Age | Commit message | Author
2024-01-01 | login: T5875: restore home directory permissions only when needed | Christian Breunig
    This improves commit 3c990f49e ("login: T5875: restore home directory permissions when re-adding user account") in a way that the home directory owner is only altered if it differs from the expected owner. Without this change, on every boot we would alter the owner, which could increase the boot time if the home of a user is cluttered.
    (cherry picked from commit 1b364428f79b7e4588a000fca40582ef968fc7fd)
2024-01-01 | image-tools: T5883: preserve file owner in /config on add system update | John Estabrook
    (cherry picked from commit 9f66b9ccfa25f56c209d90a0ad5ad779f3963bee)
2024-01-01 | tunnel: T5879: properly verify source-interface used for tunnels | Christian Breunig
    A tunnel interface can not properly be sourced from a pppoe0 interface when such interface is not (yet) connected to the BRAS. It might work on a running system, but subsequent reboots will fail as the source-interface most likely does not yet exist.
    (cherry picked from commit 66ce19058b7b8597536ddf63bbca027add2ca8a1)
2024-01-01 | configverify: T5880: raise exception if interfaces sourced from dynamic interfaces | Christian Breunig
    Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can not be used as source-interface for e.g. a tunnel. The main reason is that these are dynamic interfaces which come and go from a kernel point of view, thus it's not possible to bind an interface to them.
    (cherry picked from commit 5062f5d313548d6ebb9c07fee6b6d6be25b8f8f0)
2024-01-01 | Merge pull request #2730 from vyos/mergify/bp/sagitta/pr-2729 | Christian Breunig
    T5474: establish common file name pattern for XML conf mode commands (backport #2729)
2024-01-01 | T5474: establish common file name pattern for XML conf mode commands | Christian Breunig
    We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node.

    Example:
        set interfaces ethernet  -> interfaces_ethernet.xml.in
        set interfaces bond      -> interfaces_bond.xml.in
        set service dhcp-server  -> service_dhcp-server-xml.in

    (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
2023-12-31 | Merge pull request #2725 from vyos/mergify/bp/sagitta/pr-2651 | Daniil Baturin
    firewall: T5834: Rename 'enable-default-log' to 'default-log' (backport #2651)
2023-12-31 | Merge pull request #2727 from vyos/mergify/bp/sagitta/pr-2707 | Christian Breunig
    T5870: ipsec remote access VPN: add x509 ("pubkey") authentication. (backport #2707)
2023-12-30 | T5870: ipsec remote access VPN: add x509 ("pubkey") authentication. | Lucas Christian
    (cherry picked from commit 656934e85cee799dba5b495d143f6be445ac22d5)
2023-12-30 | firewall: T5834: Improve log message and simplify log-option include | Indrajit Raychaudhuri
    `include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`.
    (cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242)
2023-12-30 | firewall: T5834: Remove vestigial include file | Indrajit Raychaudhuri
    This file is a leftover from previous refactoring and no longer referenced anywhere in the interface definitions.
    (cherry picked from commit f8f382b2195da8db8b730f107ffba16e67dac822)
2023-12-30 | firewall: T5834: Add support for default log for route policy | Indrajit Raychaudhuri
    One can now do `set policy route foo default-log` which will add log to the policy route chain.
    (cherry picked from commit 6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5)
2023-12-30 | firewall: T5834: Migration for 'enable-default-log' to 'default-log' | Indrajit Raychaudhuri
    (cherry picked from commit 7c40b70af9def9242b30d1fc949288d9da2bd027)
2023-12-30 | firewall: T5834: Rename 'enable-default-log' to 'default-log' | Indrajit Raychaudhuri
    Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency.
    (cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992)
2023-12-30 | Merge pull request #2723 from vyos/mergify/bp/sagitta/pr-2722 | Christian Breunig
    ipsec: T1210: add smoketest for remote-access (road-warrior) users (backport #2722)
2023-12-30 | ipsec: T1210: extend remote-access smoketest with IP pool configuration | Christian Breunig
    This extends commit f9207ed4a ("ipsec: T1210: add smoketest for remote-access (road-warrior) users") in a way that also the IPv4 pool and its DNS servers get validated. There is no separate IPv6 test, as both address families behave the same way when configuring these.
    (cherry picked from commit 1e46cd606d9d87226fe0400bf3a53bda360808d8)
2023-12-30 | ipsec: T1210: add smoketest for remote-access (road-warrior) users | Christian Breunig
    (cherry picked from commit 1a84c4d0e6ff88b650bcfc8ba81827af7fc079f3)
2023-12-30 | Merge pull request #2714 from vyos/mergify/bp/sagitta/pr-2704 | Christian Breunig
    vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1 (backport #2704)
2023-12-30 | Merge pull request #2717 from vyos/mergify/bp/sagitta/pr-2715 | Christian Breunig
    tacacs: T141: Wrap string in double quotes to allow expansion (backport #2715)
2023-12-30 | Merge pull request #2720 from vyos/mergify/bp/sagitta/pr-2718 | Christian Breunig
    system: T5877: Shorten system domain-search config path (backport #2718)
2023-12-30 | Merge pull request #2721 from vyos/mergify/bp/sagitta/pr-2716 | Christian Breunig
    login: T5875: restore home directory permissions when re-adding user account (backport #2716)
2023-12-30 | login: T5875: restore home directory permissions when re-adding user account | Christian Breunig
    After deleting a user account and working with a newly added account, we see that after rebooting in the previously saved configuration, the user is re-added but its home directory might have an old UID set on the filesystem. This is due to the fact that vyos config does not store UIDs. When adding a user account to the system we now check if the home directory already exists and adjust the ownership to the new UID.
    (cherry picked from commit 3c990f49e2bf9347bd2cc478995baa995ee822fd)
2023-12-30 | system: T5877: Update smoketests for domain-search and related config | Indrajit Raychaudhuri
    In addition to testing for shortening the domain-search path, add and improve tests for other resolv.conf entries.
    (cherry picked from commit 584c63f4473373a377db802c173f6252c8085fa3)
2023-12-30 | system: T5877: Shorten system domain-search config path | Indrajit Raychaudhuri
    Shorten and simplify `system domain-search` config path from:
    ```
    set system domain-search domain <domain1>
    ```
    to:
    ```
    set system domain-search <domain1>
    ```
    This will shorten the path and also make it consistent with `domain-search` config in other places (like `dhcp-server`).
    (cherry picked from commit f77bf573c608b6c09182e1bad4312c4dd1e5195e)
2023-12-29 | tacacs: T141: Wrap string in double quotes to allow expansion | Indrajit Raychaudhuri
    (cherry picked from commit a95ee3fd38f3c1d54ea359088d0eb1a4d4582b6b)
2023-12-29 | tests: T5869: consolidate duplicated test cases | Christian Breunig
    We have had duplicated test cases in test_jinja_filters.py and test_template.py. They have been consolidated into test_template.py.
    (cherry picked from commit 80e2e80b5504d1da643a0d5c9772a1f9dee0aa99)
2023-12-29 | vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1 | Christian Breunig
    The subnet router anycast address is predefined. Its format is as follows:

    |                         n bits                 |   128-n bits   |
    +------------------------------------------------+----------------+
    |                   subnet prefix                | 00000000000000 |
    +------------------------------------------------+----------------+

    The "subnet prefix" in an anycast address is the prefix that identifies a specific link. This anycast address is syntactically the same as a unicast address for an interface on the link with the interface identifier set to zero.

    Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet. All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces.

    The Subnet-Router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers.

    Our code as of now returns the subnet router anycast address as the first_host_address().
    (cherry picked from commit cc4ce81ece57faca8ce111b8f3748389ecb40202)
2023-12-29 | Merge pull request #2713 from vyos/mergify/bp/sagitta/pr-2709 | Christian Breunig
    nat: T5681: relax wording on non existing interface Warning message (backport #2709)
2023-12-29 | nat: T5681: relax wording on non existing interface Warning message | Christian Breunig
    Remove the word "error" from a Warning only message to not irritate the user.
    (cherry picked from commit 9f863a50f1ac6c81782df6c43f7df816d9e11b16)
2023-12-29 | Merge pull request #2712 from vyos/mergify/bp/sagitta/pr-2710 | Christian Breunig
    smoketest: T5867: extend container tests for IPv4 and IPv6 networks (backport #2710)
2023-12-29 | smoketest: T5867: extend container tests for IPv4 and IPv6 networks | Christian Breunig
    (cherry picked from commit 503e0d1836aa99e34542031fb6c401eb6877eff7)
2023-12-29 | Merge pull request #2705 from vyos/mergify/bp/sagitta/pr-2703 | Christian Breunig
    ddclient: T5852: add missing priority (backport #2703)
2023-12-28 | ddclient: T5852: add missing priority | Christian Breunig
    Running ddclient on a VLAN interface will fail during reboot as there is no discrete priority to tell that the dynamic DNS service needs to be started after the interfaces.
    (cherry picked from commit ef237a7555843226e9bf48e552ed5feb5df581f4)
2023-12-28 | Merge pull request #2697 from c-po/sagitta-T5829 | Daniil Baturin
    container: T5829: verify container network used supports the given AFI (backport)
2023-12-28 | Merge pull request #2700 from vyos/mergify/bp/sagitta/pr-2501 | Daniil Baturin
    accel-ppp: T5688: Standardized pool configuration in accel-ppp (backport #2501)
2023-12-28 | Merge pull request #2702 from vyos/mergify/bp/sagitta/pr-2699 | Christian Breunig
    container: T5867: disable healthchecks due to upstream issue (backport #2699)
2023-12-28 | Merge pull request #2701 from vyos/mergify/bp/sagitta/pr-2698 | Christian Breunig
    op-mode: T5866: Add command to restart IPv6 RA daemon (backport #2698)
2023-12-28 | container: T5867: disable healthchecks due to upstream issue | Christian Breunig
    conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe
    https://github.com/containers/conmon/issues/438
    (cherry picked from commit 6c84ff41b92d7c2e0b239dca59955e8a247fecdb)
2023-12-28 | op-mode: T5866: Add command to restart IPv6 RA daemon | Christian Breunig
    vyos@vyos:~$ restart router-advert
    (cherry picked from commit 9d15c7d3fb21648a52b9c06bdc0a5055f8099119)
2023-12-28 | T5859: Fixed format of pool range in the accel-ppp config | aapostoliuk
    Fixed format of ipv4 pool range from 'x.x.x.x-x.x.x.y' to 'x.x.x.x-y'
    (cherry picked from commit 714a6b1dd5e4de6c85911fa64f4b5f37b44979cf)
2023-12-28 | accel-ppp: T5688: Fixed migration script for pppoe-server | aapostoliuk
    Fixed migration script for pppoe-server
    (cherry picked from commit 17722f3ee1151d2e4ccf23655f7079615bf61e24)
2023-12-28 | accel-ppp: T5688: Standardized pool configuration in accel-ppp | aapostoliuk
    Standardized pool configuration for all accel-ppp services.
    1. Only named pools are used now.
    2. Allows all services to use range in x.x.x.x/mask and x.x.x.x-x.x.x.y format.
    3. next-pool can be used in all services.
    4. Allows to use in ipoe gw-ip-address without pool configuration, which allows to use Framed-IP-Address attribute by radius.
    5. Default pool name should be explicitly configured with default-pool.
    6. In ipoe netmask and range subnet can be different.
    (cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
2023-12-28 | container: T5829: fix base key "container" re-use in for loop | Christian Breunig
    (cherry picked from commit 405cc66041d8035500f7b7116301983c48464a9b)
2023-12-28 | container: T5829: verify container network used supports the given AFI | Christian Breunig
    (cherry picked from commit e70ca62c474b4e2cc135851a6e5cceee037bf378)
2023-12-28 | Merge pull request #2692 from indrajitr/sagitta-ddclient-backports-20231226 | Christian Breunig
    ddclient: T5144,T5791: Consolidated backport for dynamic dns updates and fixes
2023-12-26 | ddclient: T5144: Warn against configuration with broken IP lookup service | Indrajit Raychaudhuri
    We always enable HTTPS in ddclient configuration, however `http://checkip.dyndns.org` is HTTP only and does not support HTTPS. Warn the user if they are using this service. Also, make `url` in `web-options` mandatory.
2023-12-26 | ddclient: T5144: Migrate web-options url to stricter format | Indrajit Raychaudhuri
    Legacy ddclient allowed arbitrary URLs in web-options, but the new one has stricter validations. Apply migration to the old URLs. Also migrate checkip.dyndns.org to https://domains.google.com/checkip for better TLS support.
2023-12-26 | ddclient: T5144: Fix migration to avoid config name conflict | Indrajit Raychaudhuri
    When migrating from `service dns dynamic interface <interface> ...` to `service dns dynamic address <address> ...`, the config name can potentially have a conflict when `address == 'web'`. Although the `/run/ddclient/ddclient.conf` that was generated earlier was incorrect, one could still potentially have misconfigured VyOS config without realizing it. We now append the old <interface> name to the config name to avoid conflict.
2023-12-26 | ddclient: T5791: Fix migration to normalize config name and avoid config | Indrajit Raychaudhuri
    Since `service dns dynamic address <address> service <service> ...` changed to `service dns dynamic name <service> address <address> ...`, the resulting service and address config flip can result in conflicting `service` name. Additionally, since dynamic DNS service name now has a name constraint, we need to normalize the service name to conform with the constraint. We now migrate the service name to (service|rfc2136)-<service>-<address> to avoid the conflict and optionally append an index if there is still a name conflict after normalization.
2023-12-26 | ddclient: T5791: Enforce alphanumeric constraint on service name | Indrajit Raychaudhuri
    Enforce constraint on Dynamic DNS service name to be alphanumeric (including hyphens and underscores).