Age | Commit message | Author
2024-02-06 | T5921: Fix OpenConnect verify for local users | Viacheslav Hletenko
Fix verify error for the VPN OpenConnect configuration with local authentication and without any user:

```
  File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify
    if not ocserv["authentication"]["local_users"]:
KeyError: 'local_users'
```

(cherry picked from commit 71644dfed63f6248525db3c3bc9493c059707a2a)
2024-02-06 | Merge pull request #2942 from srividya0208/debug-ipsec | Viacheslav Hletenko
op-mode:T6015:Fix for charon file generated by ipsec debug script
2024-02-06 | op-mode:T6015:Fix the charon file generated by ipsec debug script | srividya0208
2024-02-06 | Merge pull request #2939 from vyos/mergify/bp/sagitta/pr-2936 | Christian Breunig
rpki: T6011: known-hosts-file is no longer supported by FRR (backport #2936)
2024-02-06 | rpki: T6011: known-hosts-file is no longer supported by FRR | Christian Breunig
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
2024-02-05 | Merge pull request #2938 from vyos/mergify/bp/sagitta/pr-2937 | John Estabrook
T6018: adjust smoketest for update to FastAPI web framework (backport #2937)
2024-02-05 | T6018: adjust smoketest for update to FastAPI web framework | John Estabrook
(cherry picked from commit e1b63b9b1704a55ccbf75e7131651c85dd318107)
2024-02-03 | Merge pull request #2934 from vyos/mergify/bp/sagitta/pr-2932 | Christian Breunig
ipsec: T5998: add replay-windows setting (backport #2932)
2024-02-03 | ipsec: T5998: add replay-windows setting | Christian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this.

* set vpn ipsec site-to-site peer <name> replay-window <0-2040>

(cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
2024-02-03 | Merge pull request #2933 from vyos/mergify/bp/sagitta/pr-2931 | Christian Breunig
configdict: T5894: preserve old behavior when dealing with PKI (backport #2931)
2024-02-03 | configdict: T5894: preserve old behavior when dealing with PKI | Christian Breunig
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki") added the generic PKI flag, but if there was no PKI subsystem available in the configuration, no pki dict key ever manifested in the resulting dictionary requested by the caller. This is different to the old behavior (where each caller implemented the call itself), in which there always was a pki key present - even if it was empty. This triggered a bug in the IPSec script:

```
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module>
    verify(ipsec)
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify
    verify_pki_rsa(ipsec['pki'], rsa)
                   ~~~~~^^^^^^^
KeyError: 'pki'
```

As it wanted to verify keys, but there was no pki dictionary key available. This commit restores the previous behavior.

(cherry picked from commit 9b56a86def674886721a367c02371f9da65c3fd3)
2024-02-02 | Merge pull request #2930 from vyos/mergify/bp/sagitta/pr-2748 | Christian Breunig
qos: T5848: Add triple-isolate option to CAKE policy config (backport #2748)
2024-02-02 | qos: T5848: improve flow-isolation help strings | Christian Breunig
(cherry picked from commit 762be96f45bb1d9705e45ff554ad483c9d4e10ff)
2024-02-02 | qos: T5848: Add triple-isolate option to CAKE policy config | Matthew Kobayashi
(cherry picked from commit 61342083d7db8c30d015474fae5cb71f480487d8)
2024-02-02 | Merge pull request #2929 from vyos/mergify/bp/sagitta/pr-2927 | Viacheslav Hletenko
container: T5955: add uid/gid settings (backport #2927)
2024-02-02 | smoketest: T5955: verify container uid/gid setting | Christian Breunig
(cherry picked from commit faa4c87d93c7808c6a4edd8eddd29049ec8ec3fa)
2024-02-02 | container: T5955: allow setting uid/gid | Piotr Maksymiuk
(cherry picked from commit 52e9707a43290f5f826766e2c42c5f0db3c9adec)
2024-02-02 | Merge pull request #2928 from vyos/mergify/bp/sagitta/pr-2891 | Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
2024-02-02 | Merge pull request #2921 from vyos/mergify/bp/sagitta/pr-2903 | Viacheslav Hletenko
dns forwarding: T5687: Implement ECS settings for PowerDNS recursor (backport #2903)
2024-02-02 | Merge pull request #2926 from indrajitr/sagitta-ddclient-T5966 | Christian Breunig
ddclient: T5966: Adjust dynamic dns config address subpath (manual backport #2860)
2024-02-02 | T5971: Rewritten ppp options in accel-ppp services | aapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP.

(cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
2024-02-01 | op-mode: T5966: Ensure top level property to avoid empty node | Indrajit Raychaudhuri
Since we don't have op-mode operation for 'dns dynamic' anymore, we need to add a top level property to avoid empty `templates-op/update/node.def`.
2024-02-01 | ddclient: T5966: Streamline dynamic dns op-mode configuration | Indrajit Raychaudhuri
Update op-mode for dynamic dns to standardize on `vyos.opmode`. All methods of `op_mode/dns_dynamic.py` are now available in standardized `op_mode/dns.py`.

Move op-mode command `update dns dynamic` to `reset dns dynamic` to reflect that it is not an update but a reset of the dynamic dns service.

Also, make the help texts more consistent for all op-mode commands for `dns dynamic` and `dns forwarding`.
2024-02-01 | T2719: Add 'update' in standard op-mode function list | Indrajit Raychaudhuri
2024-02-01 | ddclient: T5966: Update smoketest for dynamic dns config subpath change | Indrajit Raychaudhuri
2024-02-01 | ddclient: T5966: Migration script for dynamic dns config subpath change | Indrajit Raychaudhuri
2024-02-01 | ddclient: T5966: Adjust dynamic dns config address subpath | Indrajit Raychaudhuri
Modify the dynamic dns configuration 'address' subpath for better clarity on how the address is obtained. Additionally, remove `web-options` and fold those options under the path `address web`.
2024-02-01 | Merge pull request #2925 from vyos/mergify/bp/sagitta/pr-2897 | Christian Breunig
T5989 fix: Add ipv4-prefix as a valid option for UPnP ACLs. (backport #2897)
2024-02-01 | Merge pull request #2924 from vyos/mergify/bp/sagitta/pr-2756 | Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
2024-02-01 | smoketest: T5687: simplify "dns forwarding" test setup | Christian Breunig
Commit eb76729d6324 ("dns forwarding: T5687: Implement ECS settings for PowerDNS recursor") added a helper "_set_required_options()" method to reduce duplicate code when setting up the base interface test. This refactors the test class to call this code always in setUp() so we have it written only once.

(cherry picked from commit 112376a4ccb96ceee647a4cba5c4f131597b0ea4)
2024-02-01 | dns forwarding: T5687: add missing constraints on ecs-add-for CLI node | Christian Breunig
Completion help suggests only IPv4 and IPv6 prefixes are supported, thus add a proper constraint enforcing this.

(cherry picked from commit 049560725b93de49ec2d5a779e391e61d568ceb6)
2024-02-01 | dns forwarding: T5687: Implement ECS settings for PowerDNS recursor | khramshinr
Fix option descriptions

(cherry picked from commit c4b6c156549ea03262793c78532c2456e8713b81)
2024-02-01 | dns forwarding: T5687: Implement ECS settings for PowerDNS recursor | khramshinr
(cherry picked from commit eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f)
2024-02-01 | Merge pull request #2922 from vyos/mergify/bp/sagitta/pr-2854 | Christian Breunig
dns: T5959: Streamline dns forwarding service (backport #2854)
2024-02-01 | upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLs | Chris Buechler
(cherry picked from commit 0307801b8928bbaaa20caf5bd10b928bae459490)
2024-02-01 | T4839: firewall: Add dynamic address group in firewall configuration, and appropriate commands to populate such groups using source and destination address of the packet. | Nicolas Fort
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01 | Merge pull request #2916 from vyos/mergify/bp/sagitta/pr-2832 | Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
2024-02-01 | dns: T5959: Avoid using reserved ports for testing | Indrajit Raychaudhuri
For example, port 5353 is reserved for multicast DNS; this means tests will fail if the host running the tests is also running an mDNS server.

(cherry picked from commit 22c8bea36da0a546abcc528dc12a97cd6a0c3b10)
2024-02-01 | dns: T5959: Streamline dns forwarding service | Indrajit Raychaudhuri
Streamline configuration and operation of dns forwarding service in following ways:

- Remove `dns_forwarding_reset.py` as its functionality is now covered by `dns.py`
- Adjust function names in `dns.py` to disambiguate between DNS forwarding and dynamic DNS
- Remove `dns_forwarding_restart.sh` as its functionality is inlined in `dns-forwarding.xml`
- Templatize systemd override for `pdns-recursor.service` and move the generated override files in /run. This ensures that the override files are always generated afresh after boot
- Simplify the systemd override file by removing the redundant overrides
- Relocate configuration path for pdns-recursor to `/run/pdns-recursor` and utilize the `RuntimeDirectory` default that pdns-recursor expects
- We do not need to use custom `--socket-dir` path anymore, the default path (viz., `/run/pdns-recursor`) is fine

(cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)
2024-02-01 | dns: T4578: Remove unnecessary dns forwarding statistics script | Indrajit Raychaudhuri
(cherry picked from commit 119efb6d8d353482d598287f49e22aa68a22e960)
2024-02-01 | Merge pull request #2919 from vyos/mergify/bp/sagitta/pr-2883 | Christian Breunig
T5974: Fix QoS shape bandwidth and ceil calculation for default (backport #2883)
2024-02-01 | Merge pull request #2915 from vyos/mergify/bp/sagitta/pr-2914 | Christian Breunig
bgp: T5930: Denied using rt vpn 'export/import' with 'both' together (backport #2914)
2024-02-01 | Merge pull request #2917 from vyos/mergify/bp/sagitta/pr-2890 | Christian Breunig
T5941: Migration policy delete orphaned interface policy (backport #2890)
2024-02-01 | Merge pull request #2918 from vyos/mergify/bp/sagitta/pr-2892 | Christian Breunig
T5941: Migration QoS delete orphaned interface traffic-policy (backport #2892)
2024-02-01 | T5974: Fix QoS shape bandwidth and ceil calculation for default | Viacheslav Hletenko
The default `bandwidth` and `ceiling` should calculate values based on <tag> bandwidth, but currently it gets the value from qos.base `/sys/class/net/{self._interface}/speed`:

```
set qos policy shaper SHAPER bandwidth '20mbit'
set qos policy shaper SHAPER default bandwidth '95%'
set qos policy shaper SHAPER default ceiling '100%'
```

It causes wrong calculations for class `default`, i.e. 950Mbit for bandwidth (expected 95% of bandwidth, 19Mbit) and 1Gbit for ceil (expected 100% of bandwidth, 20Mbit).

Gets incorrect values:

```
r4# tc class show dev eth1
class htb 1:1 root rate 20Mbit ceil 20Mbit burst 1600b cburst 1600b
class htb 1:a parent 1:1 leaf 8053: prio 0 rate 200Kbit ceil 200Kbit burst 1Mb cburst 1600b
class htb 1:b parent 1:1 leaf 8054: prio 7 rate 950Mbit ceil 1Gbit burst 15200b cburst 1375b
```

Fix this

(cherry picked from commit 6ddfe6328e1cbdde1b70763b39e3a87f8374755a)
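Added example, not VyOS code and not part of the commit above: the percent-resolution logic the commit message describes, with the old reference (interface link speed) and the fixed reference (the policy's own bandwidth) side by side, plus the sanity check that catches the symptom (a child class whose ceil exceeds the root rate). The function names `parse_rate`, `resolve_rate`, `htb_classes` and `verify_classes`, the dict layout of the policy, the extra class `10` and the 1 Gbit/s link speed are all assumptions constructed here to match the `tc class show` output in the message.

```python
"""Resolve HTB class rate/ceil for a shaper policy (added example, not VyOS code)."""
import re

# tc-style rate suffixes to bits per second; assumption: only these four are used
_UNITS = {'bit': 1, 'kbit': 10 ** 3, 'mbit': 10 ** 6, 'gbit': 10 ** 9}


def parse_rate(value: str) -> int:
    """'20mbit' -> 20_000_000 bit/s; raises ValueError on anything else."""
    m = re.fullmatch(r'\s*(\d+(?:\.\d+)?)\s*([kmg]?bit)\s*', value.lower())
    if not m:
        raise ValueError(f'unsupported rate: {value!r}')
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def resolve_rate(value: str, reference_bps: int) -> int:
    """Resolve an absolute rate, or 'NN%' of reference_bps, to bit/s."""
    v = value.strip()
    if v.endswith('%'):
        pct = float(v[:-1])
        if not 0 < pct <= 100:
            raise ValueError(f'percentage out of range: {value!r}')
        return int(reference_bps * pct / 100)
    return parse_rate(v)


def htb_classes(policy: dict, link_speed_bps: int, buggy: bool = False) -> dict:
    """Return {class_name: (rate_bps, ceil_bps)} for every class in `policy`.

    `policy` mirrors `set qos policy shaper <name> ...` (assumed layout):
        {'bandwidth': '20mbit',
         'class': {'default': {'bandwidth': '95%', 'ceiling': '100%'}, ...}}
    The policy-level bandwidth is resolved against the link speed. With
    buggy=True the class percentages are also resolved against the link
    speed (the pre-fix behaviour); otherwise against the policy bandwidth.
    """
    root_bps = resolve_rate(policy['bandwidth'], link_speed_bps)
    reference = link_speed_bps if buggy else root_bps
    classes = {}
    for name, cls in policy.get('class', {}).items():
        rate = resolve_rate(cls['bandwidth'], reference)
        # ceiling falls back to the class bandwidth when it is not set
        ceil = resolve_rate(cls.get('ceiling', cls['bandwidth']), reference)
        classes[name] = (rate, ceil)
    return classes


def verify_classes(policy: dict, link_speed_bps: int, buggy: bool = False) -> list:
    """Names of classes that promise more than the parent can deliver:
    ceil above the root rate, or rate above the class's own ceil."""
    root_bps = resolve_rate(policy['bandwidth'], link_speed_bps)
    bad = []
    for name, (rate, ceil) in htb_classes(policy, link_speed_bps, buggy).items():
        if ceil > root_bps or rate > ceil:
            bad.append(name)
    return bad


# Constructed sample: 20 Mbit/s policy on a 1 Gbit/s link, as in the commit
# message; class '10' is an assumed extra class with an absolute rate.
SAMPLE_POLICY = {
    'bandwidth': '20mbit',
    'class': {
        '10': {'bandwidth': '200kbit'},
        'default': {'bandwidth': '95%', 'ceiling': '100%'},
    },
}
LINK_SPEED = 10 ** 9


if __name__ == '__main__':
    for mode in (True, False):
        label = 'link-speed reference (bug)' if mode else 'policy reference (fix)'
        print(label, htb_classes(SAMPLE_POLICY, LINK_SPEED, buggy=mode),
              'violations:', verify_classes(SAMPLE_POLICY, LINK_SPEED, buggy=mode))
```

With `buggy=True` the default class comes out as 950 Mbit/s rate and 1 Gbit/s ceil, exactly the `class htb 1:b` line in the message; with the policy bandwidth as reference it is 19 Mbit/s and 20 Mbit/s. `verify_classes` is the check a practitioner would want in a `verify()` step: a child ceil above the root rate is never intended in an HTB shaper and flags this class of bug before `tc` is ever called.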
2024-02-01 | T5941: Migration QoS delete orphaned interface traffic-policy | Viacheslav Hletenko
We can get an orphaned interface traffic-policy when the traffic-policy name is removed from the interface, but the node `traffic-policy` is still attached to the interface. For example we have orphaned node traffic-policy on an interface:

```
set interfaces bonding bond0 vif 995 traffic-policy
```

This causes an incorrect migration and we do not see VLANs on the bonding interface after update. Delete traffic-policy from all interfaces if traffic-policy does not exist.

(cherry picked from commit ca43e517408168ad1f12a3e5bc6f2d97f510faee)
2024-02-01 | T5941: Migration policy delete orphaned interface policy | Viacheslav Hletenko
We can get an orphaned interface policy when the policy name was removed from the interface, but the node `policy` is still attached to the interface. For example we have orphaned node policy on an interface:

```
set interfaces bonding bond0 vif 995 policy
```

This causes an incorrect migration and we do not see VLANs on the bonding interface after update. Delete policy from all interfaces if policy does not exist.

(cherry picked from commit 53670e1fb201cf1d27b01b4bc796ff097f82552d)
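Added example, not VyOS code and not the migration script from either T5941 commit above: one pruning pass that covers both cases, the `traffic-policy` node and the `policy` node, including the empty container node (`... vif 995 traffic-policy` with no children) that the commits describe. A nested dict stands in for the config tree so the walk runs stand-alone; the dict layout, the sample config, and the names `policy_exists` and `prune_orphans` are assumptions for this example, as is the lookup rule that `policy <kind> <name>` is resolved by kind while a `traffic-policy` name may live under any policy type.

```python
"""Drop interface policy references to policies that no longer exist
(added example, not VyOS code; a nested dict stands in for the config tree)."""
from copy import deepcopy

# Interface-level nodes whose children reference a policy by name.
INTERFACE_POLICY_NODES = ('policy', 'traffic-policy')


def policy_exists(config: dict, node: str, child: str, name: str) -> bool:
    """Does the referenced policy exist at the top level of `config`?

    Assumed lookup rule: `policy <kind> <name>` (kind = route, ipv6-route)
    is resolved under that kind; a traffic-policy name may live under any
    traffic-policy type (shaper, fq-codel, ...).
    """
    subtree = config.get(node, {})
    if node == 'policy':
        return name in subtree.get(child, {})
    return any(name in names for names in subtree.values())


def prune_orphans(config: dict):
    """Return (pruned_config, removed_paths) without modifying the input.

    Dangling references are deleted, and so is a policy node left with no
    children; both forms are reported as space-joined config paths.
    """
    config = deepcopy(config)
    removed = []

    def walk(node: dict, path: list):
        for key in list(node):
            value = node[key]
            if key in INTERFACE_POLICY_NODES:
                if not isinstance(value, dict):
                    continue
                for child, name in list(value.items()):
                    if not policy_exists(config, key, child, name):
                        removed.append(' '.join(path + [key, child, name]))
                        del value[child]
                if not value:  # orphaned container node, e.g. vif 995 traffic-policy
                    removed.append(' '.join(path + [key]))
                    del node[key]
            elif isinstance(value, dict):
                walk(value, path + [key])  # interface types, names, vif/vif-s/vif-c

    walk(config.get('interfaces', {}), ['interfaces'])
    return config, removed


# Constructed sample config: one empty traffic-policy node (the case from the
# commits), one dangling traffic-policy name, one dangling policy kind, and
# two references that are valid and must survive.
SAMPLE_CONFIG = {
    'interfaces': {
        'bonding': {
            'bond0': {
                'vif': {
                    '995': {'address': ['192.0.2.1/24'], 'traffic-policy': {}},
                    '996': {'traffic-policy': {'out': 'SHAPER'}},
                },
            },
        },
        'ethernet': {
            'eth0': {'policy': {'route': 'PBR', 'ipv6-route': 'MISSING6'}},
            'eth1': {'traffic-policy': {'out': 'GONE'}},
        },
    },
    'traffic-policy': {'shaper': {'SHAPER': {'bandwidth': '20mbit'}}},
    'policy': {'route': {'PBR': {'rule': {}}}},
}


if __name__ == '__main__':
    _, removed = prune_orphans(SAMPLE_CONFIG)
    for path in removed:
        print('delete', path)
```

The walk only descends into `interfaces`, so the top-level `policy` and `traffic-policy` subtrees that define the names are never mistaken for interface references. Reporting the removals as config paths makes the migration auditable: a dry run can print them before anything is written.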
2024-02-01 | T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp | aapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services

(cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
2024-02-01 | GitHub: update PR request labeler to v5.0.0 tag | Christian Breunig
(cherry picked from commit 32183aa0f0f9c51126d21693db0eafa256419b31)
2024-02-01 | bgp: T5930: Denied using rt vpn 'export/import' with 'both' together | aapostoliuk
Denied using command 'route-target vpn export/import' with 'both' together in bgp configuration.

(cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)