summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-12-26firewall: T5834: Add support for default log for route policyIndrajit Raychaudhuri
One can now do `set policy route foo default-log` which will add log to the policy route chain.
2023-12-26firewall: T5834: Migration for 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
2023-12-26firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency.
2023-12-26Merge pull request #2691 from indrajitr/ddclient-update-20231224-02Christian Breunig
ddclient: T5144: Warn against configuration with broken IP lookup service
2023-12-26ddclient: T5144: Warn against configuration with broken IP lookup serviceIndrajit Raychaudhuri
We always enable HTTPS in ddclient configuration, however `http://checkip.dyndns.org` is HTTP only and does not support HTTPS. Warn the user if they are using this service. Also, make `url` in `web-options` mandatory.
2023-12-26Merge pull request #2686 from indrajitr/ddclient-update-20231224-01Christian Breunig
ddclient: T5144: Migrate web-options url to stricter format
2023-12-25Merge pull request #2689 from c-po/eee-t5311-t5566Daniil Baturin
ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces
2023-12-25ethernet: T5566: disable energy efficient ethernet (EEE) for interfacesChristian Breunig
VyOS is a routing (packet pushing) platform, thus supporting EEE which potentially causes issues is not a good idea. Some recent Intel drivers enable EEE by default, thus we will disable this for every NIC supporting EEE.
2023-12-25Merge pull request #2687 from c-po/lldp-snmp-t5855Christian Breunig
snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"
2023-12-25snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"Christian Breunig
2023-12-25snmp: T5855: add GPL license headerChristian Breunig
2023-12-25ddclient: T5144: Migrate web-options url to stricter formatIndrajit Raychaudhuri
Legacy ddclient allowed arbitrary URLs in web-options, but the new has stricter validations. Apply migration to the old URLs. Also migrate checkip.dyndns.org to https://domains.google.com/checkip for better TLS support.
2023-12-24ddclient: T5791: Adjust migration to normalize underscore in config namesIndrajit Raychaudhuri
2023-12-24Merge pull request #2682 from c-po/node-changed-t5837Christian Breunig
configdict: T5837: add support to return added nodes when calling node_changed()
2023-12-24Merge pull request #2683 from c-po/snmp-T5865Viacheslav Hletenko
snmp: 5856: fix service removal error
2023-12-24snmp: 5856: fix service removal errorChristian Breunig
When deleting SNMP from CLI the 'delete' key was not honored in the config dictionary, leading to a false process startup causing the following error: Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
2023-12-24configdict: T5837: add support to return added nodes when calling node_changed()Christian Breunig
In the past, node_changed() suggested it would also return nodes that got added (function comment) but in reality only deleted keys got accounted for. This commit changes the signature and adds an argument expand_nodes to specify the users interest of a node was deleted (default), added (expand_nodes=Diff.ADD) or even both (expand_nodes=Diff.ADD|Diff.DELETE).
2023-12-24T5837: cleanup use of calls to vyos.configdict.node_changed()Christian Breunig
node_changed() will return a list of changed keys under "path". We are not always interested what changed, sometimes we are only interested if something changed at all, that what vyos.configdict.is_node_changed() is for.
2023-12-24Merge pull request #2677 from sever-sever/T160Christian Breunig
T160: NAT64 add match firewall mark feature
2023-12-24T160: NAT64 add match firewall mark featureViacheslav Hletenko
Match mark allows to use firewall marks of packet to use a specific pool Example of instance config /run/jool/instance-100.json ``` ... "pool4": [ { "protocol": "TCP", "prefix": "192.0.2.10", "port range": "1-65535", "mark": 23 }, ... ```
2023-12-24veth: T5853: fix typo in constraintErrorMessagezero13th
2023-12-24Merge pull request #2679 from jestabro/allow-embedded-overrideChristian Breunig
xml: T5854: clear empty paths left by embedded override of defaultValue
2023-12-23xml: T5854: clear empty paths left by embedded override of defaultValueJohn Estabrook
2023-12-22Merge pull request #2676 from sever-sever/T5840Christian Breunig
T5840: Add override for systemd kea-ctrl-agent.service
2023-12-22T5840: Add override for systemd kea-ctrl-agent.serviceViacheslav Hletenko
After update KEA to 2.4.x in the bf04cd8fea44d375fb7d93d75a1f31c220730c88 there is a file that expects ConditionFileNotEmpty=/etc/kea/kea-api-password It cause the unit `kea-ctrl-agent.service` cannot start systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password) Override systemd kea-ctrl-agent.service do not check this file
2023-12-21dhcp: T3316: Update smoketest for hostname, DUID, MAC in reservationIndrajit Raychaudhuri
Also, have the smoketest start with a clean CLI instance.
2023-12-21dhcp: T3316: Apply migration for valid hostname, and identifier (DUID)Indrajit Raychaudhuri
2023-12-21dhcp: T3316: Support hostname, DUID and MAC address in reservationIndrajit Raychaudhuri
Reinstate support for hostname in DHCP reservation. Having `hostname` in allows for server-side assignment of hostname. This is useful for static lookup of hostname. Ensure that hostname is a valid FQDN (doesn't have underscore, etc.) Additionally, support using either of DUID or MAC address for reservation. While MAC address is typically used for IPv4, and DUID is typically used for IPv6, either of them can be used in IPv4 and IPv6 reservations in Kea.
2023-12-21T5781: use dynamic minisign key listKyleM
Updated image_installer.py to try and validate image with all minisign public keys in /usr/share/vyos/keys/
2023-12-21Merge pull request #2663 from c-po/srv6-part2Christian Breunig
srv6: T591: enable SR enabled packet processing on defined interfaces
2023-12-21Merge pull request #2665 from c-po/ndp-proxyChristian Breunig
T2898: add ndp-proxy service
2023-12-21Merge pull request #2670 from indrajitr/duid-refactor-T5846-3Christian Breunig
dhcp: T5846: Ensure DUID regex range is bound
2023-12-21dhcp: T5846: Ensure DUID regex range is boundIndrajit Raychaudhuri
The DUID regex was missing a lower bound, which could cause it not to match when it should. We have to specify the lower bound explicitly as 0 to keep the regex behavior similar to that in Python (in Python, omitting the lower bound is equivalent to specifying 0).
2023-12-21Merge pull request #2668 from c-po/currentChristian Breunig
frr: T4020: re-enable watchfrr in config as it is always running
2023-12-21Merge pull request #2667 from indrajitr/duid-refactor-T5846-2Christian Breunig
dhcp: T5846: Fix include path
2023-12-21frr: T4020: re-enable watchfrr in config as it is always runningChristian Breunig
2023-12-21dhcp: T5846: Fix include pathIndrajit Raychaudhuri
2023-12-21Merge pull request #2664 from indrajitr/duid-refactor-T5846Christian Breunig
dhcp: T5846: Refactor and simplify DUID definition
2023-12-21dhcp: T5846: Refactor and simplify DUID definitionIndrajit Raychaudhuri
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove explicit call to a separate validator `ipv6-duid` and inline the regex into the XML definition.
2023-12-20T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } }
2023-12-20srv6: T591: enable SR enabled packet processing on defined interfacesChristian Breunig
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables: seg6_enabled - BOOL Accept or drop SR-enabled IPv6 packets on this interface. Relevant packets are those with SRH present and DA = local. 0 - disabled (default) not 0 - enabled Or the VyOS CLI command: * set protocols segment-routing interface eth0 srv6
2023-12-20vrf: T591: define sysctl setting for net.vrf.strict_modeChristian Breunig
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device. A VRF table can be used by the VyOS CLI only once (ensured by verify()), this simply adds an additional Kernel safety net, but a requirement for IPv6 segment routing headers.
2023-12-20Merge pull request #2661 from dmbaturin/T5844Viacheslav Hletenko
Allow the HTTPS API server to start without any configured keys when GraphQL JWT auth is configured
2023-12-20https api: T5844: allow the server to start without API keysDaniil Baturin
and use only PAM auth and JWT
2023-12-20https api: T5844: issue a warning about the classic API unavailabilityDaniil Baturin
when no API keys are set
2023-12-20T5801: Rewritten L2TP to get_config_dictaapostoliuk
Rewritten L2TP to get_config_dict Rewritten L2TP xml to accel-ppp patterns Migrated 'idle' to 'ppp-options.lcp-echo-timeout' Migrated 'authentication.mppe' to 'ppp-options.mppe' Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author' Migrated 'authentication.require' to 'authentication.protocol' Added 'authentication.radius.acct-interim-jitter' Added 'authentication.radius.preallocate-vif' Added 'authentication.radius.server.<IP>.acct-port' Added 'ppp-options.ipv4' Added smoke-tests Fixed 'preallocate-vif' in SSTP
2023-12-19Merge pull request #2643 from mcbridematt/t5828-grub-arm64-fixDaniil Baturin
T5828: fix grub installation on arm64-efi machines
2023-12-19smoketest: bgp: T4163: use explicit kill to respawn bgpd processChristian Breunig
2023-12-19smoketest: bgp: T4163: add explicit timeout when starting BMPChristian Breunig
2023-12-19Revert "smoketest: bgp: temporary disable BMP test"Christian Breunig
This reverts commit 7036c761e74bcd48e3ba714dec4545208ee0e313.