summaryrefslogtreecommitdiff
path: root/python/vyos/ifconfig
AgeCommit message (Collapse)Author
2021-07-19pki: wireguard: T3642: Migrate Wireguard private key directly into CLIsarthurdev
Also renames peer pubkey to public-key for consistency
2021-07-17Merge pull request #927 from zdc/T3655-sagittaChristian Poessinger
VRF: T3655: proper connection tracking for VRFs
2021-07-17VRF: T3655: proper connection tracking for VRFszsdc
Currently, all VRFs share the same connection tracking table, which can lead to problems: - traffic leaks to a wrong VRF - improper NAT rules handling when multiple VRFs contain the same IP networks - stateful firewall rules issues The commit implements connection tracking zones support. Each VRF utilizes its own zone, so connections will never mix up. It also adds some restrictions to VRF names and assigned table numbers, because of nftables and conntrack requirements: - VRF name should always start from a letter (interfaces that start from numbers are not supported in nftables rules) - table number must be in the 100-65535 range because conntrack supports only 65535 zones
2021-07-13T3663: use inotify-based watching in "show vrrp".Daniil Baturin
2021-06-28ipsec: T1441: switch from vti to xfrm interfacesChristian Poessinger
XFRM interfaces are similar to VTI devices in their basic functionality but offer several advantages: * No tunnel endpoint addresses have to be configured on the interfaces. Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints, this resolves issues with wildcard addresses (only one VTI with wildcard endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and easily allows SAs with multiple peers to share the same interface. * Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on the same interface (VTI devices only support one address family). * IPsec modes other than tunnel are supported (VTI devices only support tunnel mode). * No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier (XFRM interface ID) links policies and SAs with XFRM interfaces.
2021-06-27op-mode: bond: T2546: implement "show interface bond * slaves" commandChristian Poessinger
Add implementation with XML and Python.
2021-06-21Python: T3641: adjust to changes in latest vesion of netifaces libraryChristian Poessinger
2021-06-17ethernet: T3633: Add LRO offloadViacheslav
2021-06-13wwan: T3620: rename "wirelessmodem wlm" interfaces to new wwan interface treeChristian Poessinger
2021-05-28vti: ipsec: T2816: interfaces must be created using the vyos.ifconfig libraryChristian Poessinger
2021-05-24tunnel: T3555: add "ignore-df" support for GRE tunnelsChristian Poessinger
2021-05-21vlan: T3551: support runtime changing of ingress and egress QoS settingsJACK
2021-05-15vyos.ifconfig: T3532: re-create Q-in-Q interface on protocol changeChristian Poessinger
It is not possible to change the VLAN encapsulation protocol "on-the-fly". For this "quirk" we need to actively delete and re-create the VIF-S interface.
2021-05-14vyos.ifconfig: T3535: add helper to get only IPv4 or IPv6 interface addressesChristian Poessinger
2021-05-13bonding: T3543: add support to configure lact-rate (slow or fast)Christian Poessinger
Option specifying the rate in which we'll ask our link partner to transmit LACPDU packets in 802.3ad mode. set interfaces bonding bond0 lacp-rate <slow|fast> slow: Request partner to transmit LACPDUs every 30 seconds (default) fast: Request partner to transmit LACPDUs every 1 second
2021-04-25tunnel: T3468: add interfaces to completion helper for bridgeChristian Poessinger
2021-04-05tunnel: T3030: move erspan type into regular tunnel interfaceChristian Poessinger
Instead of having a dedicated ERSPAN interface type, rather move the specifics into "interface tunnel". A migrator is not needed as there is yet no LTS release with this feature and this is considered experimental.
2021-03-30xdp: T3448: bail out early on platforms not supporting xdp (e.g. RaspberryPi)Christian Poessinger
2021-03-27vrf: vlan: T3438: do not automatically delete upper interfaceChristian Poessinger
Removing a VLAN (VIF) interface from the CLI always deleted all interfaces the kernel listed as "upper" in the /sys/class/net folder. This had the drawback that when deleting a VIF, also the VRF interface was simply deleted - killing all VRF related services.
2021-03-19bridge: T3415: add port isolation / private-vlan optionChristian Poessinger
Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource. Q: https://en.wikipedia.org/wiki/Private_VLAN
2021-03-07T3357: Fix invoking TunnelIf() from op-modeChristian Poessinger
As we can also use the TunnelIf() class from op-mode we must ensure that read-only access to the class works even if required configuration keys as "encapsulation" are not passed to the class on invokation. This fixes an isse where "show interfaces tunnel" returned: Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/show_interfaces.py", line 313, in <module> args.vrrp File "/usr/libexec/vyos/op_mode/show_interfaces.py", line 48, in handled_function function(*args, **kwargs) File "/usr/libexec/vyos/op_mode/show_interfaces.py", line 222, in run_show_intf_brief for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp): File "/usr/libexec/vyos/op_mode/show_interfaces.py", line 77, in filtered_interfaces interface = klass(ifname, create=False, debug=False) File "/usr/lib/python3/dist-packages/vyos/ifconfig/tunnel.py", line 99, in __init__ if self.iftype in ['gretap', 'ip6gretap']: AttributeError: 'TunnelIf' object has no attribute 'iftype'
2021-03-07T3388: "show interfaces" op-mode command lacks PPPoE interfacesChristian Poessinger
Commit e5b335830ef ("vyos.ifconfig: T1579: remove calls to vyos.ifconfig.Interface.get_config()") removed the PPPoEIf class as it seemed to be unused. It turns out it is required by the op-mode commands for e.g. "show interfaces".
2021-03-04Merge pull request #729 from bstepler/T3300Christian Poessinger
dhcp: T3300: add DHCP default route distance
2021-03-03tunnel: T2966: add ip6gretap encapsulation supportChristian Poessinger
2021-03-03geneve: T1799: add additional per tunnel optionsChristian Poessinger
Support setting additional options to the GENEVE tunnel like: - ttl - tos - do not fragment bit - ipv6 flowlabel
2021-03-03smoketest: vxlan: extend testcase to verify additional tunnel parametersChristian Poessinger
Verify proper configuration of VXLAN parameters for - source-interface - source-address - remote - vni - group Before it was only verified if the VXLAN tunnel interface was configured at all but not if the parameters are correct, too.
2021-02-28vif: T3349: use fixed ordering when enabling parent and child interfaceChristian Poessinger
When a VIF/VLAN interface is placed in admin down state but the lower interface, serving the vlan, is moved from admin down -> admin up, all its vlan interfaces will be placed in admin up state, too. This is bad as a VLAN interface will become admin up even if its specified as admin down after a reboot. To reproduce: set interfaces ethernet eth1 vif 20 disable set interfaces ethernet eth1 disable commit delete interfaces ethernet eth1 disable commit Now check the interface state and it returns UP,LOWER_UP 7: eth1.20@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:50:56:b3:09:07 brd ff:ff:ff:ff:ff:ff inet6 fe80::250:56ff:feb3:907/64 scope link valid_lft forever preferred_lft forever
2021-02-28vxlan: T1513: add dont-fragment CLI optionChristian Poessinger
2021-02-28l2tpv3: T3366: migrate local-ip and remote-ip CLI optionsChristian Poessinger
Rename CLI options local-ip to source-address and remote-ip to remote to get a consistent CLI experience for the user.
2021-02-28tunnel: T3366: rename remote-ip to remoteChristian Poessinger
Streamline the CLI configuration where we try to use remote on other interfaces like vxlan, geneve.
2021-02-28tunnel: T3366: rename local-ip to source-addressChristian Poessinger
Streamline the CLI configuration where we try to use source-address when creating connections which are especially sourced from a discrete address.
2021-02-28tunnel: T3364: rename encapsulation mode "gre-bridge" to "gretap"Christian Poessinger
The following list shows the mapping of VyOS tunnel encapsulation modes to the corresponding Linux modes. VyOS Linux gre gre gre-bridge gretap ipip ipip ipip6 ipip6 ip6ip6 ip6ip6 ip6gre ip6gre sit sit Besides gre-bridge this is pretty consistent. As bridge interfaces are also called tap interfaces gre-bridge will be renamed to gretap to make the post-processing much easier. This means (in detail) that there are no more child classes of _Tunnel and there will be now one geneirc TunnelIf class handling all sorts of encapsulation.
2021-02-28vyos.ifconfig: T1579: remove calls to vyos.ifconfig.Interface.get_config()Christian Poessinger
Interface.get_config() was always a pure helper which exposed a "per interface type" dictionary which was then fed by the caller to create interfaces by iproute2 which required additional options during creation time. Such interfaces had been: * tunnel * vxlan * geneve * macsec * wifi * macvlan / pseudo-ethernet The code was always duplicated to convert from the VyOS CLI based get_config_dict() to a dict which can be used to feed iproute2. This path has been removed and we now always feed in the entire dictionary retrieved by get_config_dict() or in the interfaces case, it's high-level wrapper get_interface_dict() to the interface we wan't to create. This also adds the - personally long awaited - possibility to get rid of the derived tunnel classes for e.g. GRE, IPIP, IPIP6 and so on.
2021-02-22vyos.ifconfig: extend debug option to print input dictChristian Poessinger
2021-02-15dhcp: T3300: add DHCP default route distanceBrandon Stepler
2021-02-11mirror: T3297: redirect stderr to /dev/nullJACK
2021-02-02tunnel: T3030: Modify the command line to streamline configuration (support ↵jack9603301
package type automatic detection)
2021-02-02tunnel: T3030: Add erspan protocol supportjack9603301
2021-01-27dhcpv6: T3262: don't run DHCPv6 client when only dhcpv6-options is configuredBrandon Stepler
If dhcpv6-options is configured without requesting a DHCPv6 address or PD, the dhcpv6pd variable is assigned an empty dict.
2021-01-20tunnel: T3173: bugfix nopmtu raw keyChristian Poessinger
The raw key was not copied into the class member variable. Also added a smoketest to ensure the configured parameters are always set.
2021-01-17bridge: T3137: Fix variable errors in VLAN sensor bridge configuration programjack9603301
2021-01-16bridge: T3137: Support disable native VLANjack9603301
2021-01-16Merge pull request #677 from jack9603301/T3137Christian Poessinger
bridge: T3137: Let VLAN aware bridge approach the behavior of professional equipment
2021-01-15tunnel: T3173: path MTU discovery option should be valuelessChristian Poessinger
2021-01-15bridge: T3137: Delete blank linesjack9603301
2021-01-15bridge: T3137: Better implementation of VLAN aware Bridgejack9603301
2021-01-15bridge: T3137: Let VLAN aware bridge approach the behavior of professional ↵jack9603301
equipment According to the consensus, the specific behavior of a VLAN aware bridge should conform to the behavior of professional equipment. This commit makes a significant change to the behavior of VLAN aware bridge, and has the following behaviors: 1. Disable `vif 1` configuration 2. When the VLAN aware bridge is enabled, the parent interface is always VLAN 1 3. When `native-vlan` is not configured, the default behavior of the device is `native-vlan 1` 4. The VLAN ids forwarded by the bridge are determined by `vif` 5. It has an `enable-vlan` node to enable VLAN awareness 6. VLAN configuration is allowed only when VLAN aware bridge is activated
2021-01-13ifconfig: T2653: return empty string when there is no interface descriptionChristian Poessinger
After switching to iproute2 in commit 92f36735 ("ifconfig: T2653: use iproute2 commands for alias, mac and mtu set()/get()" it is necessary to return an empty string as iproute2 returns None.
2021-01-12ifconfig: T2653: use iproute2 commands for alias, mac and mtu set()/get()Christian Poessinger
2021-01-12tunnel: T3205: bugfix gre-bridge interfacesChristian Poessinger