Age         Commit message  [Author]
2024-08-01  T6570: firewall: add global-option to configure sysctl parameter for enabling/disabling sending traffic from bridge layer to ipvX layer  [Nicolas Fort]
2024-08-01  T4072: firewall: improve error handling when firewall configuration is wrong. Use nft -c option to check temporary file, and use output provided by nftables to parse the error if possible, or print it as it is if it's an unknown error  [Nicolas Fort]
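The T4072 entry above describes a dry-run of the generated ruleset with `nft -c` and a best-effort parse of the error text. The following is an added illustration of that approach, written for this page; it is not VyOS's own implementation. It assumes the nft(8) error format `<file>:<line>:<col>[-<col>]: Error: <message>`, followed by the offending source line and a caret line; anything that does not match that shape is returned verbatim, as the commit says. The sample stderr strings are constructed.

```python
"""Dry-run an nftables ruleset with `nft -c -f` and parse its error output.

Added example, not VyOS code. Assumes nft's error line format:
    <file>:<line>:<col>[-<col>]: Error: <message>
followed by the offending source line and a caret line.
"""
from __future__ import annotations

import os
import re
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional

_NFT_ERROR_RE = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+):(?P<col>\d+)(?:-\d+)?:\s*Error:\s*(?P<msg>.*)$"
)

# Constructed stderr samples: one syntax error nft would locate, and one
# runtime-style error that carries no file:line:col prefix.
SAMPLE_STDERR = (
    "/tmp/vyos-firewall.nft:3:5-9: Error: syntax error, unexpected string\n"
    "    acept\n"
    "    ^^^^^\n"
)
SAMPLE_UNKNOWN = "Error: Could not process rule: Operation not permitted\n"


@dataclass
class NftError:
    file: str
    line: int
    column: int
    message: str
    source: Optional[str] = None  # offending line echoed by nft, if present


def parse_nft_errors(stderr: str) -> list[NftError]:
    """Extract structured errors; returns [] when nothing matches the known format."""
    errors: list[NftError] = []
    lines = stderr.splitlines()
    for i, text in enumerate(lines):
        m = _NFT_ERROR_RE.match(text)
        if m is None:
            continue
        source = None
        # nft echoes the offending source line directly after the error line
        if i + 1 < len(lines) and not _NFT_ERROR_RE.match(lines[i + 1]):
            source = lines[i + 1].strip() or None
        errors.append(NftError(m["file"], int(m["line"]), int(m["col"]), m["msg"].strip(), source))
    return errors


def format_errors(errors: list[NftError], stderr: str) -> str:
    """Render parsed errors for the CLI; fall back to raw output if unparsed."""
    if not errors:
        return stderr.strip()
    out = []
    for e in errors:
        msg = f"line {e.line}: {e.message}"
        if e.source:
            msg += f"  [{e.source}]"
        out.append(msg)
    return "\n".join(out)


def check_ruleset(ruleset: str) -> tuple[bool, str]:
    """Write the ruleset to a temp file and validate it with `nft -c -f`."""
    with tempfile.NamedTemporaryFile("w", suffix=".nft", delete=False) as tmp:
        tmp.write(ruleset)
        path = tmp.name
    try:
        proc = subprocess.run(["nft", "-c", "-f", path], capture_output=True, text=True)
    except FileNotFoundError:
        return False, "nft binary not available"
    finally:
        os.unlink(path)
    if proc.returncode == 0:
        return True, ""
    return False, format_errors(parse_nft_errors(proc.stderr), proc.stderr)


if __name__ == "__main__":
    print(format_errors(parse_nft_errors(SAMPLE_STDERR), SAMPLE_STDERR))
    print(check_ruleset("table inet filter {\n}\n"))
```

Only the parser is exercised offline; `check_ruleset` needs a host with nft installed and is where the temporary file from the commit message comes in.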
2024-08-01  T4072: firewall: extend firewall bridge capabilities, in order to include new chains, priorities, and firewall groups  [Nicolas Fort]
2024-08-01  Merge pull request #3221 from lucasec/t5873  [Christian Breunig]
    T5873: ipsec remote access VPN: support VTI interfaces.
2024-08-01  Merge pull request #3903 from lucasec/ipsec-remote-access-profile  [Christian Breunig]
    T6617: T6618: vpn ipsec remote-access: fix profile generators
2024-08-01  Merge pull request #3919 from sever-sever/T5657  [Christian Breunig]
    T5657: Add VRF support for zabbix-agent
2024-07-31  T5657: Add VRF support for zabbix-agent  [Viacheslav Hletenko]
    Starting the service under a VRF requires running it with User=root; otherwise it had issues with cgroups.
2024-07-31  ipsec: T6148: Removed unused imports (#3915)  [aapostoliuk]
    Removed unused pprint module
2024-07-30  Merge pull request #3902 from vyos/c-po-patch-1  [Christian Breunig]
    GitHub: T6560: action must be run on forked repo
2024-07-30  Merge pull request #3747 from sever-sever/T6486  [Christian Breunig]
    T6486: T6379: Rewrite generate openvpn client-config
2024-07-30  Merge pull request #3698 from talmakion/bugfix/T3334  [Christian Breunig]
    system: op-mode: T3334: allow delayed getty restart when configuring serial ports
2024-07-30  system: op-mode: T3334: replace some print() statements with Warning()  [Christian Breunig]
    Make the severity of his action more obvious to the user.
2024-07-30  system: op-mode: T3334: allow delayed getty restart when configuring serial ports  [Andrew Topp]
    * Created op-mode command "restart serial console"
    * Relocated service control to vyos.utils.serial helpers, used by conf- and op-mode serial console handling
    * Checking for logged-in serial sessions that may be affected by getty reconfig
    * Warning the user when changes are committed and serial sessions are active, otherwise restart services as normal. No prompts issued during commit, all config gen/commit steps still occur except for the service restarts (everything remains consistent)
    * To apply committed changes, user will need to run "restart serial console" to complete the process or reboot the whole router
    * Added additional flags and target filtering for generic use of helpers.
2024-07-30  T6572: trigger remote pr only for circinus pr merge (#3899)  [Vijayakumar A]
2024-07-30  Merge pull request #3883 from c-po/vrf-conntrack  [Christian Breunig]
    vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
2024-07-30  T6617: T6618: vpn ipsec remote-access: fix profile generators  [Lucas Christian]
2024-07-30  Merge pull request #3740 from talmakion/feature/T6430-vrf-direct  [Christian Breunig]
    pbr: T6430: Allow forwarding into VRFs by name as well as route table IDs
2024-07-30  pbr: T6430: refactor to use vyos.utils.network.get_vrf_tableid()  [Christian Breunig]
    Commit 452068ce78 ("interfaces: T6592: moving an interface between VRF instances failed") added a similar but more detailed implementation of get_vrf_table_id() that was added in commit adeac78ed of this PR. Move to the common available implementation.
2024-07-30  pbr: T6430: Allow forwarding into VRFs by name as well as route table IDs  [Andrew Topp]
    * PBR can only target table IDs up to 200 and the previous PR to extend the range was rejected
    * PBR with this PR can now also target VRFs directly by name, working around targeting problems for VRF table IDs outside the overlapping 100-200 range
    * Validation ensures rules can't target both a table ID and a VRF name (internally they are handled the same)
    * Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone(). It does not replace that usage, as it deliberately does not handle non-VRF interface lookups (would fail with a KeyError).
    * Added route table ID lookup dict, global route table and VRF table defs to vyos.defaults. Table ID references have been updated in code touched by this PR.
    * Added a simple smoketest to validate 'set vrf' usage in PBR rules
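The T6430 entry above describes three pieces: a runtime mapping from VRF name to route table ID that fails with KeyError for non-VRF interfaces, a PBR target that may be either a table ID or a VRF name but never both, and a table-ID range PBR can address. The block below is an added example of those rules written for this page, not the VyOS accessor itself. It assumes the table ID can be read from `ip -j link show type vrf` under `linkinfo.info_data.table`, and that the PBR-addressable range is 1 to 200 (the commit only states the upper bound). The JSON sample is constructed.

```python
"""Map VRF names to route table IDs and validate a PBR rule target.

Added example, not VyOS's own get_vrf_table_id(). Assumes the
`ip -j link show type vrf` JSON layout and a PBR table range of 1..200
(only the upper bound of 200 is stated in the commit).
"""
from __future__ import annotations

import json
import subprocess

PBR_TABLE_MIN, PBR_TABLE_MAX = 1, 200  # assumed addressable range for 'set table'

# Constructed stand-in for `ip -j link show type vrf`: VRF "blue" has a table
# ID outside the range a PBR 'set table' can reach.
SAMPLE_IP_JSON = json.dumps([
    {"ifindex": 5, "ifname": "red", "flags": ["UP"],
     "linkinfo": {"info_kind": "vrf", "info_data": {"table": 100}}},
    {"ifindex": 6, "ifname": "blue", "flags": ["UP"],
     "linkinfo": {"info_kind": "vrf", "info_data": {"table": 1000}}},
])


def vrf_table_map(ip_json: str) -> dict[str, int]:
    """Return {vrf_name: table_id}; non-VRF links are skipped rather than raising."""
    tables: dict[str, int] = {}
    for link in json.loads(ip_json):
        info = link.get("linkinfo", {})
        if info.get("info_kind") != "vrf":
            continue
        tables[link["ifname"]] = int(info["info_data"]["table"])
    return tables


def get_vrf_table_id(name: str, ip_json: str | None = None) -> int:
    """Runtime lookup of one VRF's table ID; KeyError if `name` is not a VRF."""
    if ip_json is None:
        ip_json = subprocess.run(
            ["ip", "-j", "link", "show", "type", "vrf"],
            capture_output=True, text=True, check=True,
        ).stdout
    tables = vrf_table_map(ip_json)
    if name not in tables:
        raise KeyError(f"{name!r} is not a VRF")
    return tables[name]


def resolve_pbr_target(rule: dict, vrf_tables: dict[str, int]) -> int:
    """Reduce a rule's 'set table' / 'set vrf' to a single table ID.

    Exactly one of the two keys must be present; a bare table ID must fall
    inside the PBR range, while a VRF name may resolve to any table ID.
    """
    has_table, has_vrf = "table" in rule, "vrf" in rule
    if has_table and has_vrf:
        raise ValueError("rule may set either 'table' or 'vrf', not both")
    if not (has_table or has_vrf):
        raise ValueError("rule must set 'table' or 'vrf'")
    if has_table:
        table = int(rule["table"])
        if not PBR_TABLE_MIN <= table <= PBR_TABLE_MAX:
            raise ValueError(
                f"table {table} outside {PBR_TABLE_MIN}-{PBR_TABLE_MAX}; target the VRF by name instead")
        return table
    if rule["vrf"] not in vrf_tables:
        raise ValueError(f"unknown VRF {rule['vrf']!r}")
    return vrf_tables[rule["vrf"]]


if __name__ == "__main__":
    tables = vrf_table_map(SAMPLE_IP_JSON)
    print(tables, resolve_pbr_target({"vrf": "blue"}, tables))
```

The validation runs at commit time against the same data the rendering code will use, so a rule cannot pass the check with one table ID and be rendered with another.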
2024-07-29  T6560: action must be run on forked repo  [Christian Breunig]
    In order to properly build and test the code that is to be "merged in", we need to run this action on the source branch of the PR (pull_request) and not the target branch of the PR (pull_request_target).
2024-07-29  Merge pull request #3898 from dmbaturin/T6620  [Christian Breunig]
    vyos.configtree: T6620: allow list_nodes() to work on non-existent paths
2024-07-29  vyos.configtree: T6620: allow list_nodes() to work on non-existent paths  [Daniil Baturin]
    and return an empty list in that case (handy for migration scripts and the like)
2024-07-29  Merge pull request #3804 from HollyGurza/T6362  [Daniil Baturin]
    T6362: Create conntrack logger daemon
2024-07-29  Merge pull request #3823 from srividya0208/T6571  [Daniil Baturin]
    OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
2024-07-29  Merge pull request #3895 from talmakion/bugfix/T4694/outbound-ipsec-migscript  [Daniil Baturin]
    firewall: T4694: incomplete node checks in migration script
2024-07-30  firewall: T4694: incomplete node checks in migration script  [Andrew Topp]
    This patch on #3616 will only attempt to fix ipsec matches in rules if the firewall config tree passed to migrate_chain() has rules attached.
2024-07-29  Merge pull request #3897 from indrajitr/typo-fix  [Christian Breunig]
    T6349: Fix typo in file name
2024-07-29  T6349: Fix typo in file name  [Indrajit Raychaudhuri]
2024-07-28  Merge pull request #3874 from c-po/unused-import  [Christian Breunig]
    smoketest: T6592: remove unused "import os"
2024-07-28  Merge pull request #3888 from c-po/op-mode-smoketest  [Christian Breunig]
    smoketest: T6614: initial support for op-mode command testing
2024-07-28  Merge pull request #3889 from c-po/syslog-smoketest  [Christian Breunig]
    smoketest: T5705: use locally connected remote syslog servers
2024-07-28  ipsec: T6148: Fixed reset command by adding init after terminating (#3763)  [aapostoliuk]
    Strongswan does not initiate session after termination via vici. Added a CHILD SA initialization on the initiator side of the tunnel.
2024-07-28  firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)  [talmakion]
    * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules
    * Add ipsec match-ipsec-out and match-none-out
    * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes)
    * Add the -out generators to rendered templates
    * Heavy modification to firewall config validators:
      * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain (via jump-target) - this always generates an error.
      * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches.
    * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-07-28  smoketest: T5705: use locally connected remote syslog servers  [Christian Breunig]
    As there has been no route to the configured syslog servers, smoketests produced:
        rsyslogd: omfwd: socket 8: error 101 sending via udp: Network is unreachable
    Rather use some fake syslog servers from 127.0.0.0/8 which are directly connected and we do not need to look up a route, which will suppress the above error message.
2024-07-27  smoketest: T6614: initial support for op-mode command testing  [Christian Breunig]
2024-07-27  Merge pull request #3879 from natali-rs1985/T5744-current  [Christian Breunig]
    op_mode: T5744: PKI import OpenVPN shared key includes unexpected BEGIN and END
2024-07-26  T5873: vpn ipsec remote-access: improve child ESP session naming  [Lucas Christian]
2024-07-26  T5873: vpn ipsec: ignore dhcp/vti settings when connection disabled  [Lucas Christian]
2024-07-26  T5873: vpn ipsec: re-write of ipsec updown hook  [Lucas Christian]
2024-07-26  vrf: T6603: improve code runtime when retrieving info from nftables vrf zone  [Christian Breunig]
2024-07-26  vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname  [Christian Breunig]
    When any of the following features NAT, NAT66 or Firewall is enabled, for every VRF on the CLI we install one rule into nftables for conntrack:
        chain vrf_zones_ct_in {
            type filter hook prerouting priority raw; policy accept;
            counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
            counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
            counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
        }
    This is superfluous.
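The T6603 entry above shows a chain holding three rules that differ only in their counters: the map lookup `ct original zone set iifname map @ct_iface_map` is the same in each, so one rule serves every VRF. The block below is an added example for this page, not VyOS code, of how to detect that condition from `nft -j` output: it ignores `counter` expressions when comparing rules and reports the handles of the repeats. The JSON sample is constructed to mirror the chain in the commit; the table name `vrf_zones` is an assumption, as the commit only names the chain.

```python
"""Find rules in an nftables chain that repeat an earlier rule's expression.

Added example, not VyOS code. Assumes the `nft -j list chain` JSON layout,
where each rule carries "family", "table", "chain", "handle" and "expr".
The table name 'vrf_zones' in the sample is an assumption.
"""
from __future__ import annotations

import json

# Constructed stand-in for `nft -j list chain ip vrf_zones vrf_zones_ct_in`,
# reproducing the three counter-only-different rules quoted in the commit.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"chain": {"family": "ip", "table": "vrf_zones", "name": "vrf_zones_ct_in",
               "handle": 1, "type": "filter", "hook": "prerouting",
               "prio": -300, "policy": "accept"}},
    *[{"rule": {"family": "ip", "table": "vrf_zones", "chain": "vrf_zones_ct_in",
                "handle": handle,
                "expr": [
                    {"counter": {"packets": packets, "bytes": nbytes}},
                    {"mangle": {"key": {"ct": {"key": "zone", "dir": "original"}},
                                "value": {"map": {"key": {"meta": {"key": "iifname"}},
                                                  "data": "@ct_iface_map"}}}},
                ]}}
      for handle, packets, nbytes in ((3, 3113, 32227), (4, 8550, 80739), (5, 5644, 67697))],
]})


def _rule_signature(rule: dict) -> str:
    """Canonical form of a rule's expression with counters dropped.

    Counters differ between otherwise identical rules but change nothing
    about what the rule matches or does, so they must not break equality.
    """
    return json.dumps([e for e in rule["expr"] if "counter" not in e], sort_keys=True)


def _rules_in_chain(nft_json: str, chain: str):
    for item in json.loads(nft_json)["nftables"]:
        rule = item.get("rule")
        if rule is not None and rule["chain"] == chain:
            yield rule


def find_duplicate_rules(nft_json: str, chain: str) -> list[int]:
    """Handles of rules whose expression repeats an earlier rule in `chain`."""
    seen: set[str] = set()
    duplicates: list[int] = []
    for rule in _rules_in_chain(nft_json, chain):
        sig = _rule_signature(rule)
        if sig in seen:
            duplicates.append(rule["handle"])
        else:
            seen.add(sig)
    return duplicates


def delete_commands(nft_json: str, chain: str) -> list[str]:
    """nft commands that remove the repeats and keep the first rule."""
    handles = set(find_duplicate_rules(nft_json, chain))
    return [
        f"nft delete rule {r['family']} {r['table']} {chain} handle {r['handle']}"
        for r in _rules_in_chain(nft_json, chain) if r["handle"] in handles
    ]


if __name__ == "__main__":
    print(find_duplicate_rules(SAMPLE_NFT_JSON, "vrf_zones_ct_in"))
    print("\n".join(delete_commands(SAMPLE_NFT_JSON, "vrf_zones_ct_in")))
```

Deleting by handle is the safe way to remove a single rule from a live ruleset; the handle is only stable for the current ruleset, so the listing and the delete should come from the same `nft` session or be re-read before deleting.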
2024-07-25  op_mode: T5744: PKI import OpenVPN shared key includes unexpected BEGIN and END  [Nataliia Solomko]
2024-07-25  OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers  [srividya0208]
2024-07-25  Merge pull request #3873 from c-po/podman  [Christian Breunig]
    Debian: T6598: depend on podman version >=4.9.5
2024-07-25  smoketest: T6592: remove unused "import os"  [Christian Breunig]
2024-07-25  Debian: T6598: depend on podman version >=4.9.5  [Christian Breunig]
2024-07-25  T6605: restore configd error formatting to be consistent with CLI (#3868)  [John Estabrook]
2024-07-25  Merge pull request #3857 from c-po/vrf-interface-part-2  [Christian Breunig]
    interface: T6592: remove interface from conntrack ct_iface_map on deletion
2024-07-24  Merge pull request #3856 from c-po/verify-vrf  [Christian Breunig]
    vrf: T6602: verify supplied VRF name on all interface types
2024-07-24  smoketest: T6592: verify no stale interface entries in conntrack ct_iface_map on deletion  [Christian Breunig]
    Now that interfaces are deleted from ct_iface_map during deletion it's time to also add a smoketest ensuring there is no entry in the ct_iface_map once an interface was deleted from the CLI.