Age | Commit message (Collapse) | Author |
|
T5767: HTTPS API add reboot and poweroff endpoints (backport #2516)
|
|
T5770 Enable MACsec encryption stanza (backport #2518)
|
|
T5419: firewall: backport firewall flowtable to Sagitta.
|
|
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
|
|
Add ability to reboot and poweroff the system via API
curl -k --location --request POST 'https://vyos/reboot' \
--form data='{"op": "reboot", "path": ["now"]}' \
--form key='apikey'
curl -k --location --request POST 'https://vyos/poweroff' \
--form data='{"op": "poweroff", "path": ["now"]}' \
--form key='apikey'
(cherry picked from commit 36f3c329c2df0e78f2f5da933d9729a872fb2a11)
|
|
(cherry picked from commit 02a3e26e88f0ac3c7368e288769bfed38b41df46)
|
|
(cherry picked from commit a7a90e81ad03ec33acb32beeab71dbd5f27a2044)
|
|
|
|
PAM: T5577: Backported PAM settings from circinus
|
|
T5763: fix imprecise check for remote file name (backport #2511)
|
|
http: T5762: api: make API socket backend communication the one and only default (backport #2508)
|
|
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
(cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
|
|
(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)
|
|
This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and
'optional' modes for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added
'mandatory' and 'optional' modes for TACACS+"). As those new services
should also be cleaned during system boot.
|
|
After sources analysis, we found the next possible return statuses for PAM
modules:
1. pam_tacplus
Auth:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BUF_ERR
- PAM_CRED_INSUFFICIENT
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Account:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Session:
- PAM_AUTHINFO_UNAVAIL
- PAM_SESSION_ERR
- PAM_SUCCESS
- PAM_USER_UNKNOWN
2. pam_radius_auth
Auth:
- PAM_ABORT
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
Account:
- PAM_SUCCESS
Session:
- PAM_ABORT
- PAM_AUTHINFO_UNAVAIL
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
PAM configurations were replaced with tuned versions to take this into account.
|
|
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
In CLI we can choose authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
We need separated groups for RADIUS and TACACS+ system users because they need
to be used in PAM rules independently.
|
|
Example:
set interfaces ethernet eth0 dhcp-options user-class VyOS
or
set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
(cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)
|
|
The string data type specifies either an NVT ASCII string enclosed in double
quotes, or a series of octets specified in hexadecimal, separated by colons.
For example:
set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO
or
set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f
As of now there was no input validation performed.
(cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)
|
|
frr: T5733: enable pim6 daemon
|
|
|
|
T2405: add Git support to commit-archive (backport #2241)
|
|
(cherry picked from commit e92667504e0c503b7c0d125d89d8795d6b6d5876)
|
|
vyos@vyos# set system config-management commit-archive location
Possible completions:
uri Uniform Resource Identifier
Unfortunately URI is a bit "less" specific - add proper help strings:
vyos@vyos# set system config-management commit-archive location
Possible completions:
http://<user>:<passwd>@<host>/<path>
https://<user>:<passwd>@<host>/<path>
ftp://<user>:<passwd>@<host>/<path>
sftp://<user>:<passwd>@<host>/<path>
scp://<user>:<passwd>@<host>/<path>
tftp://<user>:<passwd>@<host>/<path>
git+https://<user>:<passwd>@<host>/<path>
(cherry picked from commit dcb277ba0aed4a02f48572d10d3ba242942b8639)
|
|
(cherry picked from commit a89243cfbfc90854a8cddd53c0ffc987f75abcee)
|
|
T4072: firewall: backport bridge firewall to sagitta
|
|
T5749: Swap show interfaces and show interfaces summary (backport #2500)
|
|
By default show VRF, MAC, MTU for `show interfaces`
The original `show interfaces` moved to `show interfacces summary`
(cherry picked from commit 056885c02b8671279808c226a759de6c5356f578)
|
|
|
|
Remove stray whitespace in sed script and call Section.interfaces with
vlan=False instead of a custom filter.
This extends commit f19c92f25 ("tunnel: T3894: fix design when building
synthetic MAC addresses")
(cherry picked from commit c8ba5dccfa9b02533c6536903ecacd3ddb04351e)
|
|
(cherry picked from commit 019723aaa4217403f1fcbcd636f573ea403f909c)
|
|
T3983: show pki certificate Doesnt show x509 certificates (backport #2495)
|
|
(cherry picked from commit 36de14913e0f4370d7c4e2828032a5378d3bba77)
|
|
pim(6): T5733: add missing FRR related features (backport #2476)
|
|
smoketest: Extend HTTP-API tests (backport #2481)
|
|
(cherry picked from commit 15b5ede2cdd65af441be6de89b8b1df6d186f874)
|
|
T5747: op-mode add show interfaces summary (backport #2491)
|
|
Add op-mode "show interfaces summary"
Add MAC, VRF and MTU options:
vyos@r4# run show interfaces summary
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ----------------- ----------------- ------- ----- ----- -------------
dum0 203.0.113.1/32 96:44:ad:c5:a1:a5 default 1500 u/u
eth0 192.168.122.14/24 52:54:00:f1:fd:77 default 1500 u/u WAN
eth1 192.0.2.1/24 52:54:00:04:33:2b foo 1500 u/u LAN-eth1
eth2 - 52:54:00:40:2e:af default 1504 u/u LAN-eth2
eth3 - 52:54:00:09:a4:b4 default 1500 A/D
(cherry picked from commit dc3906f04fbfe8014531e092a77c1c8c2d10dfe0)
|
|
op-mode: vrf: T5150: add "show vrf vni" and "show vrf <name> vni" commands (backport #2490)
|
|
vyos@vyos:~$ show vrf vni
VRF VNI VxLAN IF L3-SVI State Rmac
blue 2000 None None Down None
green 3000 None None Down None
red 1000 None None Down None
vyos@vyos:~$ show vrf blue vni
VRF VNI VxLAN IF L3-SVI State Rmac
blue 2000 None None Down None
(cherry picked from commit 2fb763ffbc5c5babe552ec97c06570c54ea4aad8)
|
|
(cherry picked from commit 64b4cfc71d402222fd6b034336b3588b5986ba24)
|
|
(cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c)
# Conflicts:
# data/templates/frr/pim6d.frr.j2
# interface-definitions/protocols-pim6.xml.in
# smoketest/scripts/cli/test_protocols_pim6.py
# src/conf_mode/protocols_pim6.py
|
|
(cherry picked from commit 6ce2ecb10884a4b79a7643e22596a2d03d805a91)
|
|
(cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)
|
|
IGMP and PIM are two different but related things.
FRR has both combined in pimd. As we use get_config_dict() and FRR reload it
is better to have both centrally stored under the same CLI node (as FRR does,
too) to just "fire and forget" the commit to the daemon.
"set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"
(cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)
|
|
(cherry picked from commit 45ea9ed72ee11809f69619a40ae243df562de39f)
|
|
(cherry picked from commit c5e2c25f8968c0f06a9e4e992decc46a4f690868)
|
|
Migrate CLI configuration retrival to common get_config_dict(). In addition
add new functionality to VyOS that is PIM related and already available in FRR.
(cherry picked from commit 9abc02edcc237760f1f8aa1b3f08d7f4d18f866c)
# Conflicts:
# python/vyos/frr.py
# src/op_mode/restart_frr.py
|
|
T5732: generate firewall rule-resequence drops geoip country-code fro… (backport #2486)
|