic-policy | khramshinr
add mtu to default and specified class; update smoke test (cherry picked from commit 84bbcdf5b7980f701aba6e158a2be4a05e7076d9)
2024-03-19 | Merge pull request #3152 from vyos/mergify/bp/sagitta/pr-3150 | Daniil Baturin
T6138: Fix op-mode show conntrack table with flowtable offloads (backport #3150)
2024-03-19 | Merge pull request #3149 from vyos/mergify/bp/sagitta/pr-3146 | Daniil Baturin
T6136: add error checks when using dynamic firewall groups (backport #3146)
2024-03-19 | T6138: Fix op-mode show conntrack table with flowtable offloads | Viacheslav Hletenko
The op-mode command `show conntrack table ipv4` fails if it gets a conntrack entry with `flowtable` offload. Those entries do not have the key `timeout`:

```
  File "/usr/libexec/vyos/op_mode/conntrack.py", line 115, in get_formatted_output
    timeout = meta['timeout']
              ~~~~^^^^^^^^^^^
```

Use the timeout `n/a` for those offload conntrack entries. (cherry picked from commit a75be3b6814dd39711c157c29405ee6bd83993f5)