summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-09-23Merge pull request #2302 from sever-sever/T5497Viacheslav Hletenko
T5497: op-mode: Add generate firewall rule-resequence
2023-09-23T5497: op-mode: Add generate firewall rule-resequenceViacheslav Hletenko
Add op-mode command `generate firewall rule-resequence` Generates output with new sequences for firewall rules set firewall ipv4 input filter rule 1 action 'accept' set firewall ipv4 input filter rule 1 description 'Allow loopback' $ generate firewall rule-resequence start 10 step 10 set firewall ipv4 input filter rule 10 action 'accept' set firewall ipv4 input filter rule 10 description 'Allow loopback'
2023-09-22Merge pull request #2298 from jestabro/disk-by-idChristian Breunig
smoketest: T5607: support getting SCSI device by drive-id
2023-09-21T5217: Add firewall synproxyViacheslav Hletenko
Add ability to SYNPROXY connections It is useful to protect against TCP SYN flood attacks and port-scanners set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '22' set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
2023-09-21T5600: firewall: change constraints for inbound|outbound interface-name. Now ↵Nicolas Fort
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.
2023-09-21frr: T5591: hint about daemons that always run and can't be disabledChristian Breunig
2023-09-21frr: T5591: cleanup of daemons fileApachez
2023-09-21Merge pull request #2294 from sever-sever/T5602Christian Breunig
T5602: Reverse-proxy add option backup for backend server
2023-09-20op-mode: raid: T5608: define add/delete raid memberJohn Estabrook
2023-09-20op-mode: disk: T5609: add arg by-id to format diskJohn Estabrook
2023-09-20vyos.utils: T5609: get disk device by partial idJohn Estabrook
2023-09-20Merge pull request #2296 from dmbaturin/T5269-deprecate-shared-secretChristian Breunig
openvpn: T5269: add a deprecation warning for shared-secret
2023-09-20openvpn: T5269: add a deprecation warning for shared-secretDaniil Baturin
2023-09-20T5602: Reverse-proxy add option backup for backend serverViacheslav Hletenko
A `backup` server can be defined to take over in the case of all other backends failing set load-balancing reverse-proxy backend <tag> server <tag> address '192.0.2.3' set load-balancing reverse-proxy backend <tag> server <tag> port '8883' set load-balancing reverse-proxy backend <tag> server <tag> backup
2023-09-20Merge pull request #2293 from sarthurdev/conntrack_flowtableChristian Breunig
conntrack: firewall: T4502: Update conntrack check for new flowtable CLI
2023-09-19conntrack: firewall: T4502: Update conntrack check for new flowtable CLIsarthurdev
Also updates flowtable smoketest to verify conntrack enabled
2023-09-19Merge pull request #2289 from c-po/t5239-frrChristian Breunig
init: T5239: configure system hostname prior to FRR startup
2023-09-19init: T5239: configure system hostname prior to FRR startupChristian Breunig
On first boot after an upgrade /etc/hostname and FRR configuration is not populated. FRR determines the system hostname once during startup and does not repect changes of the hostname CLI value. Thus after an upgrade of VyOS FRR started with a hostname of debian that was propagated to peers. The commit retrieves the hostname from the CLI and presets this before FRR is initially started.
2023-09-19pam: T5577: Improved PAM configs for RADIUS and TACACS+zsdc
After sources analysis, we found the next possible return statuses for PAM modules: 1. pam_tacplus Auth: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BUF_ERR - PAM_CRED_INSUFFICIENT - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Account: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Session: - PAM_AUTHINFO_UNAVAIL - PAM_SESSION_ERR - PAM_SUCCESS - PAM_USER_UNKNOWN 2. pam_radius_auth Auth: - PAM_ABORT - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN Account: - PAM_SUCCESS Session: - PAM_ABORT - PAM_AUTHINFO_UNAVAIL - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN PAM configurations were replaced with tuned versions to take this into account.
2023-09-19Merge pull request #2284 from c-po/t5596-bgpChristian Breunig
bgp: T5596: add new features from FRR 9
2023-09-19Merge pull request #2285 from c-po/T5597-isisChristian Breunig
isis: T5597: add new features from FRR 9
2023-09-19Merge pull request #2288 from sarthurdev/flowtableChristian Breunig
firewall: T4502: Update to flowtable CLI
2023-09-19bridge: T4072: Prevent error when removing firewall bridge configsarthurdev
A commit that removes `firewall bridge` will delete the table and not re-create it. Therefore any further firewall commit will fail trying to delete the non-existent bridge table. This commit ensures the table is always present (even if empty) to ensure successful commit.
2023-09-19firewall: ethernet: T4502: Add interface offload node and verify interface ↵sarthurdev
supports HW flowtable offload - Add required offload setting for interfaces + flowtable offload (hw-tc-offload) - Verification of interface support for hardware offloaded flowtables
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-19utils: T5239: add low-level read from config.bootJohn Estabrook
2023-09-18frr: T5239: use vyos.base.warning()Christian Breunig
2023-09-18isis: T5597: add new features from FRR 9Christian Breunig
* Add support for IS-IS advertise-high-metrics set protocols isis advertise-high-metrics * Add support for IS-IS advertise-passive-only set protocols isis advertise-passive-only
2023-09-18bgp: T5596: add new features from FRR 9Christian Breunig
* Add BGP Software Version capability (draft-abraitis-bgp-version-capability) set protocols bgp neighbor 192.0.2.1 capability software-version * Add BGP neighbor path-attribute treat-as-withdraw command set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw
2023-09-18Merge pull request #2283 from nicolas-fort/T5590-fwall-logChristian Breunig
T5590: firewall log rule: fix order which rule are processed
2023-09-18Merge pull request #2276 from sarthurdev/conntrackViacheslav Hletenko
conntrack: T5571: Refactor conntrack using vyos.configdep
2023-09-18conntrack: T5217: Add tcp flag matching to `system conntrack ignore`sarthurdev
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i` - Update smoketest to verify TCP flag matching
2023-09-18T5590: firewall log rule: fix order which rule are processed. Log options ↵Nicolas Fort
should be added at the end of the rule, after all matchers and befora action. Also change 2 lines in policy_route smoketest, which suddenly wasn't working as expected
2023-09-18Merge pull request #2278 from indrajitr/ddclient-cache-fix-smoketestChristian Breunig
ddclient: T5573: Fix smoketest for updated ddclient config
2023-09-18Merge pull request #2279 from sever-sever/smoketestChristian Breunig
GitHub: Add smoketest result menu
2023-09-18Merge pull request #2281 from nicolas-fort/T5594Christian Breunig
T5594: vrrp: extend function is_ipv6_tentative
2023-09-18T5594: vrrp: extend function is_ipv6_tentative to analysis all type of ipv6 ↵Nicolas Fort
address, and not only global ipv6 address. This allows to configure ipv6 link local address on vrrp hello-source-address parameter.
2023-09-18GitHub: Add smoketest result menuViacheslav Hletenko
Add the `Smoketest result` option to the default PR template
2023-09-18ddclient: T5573: Fix smoketest for updated ddclient configIndrajit Raychaudhuri
2023-09-17Merge pull request #2251 from indrajitr/ddclient-cache-fixChristian Breunig
ddclient: T5573: Update config generation aligning with caching fixes
2023-09-16github: Update PR template with section of related PRssarthurdev
2023-09-16nat: Remove deprecated kernel checksarthurdev
/usr/libexec/vyos/conf_mode/nat.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives from distutils.version import LooseVersion
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-09-15Merge pull request #2273 from sever-sever/T5586Christian Breunig
T5586: Disable by default SNMP for Keeplived VRRP service
2023-09-15Merge pull request #2185 from sever-sever/T5261-newViacheslav Hletenko
T5261: Add AWS load-balancing tunnel handler
2023-09-15Merge pull request #2272 from vfreex/fix-t4502Viacheslav Hletenko
T4502: Fix syntax error introduced by #2062
2023-09-15T5586: Disable by default SNMP for Keeplived VRRP serviceViacheslav Hletenko
AgentX does not work stable. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured. set high-availability vrrp snmp
2023-09-15T4502: Fix syntax error introduced by #2062Yuxiang Zhu
When rebasing https://github.com/vyos/vyos-1x/pull/2062, some additional lines are mistakenly included. https://github.com/vyos/vyos-1x/commit/45cfd569119b66abd2f0dfb954042b57921881bd has removed the extra `}`, but the `{{ group_tmpl.groups(group, True) }}` line needs to be removed as well.
2023-09-15Merge pull request #2270 from indrajitr/ddclient-config-permissionChristian Breunig
ddclient: T5585: Fix file access mode for dynamic dns configuration
2023-09-15system: T5505: T5575: support calling system-ip(v6).py from init processChristian Breunig
After commit 976f82785 ("T5575: ARP/NDP table-size isnt set properly") the system bootup process got interrupted as both system-ip.py and system-ipv6.py tried to talk to FRR which was yet not started. This has been fixed by using a conditional path to only execute when FRR service has been enabled. This is safe to do as the initial commit call will has FRR service running and the path will be executed.