Age | Commit message | Author
2024-04-02 | configverify: T6198: add common helper for PKI certificate validation | Christian Breunig
The next evolutional step after adding get_config_dict(..., with_pki=True) is to add a common verification function for the recurring task of validating SSL certificate existence in e.g. EAPoL, OpenConnect, SSTP or HTTPS. (cherry picked from commit 3b758d870449e92fece9e29c791b950b332e6e65)
2024-04-02 | Merge pull request #3233 from vyos/mergify/bp/sagitta/pr-3232 | Christian Breunig
T6196: Fixed applying parameters for aggregation in BGP (backport #3232)
2024-04-02 | Merge pull request #3234 from vyos/mergify/bp/sagitta/pr-3230 | Christian Breunig
firewall: nat: policy: vrf: nft call syntax and import cleanup (backport #3230)
2024-04-02 | ssh: T6192: allow binding to multiple VRF instances | Christian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF. (cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
2024-04-02 | utils: T5738: always use vyos.utils.network.interface_exists over os.path.exists | Christian Breunig
(cherry picked from commit 5bb27f0c6220fd940b63cdd37a60c312c0ac3efd)
2024-04-02 | xml: T5738: extend VRF building blocks with common constraint definition | Christian Breunig
(cherry picked from commit 32d6a693de99021d2cd44fb4235e929caf7b4a6d)
2024-04-02 | init: T3355: always use full nft command name (e.g. --file over -f) | Christian Breunig
(cherry picked from commit 0529371bc587e2fcdd8794061e9bb9d60c792c43)
2024-04-02 | firewall: T970: always use full nft command name (e.g. --file over -f) | Christian Breunig
(cherry picked from commit f1c51884fb62d3917e92af51d4219e291c7a8e74)
2024-04-02 | conntrack: T4309: T4903: always use full nft command name (e.g. --file over -f) | Christian Breunig
(cherry picked from commit 462ba67cf2e193883e33b4ce655b2b0cd1aab80f)
2024-04-02 | nhrp: T2199: always use full nft command name (e.g. --file over -f) | Christian Breunig
(cherry picked from commit f92ef7f3c86ca09775b536ca2bd9813f95cc7d3f)
2024-04-02 | policy: T2199: always use full nft command name (e.g. --file over -f) | Christian Breunig
(cherry picked from commit a33946630348371518247ff13ce918c208ef50d1)
2024-04-02 | nat: T2199: always use full nft command name (e.g. --file over -f) | Christian Breunig
(cherry picked from commit e257155aea09b906d8784cb6143d3ab27578c4a8)
2024-04-02 | vrf: T3655: always use full nft command name (e.g. --check over -c) | Christian Breunig
(cherry picked from commit 09ac2851f89f2b7d94a21c3506e46f380e961fba)
2024-04-02 | firewall: T2199: always use full nft command name (e.g. --file over -f) | Christian Breunig
(cherry picked from commit 6e0fdbcbba39691461f791c7a68a2c6c5091d2c1)
2024-04-02 | T6196: Fixed applying parameters for aggregation in BGP | aapostoliuk
Fixed using 'route-map', 'as-set' and 'summary-only' together in aggregation in BGP (cherry picked from commit d8df8339d665db58afbf20cecaeb49ac9d1b617d)
2024-04-02 | Merge pull request #3231 from vyos/mergify/bp/sagitta/pr-3212 | Daniil Baturin
bgp: T6151: Allow configuration of disable-ebgp-connected-route-check (backport #3212)
2024-04-01 | bgp: T6151: Fix description in PEER disable-connected-check | fett0
(cherry picked from commit 24d0400b9c55cadef1eb99b3e84a363dd6ad5033)
2024-04-01 | bgp: T6151: Fix description in PEER disable-connected-check | fett0
(cherry picked from commit 84b6f6bcf59d526c35928c974e3f2d03c4d5ec06)
2024-04-01 | bgp: T6151: Allow configuration of disable-ebgp-connected-route-check | fett0
(cherry picked from commit 85e5ccbab85c8ded426896d61bcf64d329768f2c)
2024-04-01 | bgp: T6010: Allow configuration of disable-ebgp-connected-route-check | fett0
(cherry picked from commit 010c4061a8884a3617368f3618a425dc517d0675)
2024-04-01 | Merge pull request #3227 from vyos/mergify/bp/sagitta/pr-3223 | Daniil Baturin
system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option" (backport #3223)
2024-04-01 | Merge pull request #3226 from vyos/mergify/bp/sagitta/pr-3224 | Christian Breunig
dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domains (backport #3224)
2024-04-01 | system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option" | Christian Breunig
This fixes an invalid warning when using a DHCP VLAN interface to retrieve the system nameserver to be used. VLAN CLI config is not properly expanded leading to a false warning:

    [ system name-server eth1.10 ]
    WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option!

(cherry picked from commit 61e70c5500ad5b0a9d25bdee28d982644bad6461)
2024-04-01 | dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domains | Christian Breunig
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which was present to update /etc/resolv.conf with the DHCP specified nameservers and also the search domain list was no longer present. This commit adds a per interface rendered script to inform vyos-hostsd about the received IPv6 nameservers and search domains. (cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
2024-04-01 | Merge pull request #3225 from vyos/mergify/bp/sagitta/pr-3222 | Daniil Baturin
T6178: Check that certificate exists during reverse-proxy commit (backport #3222)
2024-04-01 | T6178: Check that certificate exists during reverse-proxy commit | khramshinr
(cherry picked from commit 320fe827b4842b0c0da1ec5fee3d41a5730334d5)
2024-03-31 | Merge pull request #3220 from vyos/mergify/bp/sagitta/pr-3218 | Christian Breunig
accel-ppp: T6187: use correct CPU counts adjusted for SMT (backport #3218)
2024-03-31 | accel-ppp: T6187: use correct CPU counts adjusted for SMT | Daniil Baturin
(cherry picked from commit 6927c0b622c8feaece907944bae3d4724f1e55a0)
2024-03-30 | Merge pull request #3216 from vyos/mergify/bp/sagitta/pr-3213 | Christian Breunig
bgp: T6106: Valid commit error for route-reflector-client option defined in peer-group (backport #3213)
2024-03-30 | Merge pull request #3217 from vyos/mergify/bp/sagitta/pr-3215 | Daniil Baturin
image-tools: T6186: simplify image annotations fixing regression (backport #3215)
2024-03-30 | image-tools: T6186: simplify image annotations fixing regression | John Estabrook
(cherry picked from commit 1f0c33c00118c42fc2796d99aff94c428f434d4a)
2024-03-30 | bgp: T6106: Valid commit error for route-reflector-client option defined in peer-group | khramshinr
changed exception condition
Improved route_reflector_client test
(cherry picked from commit 84f05b1dd41bea5de16d707aa77a467f8d499323)
2024-03-29 | Merge pull request #3196 from HollyGurza/T4718-sagitta | Daniil Baturin
dhcp-server: T4718: Listen-address is not commited if the IP address is on the interface with a VRF
2024-03-29 | Merge pull request #3209 from vyos/mergify/bp/sagitta/pr-3198 | Daniil Baturin
openvpn: T6159: Openvpn Server Op-cmd adds heading "OpenVPN status on vtunx" for every client connection (backport #3198)
2024-03-28 | openvpn: T6159: Openvpn Server Op-cmd adds heading "OpenVPN status on vtunx" for every client connection | khramshinr
Don't show duplicate info of vtunx show header when clients are not connected but server is configured (cherry picked from commit 66a009f367f8bf274eac9a4d4e1f4f8911c85872)
2024-03-28 | Merge pull request #3197 from vyos/mergify/bp/sagitta/pr-3193 | Christian Breunig
T6121: Extend config-sync for QoS and system options (backport #3193)
2024-03-28 | Merge pull request #3206 from vyos/mergify/bp/sagitta/pr-3200 | Daniil Baturin
T5832: VRRP allow set interface for exluded-address (backport #3200)
2024-03-28 | T5832: VRRP allow set interface for exluded-address | Viacheslav Hletenko
Ability to set interface for `excluded-address`
The excluded-addresses are not listed in the VRRP packet (adverts packets).
We have this ability for `address`, add the same feature for the excluded-address
```
set high-availability vrrp group GRP-01 excluded-address 192.0.2.202 interface 'dum2'
set high-availability vrrp group GRP-01 excluded-address 192.0.2.203 interface 'dum3'
```
(cherry picked from commit 0daf445abcd00446da21fe0220d41d5fdde95ebd)
2024-03-28 | Merge pull request #3204 from vyos/mergify/bp/sagitta/pr-2965 | Daniil Baturin
T5872: ipsec remote access VPN: support dhcp-interface. (backport #2965)
2024-03-28 | Merge pull request #3205 from vyos/mergify/bp/sagitta/pr-3202 | Daniil Baturin
ipsec: T5606: T5871: Use multi node for CA certificates (backport #3202)
2024-03-28 | ipsec: T5606: T5871: Use multi node for CA certificates | sarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended. (cherry picked from commit 952b1656f5164f6cfc601e040b48384859e7a222)
2024-03-28 | T5872: re-write exit hook to always regenerate config | Lucas Christian
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
2024-03-28 | T5872: further fixes to ipsec dhcp exit hook | Lucas Christian
(cherry picked from commit 92012a0b3db8e93b10db4137414073f0371ed8cc)
2024-03-28 | T5872: fix ipsec dhclient exit hook | Lucas Christian
(cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f)
2024-03-28 | T5872: ipsec remote access VPN: support dhcp-interface. | Lucas Christian
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
2024-03-28 | Merge pull request #3203 from vyos/mergify/bp/sagitta/pr-3201 | Christian Breunig
grub: T4516: correct a format string (backport #3201)
2024-03-28 | grub: T4516: correct a format string | Daniil Baturin
(cherry picked from commit 74e502c16109b8d6d197751fc63ac5a32ff44404)
2024-03-28 | Merge pull request #3199 from vyos/mergify/bp/sagitta/pr-3194 | Christian Breunig
op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interface (backport #3194)
2024-03-28 | op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interface | Christian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes

    root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
    root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script
    root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 -

Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER

    vyos@vyos:~$ show interfaces
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface    IP Address         MAC                VRF        MTU  S/L    Description
    -----------  -----------------  -----------------  -------  -----  -----  -------------
    eth0         -                  00:50:56:bf:c5:6d  default   1500  u/u
    eth0.10      172.16.33.102/24   00:50:56:bf:c5:6d  default   1500  u/u
    eth1         172.16.33.131/24   00:50:56:b3:38:c5  default   1500  u/u

172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.

This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for, has actually a dhcp address configured. In addition this exposes the renew feature to the API.

(cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
2024-03-28 | T6121: Extend config-sync for QoS and system options | Viacheslav Hletenko
Extend the service config-sync for sections:
- qos interface
- qos policy
- system conntrack
- system flow-accounting
- system option
- system sflow
- system static-host-mapping
- system sysctl

(cherry picked from commit 9d5ad172034ae510288b11313d307f0a24bb4b7d)