summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-08-16Merge pull request #2150 from ↵John Estabrook
dmbaturin/T5271-openvpn-peer-fingerprint-restrictions T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
2023-08-16netplug: T5476: rewrite dhclient helper from Perl -> PythonChristian Breunig
There are two hooks called for bridge, ethernet and bond interfaces if the link-state changes up -> down or down -> up. The helpers are: * /etc/netplug/linkdown.d/dhclient * /etc/netplug/linkup.d/dhclient As those helpers use Linux actions to start/restart the dhclient process in Perl it's time to rewrite it. First goal is to get rid of all Perl code and the second is that we now have a Proper Python library. Instead of checking if the process is running the then restarting it without even systemd noticing (yeah we might get two processes beeing alive) we should: * Add a Python helper that can be used for both up and down (see man 8 netplugd FILES section) * Query the VyOS CLI config if the interface in question has DHCP(v6) configured and is not disabled * Add IPv6 DHCPv6 support MAN page: https://linux.die.net/man/8/netplugd
2023-08-16wireguard: T1843: add peer description CLI optionChristian Breunig
2023-08-15T5483: clean up tmp config fileJohn Estabrook
2023-08-15T5271: allow the user to specify either CA or peer fingerprintDaniil Baturin
in OpenVPN site-to-site mode
2023-08-15T5271: correct dict path in the template for OpenVPN peer fingerprintDaniil Baturin
2023-08-15T5270: generate 'dh none' unconditionally when dh-params is no presentDaniil Baturin
The condition is useless since OpenVPN simply switches to ECDH in all modes when the classic DH prime is not specified
2023-08-15T5478: remove config-trap configuration parser in firewallNicolas Fort
2023-08-14pki: T5477: use Config instead of ConfigTreeQuery for defaultsJohn Estabrook
2023-08-13smoketest: T5467: verify OSPF(v3) interface removal in VRF contextChristian Breunig
Testcases after the bugfix in commit 011697508 ("T5467: removing ospf(v3) or isis interface in VRF context did not clear FRR config"). For ISIS change in the tests - do not run self_commit() in a for loop if not really necessary, this will slow down the tests.
2023-08-13smoketest: openvpn: T5270:Christian Breunig
This fixes the smoketest after the change in commit e7d7bd20b ("openvpn: T5270: do not require classic DH params in any more Generate 'dh none' instead and let OpenVPN use ECDH") ... as there is no exception raised 05:47:26 DEBUG - ====================================================================== 05:47:26 DEBUG - FAIL: test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify) 05:47:26 DEBUG - ---------------------------------------------------------------------- 05:47:26 DEBUG - Traceback (most recent call last): 05:47:26 DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 342, in test_openvpn_server_verify 05:47:26 DEBUG - with self.assertRaises(ConfigSessionError): 05:47:26 DEBUG - AssertionError: ConfigSessionError not raised
2023-08-12smoketest: T5465: add config migration test for VLAN interfaceChristian Breunig
2023-08-12Merge pull request #2117 from zdc/T5410-sagittaDaniil Baturin
utils: T5410: Extended supported types in `convert_data()`
2023-08-12T5160: fix merge regressionJohn Estabrook
2023-08-12T5467: removing ospf(v3) or isis interface in VRF context did not clear FRR ↵Christian Breunig
config To reproduce: set vrf name red table 2000 set vrf name red protocols ospf interface eth1 area 0 set vrf name red protocols ospf parameters router-id 1.1.1.1 set interfaces ethernet eth1 vrf red commit FRR now has an interface config vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p" interface eth1 ip ospf area 0 ip ospf dead-interval 40 exit Now delete the interface from the OSPF(v3) or ISIS process delete vrf name red protocols ospf interface commit It's still there vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p" interface eth1 ip ospf area 0 ip ospf dead-interval 40 exit ! Issue was caused in the FRR vtysh representation of an interface. It used to have a "vrf <name>" marker in earlier versions but FRR 8.5 and later no longer have the marker. So "interface eth1 vrf red" became "interface eth1" in vtysh, but our regex expected the "vrf" identifier when modifying FRR config.
2023-08-11ipv6: T5464: add support for per-interface dad (duplicate address detection) ↵Christian Breunig
setting
2023-08-11ipv6: T5464: use proper XML default for DAD transmitsChristian Breunig
This is only a cosmetic change so that the default value is properly retrieved from the defaultValue XML node.
2023-08-11Merge pull request #2016 from nicolas-fort/T5160Christian Breunig
T5160: Firewall refactor
2023-08-11Merge pull request #2148 from sever-sever/T5448Daniil Baturin
T5448: Move zabbix-agent to node monitoring
2023-08-11interface: T5465: adjust-mss: config migration fails if applied to a VLAN or ↵Christian Breunig
Q-in-Q interface When migration from 1.3 to 1.4 and a user hat the following configured: options { interface eth0.10{ adjust-mss 1452 adjust-mss6 1432 } } The configuration was wrongly migrated to: interfaces { ethernet eth0.10 { ipv6 { adjust-mss "1432" } ip { adjust-mss "1452" } } Instead of interfaces { ethernet eth0 { vif 10 { ipv6 { adjust-mss "1432" } ip { adjust-mss "1452" } } }
2023-08-11T5440: Restore pre/postconfig scripts if user deleted themApachez
Using variable ${vyos_rootfs_dir} instead of wildcard for both restore_if_missing_preconfig and restore_if_missing_postconfig.
2023-08-11T5460: remove config-trap from firewallNicolas Fort
2023-08-11T5160: firewall refactor: fix regexep for connection-status. Create new file ↵Nicolas Fort
with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers
2023-08-11T5160: firewall refactor: change default value for <default-action> from ↵Nicolas Fort
<drop> to <accept> if default-action is not specified in base chains
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewall refactor: fix firewall template for correct rule parsing ↵Nicolas Fort
that contains fqnd and/or geo-ip in base chains. Fix mig script
2023-08-11T5160: firewal refactor: fix tabulation for geo-ip parsing code. Typo fix in ↵Nicolas Fort
firewall smoketest
2023-08-11T5160: T5250: while refactoring, fix reference column for op-mode command ↵Nicolas Fort
show_firewall_group.
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor. Update op-mode commands to new syntax.Nicolas Fort
2023-08-11T5160: firewall refactor: re-add missing code in template.py which was ↵Nicolas Fort
accidentaly removed. Update smokestest: remove zone test and fix test_sysfs test
2023-08-11T5160: firewall refactor: new cli structure. Add migration script and update ↵Nicolas Fort
smoketest
2023-08-11T5160: firewall refactor: new cli structure. Update jinja templates, python ↵Nicolas Fort
scripts and src firewall
2023-08-11T5160: firewall refactor: new cli structure. Update only all xmlNicolas Fort
2023-08-11T5448: Move zabbix-agent to node monitoringViacheslav Hletenko
Move 'service zabbix-agent' => 'service monitoring zabbix-agent'
2023-08-11Merge pull request #2147 from jestabro/remaining-defaultsViacheslav Hletenko
T5434: remove reamining calls to incorrect defaults
2023-08-11Merge pull request #2146 from dmbaturin/T5270-openvpn-dh-optionalChristian Breunig
openvpn: T5270: do not require classic DH params in any mode
2023-08-10T5319: remove defaults workarounds in vyos-domain-resolver.pyJohn Estabrook
2023-08-10T5434: use package specific cache in nosetestsJohn Estabrook
2023-08-10T5434: drop unneeded cache generation from old libJohn Estabrook
2023-08-10T5434: use get_defaults instead of defaultsJohn Estabrook
2023-08-10T5434: use auto-defaults in op-mode pki.pyJohn Estabrook
2023-08-10T5434: remove unneeded importJohn Estabrook
2023-08-10T5434: replace import of component_versionJohn Estabrook
2023-08-10xml: T5218: fix typo in component_versionJohn Estabrook
2023-08-10T5319: remove workaround in op-mode show_openconnect_otp.pyJohn Estabrook
2023-08-10Merge pull request #2140 from sever-sever/T5448Daniil Baturin
T5448: Add service zabbix-agent
2023-08-10openvpn: T5270: do not require classic DH params in any moreDaniil Baturin
Generate 'dh none' instead and let OpenVPN use ECDH
2023-08-10tunnel: T5223: clear GRE key id after deletionsrividya0208
2023-08-10Merge pull request #2144 from dmbaturin/T5271-openvpn-peer-fingerprintChristian Breunig
openvpn: T5271: add peer certificate fingerprint option