summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-12-30Merge pull request #2721 from vyos/mergify/bp/sagitta/pr-2716Christian Breunig
login: T5875: restore home directory permissions when re-adding user account (backport #2716)
2023-12-30login: T5875: restore home directory permissions when re-adding user accountChristian Breunig
After deleting a user account and working with a newly added account, we see that after rebooting in the previously saved configuration, the user is re-added but it's home directory might have an old UID set on the filesystem. This is due to the fact that vyos config does not store UIDs. When adding a user account to the system we now check if the home directory already exists and adjust the ownership to the new UID. (cherry picked from commit 3c990f49e2bf9347bd2cc478995baa995ee822fd)
2023-12-29Merge pull request #2713 from vyos/mergify/bp/sagitta/pr-2709Christian Breunig
nat: T5681: relax wording on non existing interface Warning message (backport #2709)
2023-12-29nat: T5681: relax wording on non existing interface Warning messageChristian Breunig
Remove the word "error" from a Warning only message to not irritate the user. (cherry picked from commit 9f863a50f1ac6c81782df6c43f7df816d9e11b16)
2023-12-29Merge pull request #2712 from vyos/mergify/bp/sagitta/pr-2710Christian Breunig
smoketest: T5867: extend container tests for IPv4 and IPv6 networks (backport #2710)
2023-12-29smoketest: T5867: extend container tests for IPv4 and IPv6 networksChristian Breunig
(cherry picked from commit 503e0d1836aa99e34542031fb6c401eb6877eff7)
2023-12-29Merge pull request #2705 from vyos/mergify/bp/sagitta/pr-2703Christian Breunig
ddclient: T5852: add missing priority (backport #2703)
2023-12-28ddclient: T5852: add missing priorityChristian Breunig
Running ddclient on a VLAN interface will fail during reboot as there is no discrete priority to tell that the dynamic DNS service needs to be started after the interfaces. (cherry picked from commit ef237a7555843226e9bf48e552ed5feb5df581f4)
2023-12-28Merge pull request #2697 from c-po/sagitta-T5829Daniil Baturin
container: T5829: verify container network used supports the given AFI (backport)
2023-12-28Merge pull request #2700 from vyos/mergify/bp/sagitta/pr-2501Daniil Baturin
accel-ppp: T5688: Standardized pool configuration in accel-ppp (backport #2501)
2023-12-28Merge pull request #2702 from vyos/mergify/bp/sagitta/pr-2699Christian Breunig
container: T5867: disable healthchecks due to upstream issue (backport #2699)
2023-12-28Merge pull request #2701 from vyos/mergify/bp/sagitta/pr-2698Christian Breunig
op-mode: T5866: Add command to restart IPv6 RA daemon (backport #2698)
2023-12-28container: T5867: disable healthchecks due to upstream issueChristian Breunig
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe https://github.com/containers/conmon/issues/438 (cherry picked from commit 6c84ff41b92d7c2e0b239dca59955e8a247fecdb)
2023-12-28op-mode: T5866: Add command to restart IPv6 RA daemonChristian Breunig
vyos@vyos:~$ restart router-advert (cherry picked from commit 9d15c7d3fb21648a52b9c06bdc0a5055f8099119)
2023-12-28T5859: Fixed format of pool range in the accel-ppp configaapostoliuk
Fixed format of ipv4 pool range from 'x.x.x.x-x.x.x.y' to 'x.x.x.x-y' (cherry picked from commit 714a6b1dd5e4de6c85911fa64f4b5f37b44979cf)
2023-12-28accel-ppp: T5688: Fixed migration script for pppoe-serveraapostoliuk
Fixed migration script for pppoe-server (cherry picked from commit 17722f3ee1151d2e4ccf23655f7079615bf61e24)
2023-12-28accel-ppp: T5688: Standardized pool configuration in accel-pppaapostoliuk
Standardized pool configuration for all accel-ppp services. 1. Only named pools are used now. 2. Allows all services to use range in x.x.x.x/mask and x.x.x.x-x.x.x.y format 3. next-pool can be used in all services 2. Allows to use in ipoe gw-ip-address without pool configuration which allows to use Fraimed-IP-Address attribute by radius. 3. Default pool name should be explicidly configured with default-pool. 4. In ipoe netmask and range subnet can be different. (cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
2023-12-28container: T5829: fix base key "container" re-use in for loopChristian Breunig
(cherry picked from commit 405cc66041d8035500f7b7116301983c48464a9b)
2023-12-28container: T5829: verify container network used supports the given AFIChristian Breunig
(cherry picked from commit e70ca62c474b4e2cc135851a6e5cceee037bf378)
2023-12-28Merge pull request #2692 from indrajitr/sagitta-ddclient-backports-20231226Christian Breunig
ddclient: T5144,T5791: Consolidated backport for dynamic dns updates and fixes
2023-12-26ddclient: T5144: Warn against configuration with broken IP lookup serviceIndrajit Raychaudhuri
We always enable HTTPS in ddclient configuration, however `http://checkip.dyndns.org` is HTTP only and does not support HTTPS. Warn the user if they are using this service. Also, make `url` in `web-options` mandatory.
2023-12-26ddclient: T5144: Migrate web-options url to stricter formatIndrajit Raychaudhuri
Legacy ddclient allowed arbitrary URLs in web-options, but the new has stricter validations. Apply migration to the old URLs. Also migrate checkip.dyndns.org to https://domains.google.com/checkip for better TLS support.
2023-12-26ddclient: T5144: Fix migration to avoid config name conflictIndrajit Raychaudhuri
When migrating from `service dns dynamic interface <interface> ...` to `service dns dynamic address <address> ...`, the config name can potentially have a conflict when `address == 'web'`. Although the `/run/ddclient/ddclient.conf` that was generated earlier was incorrect, one could still potentially have misconfigured VyOS config without realizing it. We now append the old <interface> name to the config name to avoid conflict.
2023-12-26ddclient: T5791: Fix migration to normalize config name and avoid configIndrajit Raychaudhuri
Since `service dns dynamic address <address> service <service> ...` changed to `service dns dynamic name <service> address <address> ...`, the resulting service and address config flip can result in conflicting `service` name. Additionally, since dynamic DNS service name now have name constraint, we need to normalize the service name to conform with the constraint. We now migrate the service name to (service|rfc2136)-<service>-<address> to avoid the conflict and optionally append an index if there is still a name conflict after normalization.
2023-12-26ddclient: T5791: Enforce alphanumeric constraint on service nameIndrajit Raychaudhuri
Enforce constraint on Dynamic DNS service name to be alphanumeric (including hyphens and underscores).
2023-12-26ddclient: T5791: Add smoketest for dynamic interface and cleanupIndrajit Raychaudhuri
2023-12-26ddclient: T5791: Adjust the warning messages and minor refactoringIndrajit Raychaudhuri
2023-12-25Merge pull request #2690 from vyos/mergify/bp/sagitta/pr-2689Viacheslav Hletenko
ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces (backport #2689)
2023-12-25ethernet: T5566: disable energy efficient ethernet (EEE) for interfacesChristian Breunig
VyOS is a routing (packet pushing) platform, thus supporting EEE which potentially causes issues is not a good idea. Some recent Intel drivers enable EEE by default, thus we will disable this for every NIC supporting EEE. (cherry picked from commit ab30509b25d54dac99294b76ba03fd49c3d2c946)
2023-12-25Merge pull request #2688 from vyos/mergify/bp/sagitta/pr-2687Christian Breunig
snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp" (backport #2687)
2023-12-25snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"Christian Breunig
(cherry picked from commit a9201e77110ce0695e2ba879304aef41b7ac9a0c)
2023-12-25snmp: T5855: add GPL license headerChristian Breunig
(cherry picked from commit 2490f22408ad811ff9f63ec970d0167ecbf4ab59)
2023-12-24Merge pull request #2685 from vyos/mergify/bp/sagitta/pr-2682Daniil Baturin
configdict: T5837: add support to return added nodes when calling node_changed() (backport #2682)
2023-12-24configdict: T5837: add support to return added nodes when calling node_changed()Christian Breunig
In the past, node_changed() suggested it would also return nodes that got added (function comment) but in reality only deleted keys got accounted for. This commit changes the signature and adds an argument expand_nodes to specify the users interest of a node was deleted (default), added (expand_nodes=Diff.ADD) or even both (expand_nodes=Diff.ADD|Diff.DELETE). (cherry picked from commit 4ee4064705ebd1e1a6a59be0c6df3b96755a067e)
2023-12-24T5837: cleanup use of calls to vyos.configdict.node_changed()Christian Breunig
node_changed() will return a list of changed keys under "path". We are not always interested what changed, sometimes we are only interested if something changed at all, that what vyos.configdict.is_node_changed() is for. (cherry picked from commit 5e7a8288d06a6d6beee5e1abd2e06698ab778650)
2023-12-24Merge pull request #2684 from vyos/mergify/bp/sagitta/pr-2683Daniil Baturin
snmp: 5856: fix service removal error (backport #2683)
2023-12-24snmp: 5856: fix service removal errorChristian Breunig
When deleting SNMP from CLI the 'delete' key was not honored in the config dictionary, leading to a false process startup causing the following error: Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details. (cherry picked from commit 20b98e780fda4131eb242921884d4955147ce51a)
2023-12-24Merge pull request #2681 from vyos/mergify/bp/sagitta/pr-2677Viacheslav Hletenko
T160: NAT64 add match firewall mark feature (backport #2677)
2023-12-24T160: NAT64 add match firewall mark featureViacheslav Hletenko
Match mark allows to use firewall marks of packet to use a specific pool Example of instance config /run/jool/instance-100.json ``` ... "pool4": [ { "protocol": "TCP", "prefix": "192.0.2.10", "port range": "1-65535", "mark": 23 }, ... ``` (cherry picked from commit 8e1e79cfa24c155c8d504822fbbd3c20f890fb70)
2023-12-24Merge pull request #2680 from vyos/mergify/bp/sagitta/pr-2679Christian Breunig
xml: T5854: clear empty paths left by embedded override of defaultValue (backport #2679)
2023-12-24veth: T5853: fix typo in constraintErrorMessagezero13th
(cherry picked from commit 89cd75b8dbe5cc145a4423bf10faa76fd6bdcdbf)
2023-12-24xml: T5854: clear empty paths left by embedded override of defaultValueJohn Estabrook
(cherry picked from commit c4f9c936c9fdd32e7f6258c0dfa8c8cf6057998d)
2023-12-21Merge pull request #2675 from c-po/nat66-fix-sagittaDaniil Baturin
nat66: T2898: build fix after ndp-proxy backport
2023-12-21nat66: T2898: build fix after ndp-proxy backportChristian Breunig
2023-12-21Merge pull request #2673 from vyos/mergify/bp/sagitta/pr-2665Christian Breunig
T2898: add ndp-proxy service (backport #2665)
2023-12-21T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } } (cherry picked from commit 4d721a58020971d00ab854c37b68e88359999f9c)
2023-12-21Merge pull request #2674 from vyos/mergify/bp/sagitta/pr-2663Daniil Baturin
srv6: T591: enable SR enabled packet processing on defined interfaces (backport #2663)
2023-12-21srv6: T591: enable SR enabled packet processing on defined interfacesChristian Breunig
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables: seg6_enabled - BOOL Accept or drop SR-enabled IPv6 packets on this interface. Relevant packets are those with SRH present and DA = local. 0 - disabled (default) not 0 - enabled Or the VyOS CLI command: * set protocols segment-routing interface eth0 srv6 (cherry picked from commit 774cc97eda61eb0b91df820797fb3c705d0073d5)
2023-12-21vrf: T591: define sysctl setting for net.vrf.strict_modeChristian Breunig
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device. A VRF table can be used by the VyOS CLI only once (ensured by verify()), this simply adds an additional Kernel safety net, but a requirement for IPv6 segment routing headers. (cherry picked from commit 10701108fecb36f7be7eb7ef5f1e54e63da5fb4e)
2023-12-21Merge pull request #2672 from vyos/mergify/bp/sagitta/pr-2611Christian Breunig
T5804: nat: remove inbound|outbound interface from old configuration when it was set to <any>. (backport #2611)