Age | Commit message | Author
2022-08-26 | smoketest: T4643: Delete vpn sstp from config as we have HTTP | Viacheslav Hletenko
HTTP and sstp cannot work together, and in the test config 1.4-rolling-202106290839 we did not have a configurable port for such services, so we should delete sstp from this smoketest config test. In fact it is never working at all: 'smoketest/configs/pki-misc' commits without errors before, but in real life we get 3 services (https, openconnect, sstp) that bind the same port.
2022-08-25 | graphql: T4640: add schema defs and resolver support for op-mode errors | John Estabrook
2022-08-25 | Merge pull request #1458 from sever-sever/T4594 | Christian Poessinger
ipsec: T4594: Rewrite op-mode 'show vpn ipsec sa' to the new format
2022-08-25 | proxy: T4642: allow https proxy transports | Christian Poessinger
2022-08-25 | ifconfig: T2223: add vlan switch for Section.interfaces() | Christian Poessinger
Sometimes we are only interested in the parent interfaces without any VLAN subinterfaces. Extend the API with a vlan argument that defaults to True to keep the current behavior in place.
2022-08-25 | ssh: T2185: use reload-or-restart on configuration changes | Christian Poessinger
2022-08-25 | ntp: T2185: use reload-or-restart on configuration changes | Christian Poessinger
2022-08-25 | telegraf: T3872: re-use existing XML building blocks | Christian Poessinger
2022-08-25 | telegraf: T4617: add VRF support | Christian Poessinger
2022-08-25 | Merge pull request #1497 from sever-sever/T4645 | Christian Poessinger
op-mode: T4645: Show nat source statistics missing argument --family
2022-08-25 | Merge pull request #1495 from sever-sever/T4643 | Christian Poessinger
smoketest: T4643: Change openconnect default port
2022-08-25 | Merge pull request #1496 from sever-sever/T4644 | Christian Poessinger
sstp: T4644: Check SSTP bind port before commit
2022-08-25 | op-mode: T4645: Show nat source stat missing argument --family | Viacheslav Hletenko
As we use in commit 8d4205a9 the argument '--family' for the function '_get_raw_data_rules(direction, family)', we must use it also for 'nat.py show_statistics', as it gets raw data from the same function.
2022-08-25 | sstp: T4644: Check SSTP bind port before commit | Viacheslav Hletenko
By default SSTP binds port '443', and this port can be used by another service like 'service https' or 'vpn openconnect'. Check if the port is bound to another service.
2022-08-25 | smoketest: T4643: Change openconnect default port | Viacheslav Hletenko
Change the openconnect port, as both ocserv and sstp bind the same port 443 by default.
2022-08-25 | Merge pull request #1478 from sever-sever/T4622 | Christian Poessinger
firewall: T4622: Add TCP MSS option
2022-08-24 | T3896: update group syntax per PR1463 | RageLtMan
2022-08-24 | T4630: can not use same source-interface for macsec and pseudo-ethernet | Christian Poessinger
A macsec interface requires a dedicated source interface; it can not be shared with another macsec or a pseudo-ethernet interface.

  set interfaces macsec macsec10 address '192.168.2.1/30'
  set interfaces macsec macsec10 security cipher 'gcm-aes-256'
  set interfaces macsec macsec10 security encrypt
  set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
  set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
  set interfaces macsec macsec10 source-interface 'eth1'
  commit
  set interfaces pseudo-ethernet peth0 source-interface eth1
  commit

Results in:

  FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
  returned: exit code: 2

  noteworthy:
  cmd 'ip link add peth0 link eth1 type macvlan mode private'
  returned (out):
  returned (err):
  RTNETLINK answers: Device or resource busy

  [[interfaces pseudo-ethernet peth0]] failed
  Commit failed
2022-08-24 | Merge pull request #1491 from sever-sever/T4626 | Christian Poessinger
nat66: T4626: Rewrite op-mode show nat66 rules
2022-08-24 | Merge pull request #1490 from aapostoliuk/T1070-sagitta | Christian Poessinger
opennhrp: T1070: Fixed removal all SAs in script
2022-08-24 | smoketest: bgp: T4634: validate "disable-connected-check" option | Christian Poessinger
2022-08-24 | proxy: T4642: bugfix regex, add hyphen to allow list | Christian Poessinger
2022-08-24 | op-mode: T4390: migrate "show log vpn" to journalctl | Christian Poessinger
2022-08-24 | op-mode: extend "monitor log vpn" option | Christian Poessinger
support monitoring
  * all
  * l2tp
  * sstp
  * pptp
2022-08-24 | ipsec: T2185: use systemd to start/stop service | Christian Poessinger
2022-08-24 | Merge pull request #1483 from roedie/T4634 | Christian Poessinger
BGP: T4634: Allow configuration of disable-connected-check
2022-08-24 | Merge pull request #1486 from roedie/T4526-2 | Christian Poessinger
keepalived: T4526: keepalived-fifo.py unable to load config
2022-08-24 | Merge pull request #1488 from sever-sever/T4597 | Christian Poessinger
https: T4597: Verify bind port before apply HTTPS API service
2022-08-24 | Merge pull request #1489 from sever-sever/T4623 | Christian Poessinger
conntrack: T4623: Add conntrack statistics for op-mode
2022-08-24 | Merge pull request #1492 from nicolas-fort/T4641 | Christian Poessinger
Policy: T4641: allow only ipv4 prefixes on prefix-list
2022-08-24 | Policy: T4641: allow only ipv4 prefixes on prefix-list | Nicolas Fort
2022-08-24 | nat66: T4626: Rewrite op-mode show nat66 rules | Viacheslav Hletenko
Rewrite op-mode "show nat66 source|destination rules" to the new format; use "show_rules --direction <direction> --family <inet|inet6>". Delete the old script show_nat66_rules.py.
2022-08-24 | opennhrp: T1070: Fixed removal all SAs in script | aapostoliuk
Fixed removal of all dmvpn SAs. Changed vici terminate by child-sa name to terminate by ike-id.
2022-08-23 | graphql: T3993: reorganize/rename directory structure | John Estabrook
2022-08-23 | conntrack: T4623: Add conntrack statistics for op-mode | Viacheslav Hletenko
2022-08-23 | https: T4597: Verify bind port before apply HTTPS API service | Viacheslav Hletenko
If the Nginx address/port is already bound to another service (for example the openconnect default port 443), the https api cannot start and we don't see any error in the output. Add this check before applying the service/commit.
2022-08-22 | keepalived: T4526: keepalived-fifo.py unable to load config | Sander Klein
keepalived-fifo.py cannot load the VyOS config because the script is started before the commit is completely finished. This change makes sure the script waits for the commit to be completed. It retries every 0.5 seconds. If the commit is still not completed, it will continue as the original implementation did.
2022-08-22 | graphql: T4544: fix for directly running on system for testing | John Estabrook
2022-08-22 | graphql: T3993: add missing sys.exit() | John Estabrook
2022-08-22 | bridge: T4632: vlan aware bridge lacks CPU forwarding | Christian Poessinger
The VLAN aware bridge was forwarding traffic between member ports, but traffic destined towards the CPU was dropped. This resulted in a gateway not being reachable or DHCP leases that could not be handed out.

Tested via:

VyOS
  set interfaces bridge br0 enable-vlan
  set interfaces bridge br0 member interface eth1 allowed-vlan '10'
  set interfaces bridge br0 member interface eth1 allowed-vlan '20'
  set interfaces bridge br0 member interface eth1 allowed-vlan '30'
  set interfaces bridge br0 member interface eth1 allowed-vlan '40'
  set interfaces bridge br0 member interface eth1 native-vlan '40'
  set interfaces bridge br0 member interface eth2 allowed-vlan '30'
  set interfaces bridge br0 member interface eth2 allowed-vlan '20'
  set interfaces bridge br0 member interface eth2 allowed-vlan '10'
  set interfaces bridge br0 member interface eth2 allowed-vlan '40'
  set interfaces bridge br0 vif 10 address '10.0.10.1/24'
  set interfaces bridge br0 vif 20 address '10.0.20.1/24'
  set interfaces bridge br0 vif 30 address '10.0.30.1/24'
  set interfaces bridge br0 vif 40 address '10.0.40.1/24'

Arista vEOS
  vlan 10,20,30,40
  interface Ethernet1
    switchport trunk allowed vlan 10,20,30,40
  interface Vlan10
    ip address 10.0.10.2/24
  interface Vlan20
    ip address 10.0.20.2/24
  interface Vlan30
    ip address 10.0.30.2/24
  interface Vlan40
    ip address 10.0.40.2/24
  interface Ethernet1
    switchport trunk allowed vlan 10,20,30,40
    switchport mode trunk
    spanning-tree portfast

Cisco vIOS
  interface GigabitEthernet0/0
   ip address 10.0.40.3 255.255.255.0
   duplex auto
   speed auto
   media-type rj45
  !
  interface GigabitEthernet0/0.10
   encapsulation dot1Q 10
   ip address 10.0.10.3 255.255.255.0
  !
  interface GigabitEthernet0/0.20
   encapsulation dot1Q 20
   ip address 10.0.20.3 255.255.255.0
  !
  interface GigabitEthernet0/0.30
   encapsulation dot1Q 30
   ip address 10.0.30.3 255.255.255.0
  !
2022-08-22 | BGP: T4634: Allow configuration of disable-connected-check | Sander Klein
2022-08-20 | nat66: T4631: Add port and protocol to nat66 | Viacheslav Hletenko
Ability to configure src/dst/translation port and protocol for SNAT and DNAT IPv6
2022-08-20 | Merge pull request #1481 from sever-sever/T4597 | Christian Poessinger
ocserv: T4597: Fix check bounded port by service itself
2022-08-20 | ocserv: T4597: Fix check bounded port by service itself | Viacheslav Hletenko
We check the listen port before commit to see if the port is available and not bound, but when we start openconnect our own port becomes bound by the "ocserv-main" process and the next commit will fail as the port is already bound. To fix it, extend the check for an already bound port so that it ignores our own "ocserv-main" process.
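The three bind-port checks above (T4644 for sstp, T4597 for the HTTPS API, and the ocserv fix that must ignore the service's own "ocserv-main" listener) share one problem: find out who already listens on the port before commit, and do not count the service itself. The block below is an added illustration, not VyOS code: it parses constructed `ss -H -tlnp` output (the `users:(("name",pid=N,fd=M))` column is the real `ss` format, the socket lines and process names are made up) and reports foreign listeners, treating a wildcard bind (0.0.0.0, ::) as overlapping any address. The function names are this example's own.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample of `ss -H -tlnp` output (listening TCP sockets, header suppressed).
# Not captured from a real system; process names and PIDs are illustrative.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1234,fd=6),("nginx",pid=1233,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 1024 192.0.2.1:443 0.0.0.0:* users:(("ocserv-main",pid=2000,fd=5))
LISTEN 0 128 [::1]:8080 [::]:* users:(("python3",pid=3000,fd=4))
"""

# One ("name",pid=N entry inside the users:(...) column of ss.
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
# Binds that cover every local address, IPv4 and IPv6 wildcards alike.
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_ss(output: str) -> Iterator[Tuple[str, int, List[str]]]:
    """Yield (local address, port, [process names]) for each LISTEN line."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                       # e.g. 0.0.0.0:443 or [::1]:8080
        addr, port_str = local.rsplit(":", 1)  # rsplit keeps IPv6 colons intact
        addr = addr.strip("[]")
        procs = [name for name, _pid in _PROC_RE.findall(line)]
        yield addr, int(port_str), procs


def _overlaps(bound: str, wanted: Optional[str]) -> bool:
    """True if a socket bound to `bound` would collide with a bind to `wanted`."""
    if wanted is None or wanted in WILDCARDS or bound in WILDCARDS:
        return True
    return bound == wanted


def foreign_listeners(output: str, port: int, address: Optional[str] = None,
                      own_process: Optional[str] = None) -> List[str]:
    """Names of processes other than `own_process` already listening where we want to bind."""
    names: List[str] = []
    for addr, bound_port, procs in parse_ss(output):
        if bound_port != port or not _overlaps(addr, address):
            continue
        for proc in procs:
            if proc != own_process and proc not in names:
                names.append(proc)
    return names


def verify_bind(output: str, service: str, port: int, address: Optional[str] = None,
                own_process: Optional[str] = None) -> Optional[str]:
    """Return a commit error message, or None when the service may bind the port."""
    others = foreign_listeners(output, port, address, own_process)
    if others:
        return f'Port {port} is already in use by {", ".join(others)}; cannot bind {service}'
    return None


if __name__ == "__main__":
    # sstp wants 443 on all addresses; nginx and ocserv already hold it.
    print(verify_bind(SAMPLE_SS, "sstp", 443, own_process="accel-pppd"))
    # ocserv re-commit: its own listener on 443 is ignored, nginx still conflicts.
    print(verify_bind(SAMPLE_SS, "openconnect", 443, address="192.0.2.1",
                      own_process="ocserv-main"))
    print(verify_bind(SAMPLE_SS, "https", 8443))
```

On a live system the `output` argument would come from `subprocess.check_output(["ss", "-H", "-tlnp"], text=True)`; the check is only meaningful when run as root, since `ss` hides the process column for sockets owned by other users.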
2022-08-19 | Merge pull request #1476 from sever-sever/T4620 | Christian Poessinger
UPnP: T4211: T4620 Fix upnp template
2022-08-19 | ethernet: T4538: fix wrong systemd unit used for EAPoL | Christian Poessinger
When MACsec was bound to an ethernet interface and the underlying source-interface got changed (even description only), this terminated the MACsec session running on top of it. The root cause is that when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed led to the fact that wpa_supplicant was always stopped when anything happened on the underlying source-interface that was not related to EAPoL.
2022-08-19 | UPnP: T4611: Rule must be as prefix instead of an address | Viacheslav Hletenko
From the doc, the miniupnpd IP/mask format must be nnn.nnn.nnn.nnn/nn. Comment out the invalid option "anchor".
2022-08-18 | T3896: update groupconfig syntax per PR1463 | RageLtMan
Address @sever-sever's suggestion to refactor how groupconfig is defined, parsed, and set (with his proposed conditional string appending Py-sugar). Use the disable-mobike refactor as template for XML simplification. Testing: None yet
2022-08-18 | firewall: T4622: Add TCP MSS option | Viacheslav Hletenko
Ability to drop|accept packets based on TCP MSS size

  set firewall name <tag> rule <tag> tcp mss '501-1460'
2022-08-18 | T3896: Use group selector and forced dns tunneling | RageLtMan
Enterprise RADIUS configurations often utilize group selectors for authentication and attribute distribution for connecting clients. Ocserv implements this functionality via the `select-group` config file attribute, repeating for multiple groups. When a user selects their membership group and the request is passed to the RADIUS server, ocserv will match the returned Class attribute against the value selected by the user. This functionality also works for local group membership resolution, although VyOS currently doesn't have group membership configuration for this.

Expose the tunnel-all-dns option in the ocserv config file allowing users who deploy default routes to select split-dns and those who do not to enable full DNS tunneling.

Testing:
  Smoketests & build
  Configured groups in openconnect profile and verified existence in /run/ocserv/ocserv.conf
  Configured forced dns tunneling and verified presence of setting in /run/ocserv/ocserv.conf