summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-01-04ssh: T2651: extend verify() when both source-address and source-interface is ↵Christian Poessinger
used We need to ensure that source-address is assigned on source-interface before applying the configuration, else SSH client will have a hard time talking to someone.
2023-01-04ssh: T2651: add source-interface support ssh-clientChristian Poessinger
2023-01-04ssh: T2651: use Debian style include directve for ssh_config.dChristian Poessinger
Commit 846e306700a ("ssh: T2651: add cli options for source address") added support for a basic SSH client option, but it grabbed the entire /etc/ssh/ssh_config file without the ability to make custom user adjustments via the /etc/ssh/ssh_config.d/ folder. This vommit places the VyOS SSH options under /etc/ssh/ssh_config.d/ leaving the common override system alive.
2023-01-04qos: T4284: bugfix fair-queue queue-limit rangeChristian Poessinger
2023-01-04qos: T4284: replace qdisc/class instead of always adding itChristian Poessinger
This makes transitions/updates faster and less error prone
2023-01-04qos: T4284: add bandwidth percentage valueChristian Poessinger
2023-01-04T1237: Fix failover route install route with diff metricsViacheslav Hletenko
If there is no route in the routing table (requires install route) it checks routing table and returns best route None But if we have 2 routes to the same dest ip but with different metrics it doesn't get None (not first route install) It cause that bast metric route cannot be installed (wrong logic) Add func "is_route_exists" and check route/gateway/metric for the required route
2023-01-04Merge pull request #1735 from sever-sever/T4904Viacheslav Hletenko
T4904: keepalived virtual-server allow multiple ports with fwmark
2023-01-03Merge pull request #1729 from jestabro/cache-diffJohn Estabrook
configdiff: T4900: cache diff_tree/diff_dict in Config instance
2023-01-03Merge pull request #1736 from sever-sever/T4907Christian Poessinger
T4907: op-mode nat add missing option verbose
2023-01-03T4907: op-mode nat add missing option verboseViacheslav Hletenko
Add missing option "verbose" for op-mode NAT
2023-01-02xml: qos: T4284: fix DSCP CLI valuesChristian Poessinger
2023-01-02T4904: keepalived virtual-server allow multiple ports with fwmarkViacheslav Hletenko
Allow multiple ports for high-availability virtual-server The current implementation allows balance only one "virtual" address and port between between several "real servers" Allow matching "fwmark" to set traffic which should be balanced Allow to set port 0 (all traffic) if we use "fwmark" Add health-check script set high-availability virtual-server 203.0.113.1 fwmark '111' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
2023-01-02Merge pull request #1725 from sever-sever/T4893Christian Poessinger
T4893: Add ppp-options ipv6-interface-id for L2TP
2023-01-02smoketest: T4284: remove qos from dialup-router-medium-vpnChristian Poessinger
qos config migration is tested using qos-basic example config file.
2023-01-01qos: T4284: migrate percentaged bandwidth to absolute value in bit/sChristian Poessinger
2023-01-01Merge pull request #1663 from c-po/t4284-qosChristian Poessinger
QoS: T4284: re-implementation using XML and Python
2023-01-01qos: T2721: set fq-codel as default leaf qdisc for shaperChristian Poessinger
Set fq-codel as the default queuing discipline for the shaper traffic-policy if queue-type has not been configured. fq-codel has been the default qdisc for OpenWRT as well as systemd (and thus various linux distributions) for a decent while now. It has proven itself to be a highly effective qdisc for fighting bufferbloat whilst maintaining high link utilization. The combination of HTB + fq-codel has also seen wide deployment in cases when additional traffic classification and/or rate/burst management is required. This change will allow the configuration of a shaper traffic-policy with suitable defaults, saving the pain of having to specify fq-codel as a queue-type for every class.
2023-01-01qos: T4284: first implementation introducing a new vyos.qos moduleChristian Poessinger
2023-01-01qos: T4284: xml: fix path for completion helperChristian Poessinger
2023-01-01qos: T4284: activate new Python backendChristian Poessinger
2022-12-30ci: T4748: add a small delay to the PR title check to ensure that it gets a ↵Daniil Baturin
complete, finalized PR object from GitHub
2022-12-30dummy: T4898: add missing IPv6 options for smoketestsChristian Poessinger
2022-12-30smoketest: dummy: T4898: enable MTU testcaseChristian Poessinger
2022-12-30configdiff: T4900: cache diff_tree and diff_dict in Config instanceJohn Estabrook
2022-12-30T4748: Clarify the invalid PR object messageDaniil Baturin
2022-12-30T4893: Add ppp-options ipv6-interface-id for L2TPViacheslav Hletenko
Add ppp-options IPv6 interface id for vpn L2TP - fixed or random interface identifier for IPv6 - peer interface identifier for IPv6 - whether to accept peer’s interface identifier set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id set vpn l2tp remote-access ppp-options ipv6-intf-id 'random' set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
2022-12-30Merge pull request #1726 from vfreex/vxlan-fix-rebuildChristian Poessinger
T4897: vxlan: Fix setting `source-address` and `source-interface`
2022-12-30T4897: Fix virtual interface rebuild checksYuxiang Zhu
`leaf_node_changed` returns `[]` (empty list) after a leaf node is added. e.g. Setting `source-interface` doesn't work on an existing vxlan interface. Steps to reproduce: - Add a vxlan interface without `source-address` or `source-interface` options set: ``` set interfaces vxlan vxlan999 vni 999 set interfaces vxlan vxlan999 remote 192.168.100.100 commit ``` - Then set `source-address` or `source-interface`: ``` set interfaces vxlan vxlan999 source-interface eth0 commit ``` Actual result: Source address or source-interface are not set: ``` ip -d link show dev vxlan999 76: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 56:08:ba:4d:4e:a8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 vxlan id 999 remote 192.168.100.100 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 ``` Expected result: ``` 77: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 9e:05:d9:58:1a:af brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 vxlan id 999 remote 192.168.100.100 dev eth0 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 ``` All invocations of leaf_node_changed() should be migrated to is_node_changes() if you are only interested in if something changed and don‘t care what exactly changed (content).
2022-12-30pseudo-ethernet: T4391: use is_node_changed() over error prone ↵Christian Poessinger
leaf_node_changed() We only need to use leaf_node_changed() if we are interested in the detailed change to a CLI node (what was the previous content). If we are only interested in if a node changed "at all" is_node_changed() should be used.
2022-12-30tunnel: T4391: use is_node_changed() over error prone leaf_node_changed()Christian Poessinger
We only need to use leaf_node_changed() if we are interested in the detailed change to a CLI node (what was the previous content). If we are only interested in if a node changed "at all" is_node_changed() should be used.
2022-12-30geneve: T4366: use is_node_changed() over error prone leaf_node_changed()Christian Poessinger
We only need to use leaf_node_changed() if we are interested in the detailed change to a CLI node (what was the previous content). If we are only interested in if a node changed "at all" is_node_changed() should be used.
2022-12-30Merge pull request #1727 from vfreex/dummy-mtuChristian Poessinger
T4898: Add mtu config option for dummy interfaces
2022-12-29T4898: Add mtu config option for dummy interfacesYuxiang Zhu
I use dummy interfaces in a VRF as source-interfaces for VXLAN in order to force VXLAN send underlay UDP traffic through the VRF where the dummy interface resides. However dummy interface has no mtu option so it always gets an MTU of 1500. This will cause an error when the mtu of dummy is not large enough for the VXLAN traffic. Adding this option in the config template will solve this.
2022-12-27strongSwan: T4593: add charon-systemd runtime dependencyChristian Poessinger
2022-12-27strongSwan: upgrade scripts to work with package version 5.9.8Christian Poessinger
2022-12-26static: T4883: add a description field for routing tablesDaniil Baturin
2022-12-25container: T2216: use defaultValue XML definition to define port protocolChristian Poessinger
Instead of hardcoding the default protocol as TCP in the Python script we shall use the XML based defaultValue approach instead. This also automatically exports the default to the CLI completion helper.
2022-12-25container: T2216: add verify() for port definitionChristian Poessinger
If port is specified on the CLI so must be source and destination under the port node.
2022-12-24container: T4870: remove manual user interaction during storage migrationChristian Poessinger
Commit 60c80df4 ("container: T4870: bump package version 0 -> 1 for filesystem change") introduced a fundamental change in the container storage driver that required a manual migration step from the user to not loose any data. This commit removes the manual user interaction and temporary exports the container images and re-imports them after the filesystem got changed. The only things that get lost are orphaned container images no longer referenced by the CLI - thats an adequate trade-off as those images can always be re-added to the system.
2022-12-24T4893: Move ppp-opt ipv6-intf-id to include section accel-pppViacheslav Hletenko
Move PPPoE-server ppp-options XML ipv6-intf-id to 'include' section accel-ppp It allows to use the same code for different accel-ppp services
2022-12-24container: T4870: update to overlay2 driverChristian Poessinger
overlay2 is the preferred storage driver for all currently supported Linux distributions, and requires no extra configuration.
2022-12-23Merge pull request #1724 from sarthurdev/fw_macChristian Poessinger
firewall: T2199: Add mac-address match to destination side
2022-12-23firewall: T2199: Fix typo in `rule-log-level.xml.i` headersarthurdev
2022-12-23firewall: T2199: Add mac-address match to `destination` sidesarthurdev
2022-12-23container: T4870: bump package version 0 -> 1 for filesystem changeChristian Poessinger
move from vfs to overlay driver The following pre iage upgrade script must be executed to have containers after the reboot: for pod in $(cli-shell-api listActiveNodes container name); do systemctl stop vyos-container-${pod//\'}.service done sed -i 's/vfs/overlay/g' /etc/containers/storage.conf /usr/share/vyos/templates/container/storage.conf.j2 rm -rf /usr/lib/live/mount/persistence/container/storage/libpod for pod in $(cli-shell-api listActiveNodes container name); do image=$(cli-shell-api returnActiveValue container name ${pod//\'} image) podman image pull $image systemctl start vyos-container-${pod//\'}.service done for dir in vfs vfs-containers vfs-images vfs-layers; do rm -rf /usr/lib/live/mount/persistence/container/storage/$dir done
2022-12-23Merge pull request #1702 from TGNThump/patch-1Christian Poessinger
container: T4870: Update podman to use overlay storage driver
2022-12-23ipsec: T4594: drop old show_ipsec_sa.py in favor of new implementation in ↵Christian Poessinger
ipsec.py
2022-12-23containers: T4585: remove redundant sudo calls in op-mode scriptChristian Poessinger
2022-12-23ipsec: T2816: do not explicitly call intepreter for python scriptChristian Poessinger
Our python scripts use the shebang logic to set an intepreter - we should rely on this and not use an external interpreter in front of the helper.