summaryrefslogtreecommitdiff
path: root/python/vyos
AgeCommit message (Collapse)Author
2022-07-01Merge pull request #1380 from sarthurdev/ovpn-multi-caChristian Poessinger
openvpn: T4485: Accept multiple tls ca-certificate values
2022-07-01vti: T2455: add link-local IPv6 address supportChristian Poessinger
Interface should receive an auto generated link-local IPv6 address as we do with all VyOS interfaces by default.
2022-06-29openvpn: T4485: Update PKI migrator to handle full CA chain migrationsarthurdev
* Also determines and maps to correct CA for migrated CRL
2022-06-29bridge: add option to enable/disable IGMP/MLD snoopingYuxiang Zhu
This PR adds an config option to enable/disable IGMP/MLD snooping. ``` set interfaces bridge brN igmp snooping ```
2022-06-29openvpn: T4485: Accept multiple `tls ca-certificate` valuessarthurdev
2022-06-25interfaces: dhcp: T4482: toggle of "dhcp-options no-default-route" has no effectChristian Poessinger
Error introduced by commit 85d6c8f7c ("vyos.configdict: T4391: enable get_interface_dict() ti be used with ConfigTreeQuery()"). Reason was the still in use relative path on calls to node_changed(), these got replaced with absolute config paths and the new implementation if is_node_changed().
2022-06-25dhcp: pppoe: T4384: bugfix not honoring no-default-route CLI optionChristian Poessinger
Commit a2ab95ff68b ("pppoe: T4384: replace default-route CLI option with common CLI nodes already present for DHCP") had an issue as the PPPoE interface options and also DHCP interface options did not honor the no-default-route option. This has been fixed.
2022-06-16vyos.ifconfig: T4384: fix file permission (664) on interface.pyChristian Poessinger
2022-06-14firewall: T970: Use set prefix to domain groupssarthurdev
2022-06-14firewall: T4147: Use named sets for firewall groupssarthurdev
* Refactor nftables clean-up code * Adds policy route test for using firewall groups
2022-06-11firewall: T4299: Add support for GeoIP filteringsarthurdev
2022-06-10Merge pull request #1356 from sarthurdev/nested_groupsChristian Poessinger
firewall: T478: Add support for nesting groups
2022-06-10firewall: T478: Add support for nesting groupssarthurdev
2022-06-10Firewall:T4458: Add ttl match option in firewallNicolas Fort
2022-06-10Merge pull request #1322 from nicolas-fort/T3907-fwall-logDaniil Baturin
Firewall: T3907: add log-level options in firewall
2022-06-09Merge pull request #1327 from sever-sever/T970Christian Poessinger
firewall: T970: Add firewall group domain-group
2022-06-05firewall: T970: Maintain a domain state to fallback if resolution failssarthurdev
2022-05-31pki: T3642: Update conf scripts using changed PKI objectssarthurdev
2022-05-30pki: T3642: Add ability to import files into PKi configurationsarthurdev
2022-05-29vyos.frr: T2472: add wigrpd supportChristian Poessinger
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-27Firewall: T3907: Revert migration script 6-to-7 and add new 7-to-8Nicolas Fort
2022-05-25Merge pull request #1333 from sever-sever/T4442John Estabrook
http-api: T4442: Add action reset
2022-05-26http-api: T4442: Add action resetViacheslav Hletenko
Add action 'reset' (op-mode) for HTTP-API http://localhost/reset curl --unix-socket /run/api.sock -X POST -Fkey=mykey \ -Fdata='{"op": "reset", "path": ["ip", "bgp", "192.0.2.14"]}' \ http://localhost/reset
2022-05-25configtest: T4382: bgp migration scripts need to follow quagga scriptsJohn Estabrook
The configs bgp_bfd_communities and bgp_big_as_cloud reveal a counterexample to the independence of component migration scripts: quagga migration scripts must precede those of bgp; explicitly reorder from lexical order.
2022-05-19T4432: display load averages normalized for the number of CPU coresDaniil Baturin
2022-05-11Firewall: T3907: add log-level options in firewallNicolas Fort
2022-05-09Merge pull request #1279 from nicolas-fort/T990Christian Poessinger
Firewall: T990: Add snat and dnat connection status on firewall
2022-04-25vyos.configdict: T4391: enable get_interface_dict() ti be used with ↵Christian Poessinger
ConfigTreeQuery() When VyOS is booting and an interface is brought up (PPPoE) which requires a user callback script that is executed asynchronously when the interface is up we can not use Config(). The problem is, Config() is not available when the system starts and the initial commit is still processed. We need to move to ConfigTreeQuery() which was build for this exact same purpose. TO reduce side effects and also dependencies on the entire vyos.configdict library the set_level()/get_level() calls got eliminated from within the library. All calls to functions like: * get_removed_vlans() * is_node_changed() * leaf_node_changed() * is_mirror_intf() * ... Now require that the full config path to the node is passed.
2022-04-24Merge pull request #1295 from dmbaturin/T4361John Estabrook
T4361: refactor and simplify vyos.config.exists()
2022-04-23Firewall: T990: Modifications for new connection-status cliNicolas Fort
2022-04-23verify: T4386: Fix traffic-policy key in verify_mirrorViacheslav Hletenko
Fix logic for verify traffic-policy in def verify_mirror_redirect It checks just "traffic_policy.in" and should also checks if 'mirror' or 'redirect' exists in config
2022-04-21pppoe: T4384: replace default-route CLI option with common CLI nodes already ↵Christian Poessinger
present for DHCP VyOS 1.4 still leverages PPPd internals on the CLI. pppd supports three options for a default route, none, auto, force. * none: No default route is installed on interface up * auto: Default route is only installed if there is yet no default route * force: overwrite any default route There are several drawbacks in this design for VyOS and the users. If auto is specified, this only counted for static default routes - but what about dynamic ones? Same for force, only a static default route got replaced but dynamic ones did not got taken into account. The CLI is changed and we now re-use already existing nodes from the DHCP interface configuration: * no-default-route: On link up no default route is installed, same as the previous default-route none * default-route-distance: We can now specify the distance of this route for the routing table on the system. This defaults to 210 as we have for DHCP interfaces. All this will be migrated using a CLI migration script.
2022-04-21vyos.ifconfig: T4384: get_interface_dict() should provide "ifname" key for VIFsChristian Poessinger
2022-04-21T4361: refactor and simplify vyos.config.exists()Daniil Baturin
2022-04-20Revert "vyos.configdict(): T4369: leaf_node_changed() must return True when ↵Christian Poessinger
node is added" This reverts commit c685c0f762ea054c7a220bde625fdab549bbbdd2.
2022-04-20Revert "vyos.configdict(): T4369: bugfix - execution order in ↵Christian Poessinger
leaf_node_changed()" This reverts commit 1a1094c28e32c3d6d072cf14a38aa631d51b8aee.
2022-04-20vyos.configdict: T4369: add is_node_changed() helperChristian Poessinger
2022-04-19pppoe: static: T4379: bugfix default-route lost after applying additional ↵Christian Poessinger
static routes Issue is identical to the problem in T3680 (05aa22dcb4ce) which was for DHCP based routes. Once a static route is added to the system, the PPPoE auto-installed default route is lost.
2022-04-18vxlan: geneve: T4370: support configuration of DF bit optionChristian Poessinger
set interfaces vxlan vxlan0 parameters ip df <set|unset|inherit> set interfaces geneve gnv0 parameters ip df <set|unset|inherit>
2022-04-18vyos.configdict(): T4369: bugfix - execution order in leaf_node_changed()Christian Poessinger
Commit c685c0f7 ("vyos.configdict(): T4369: leaf_node_changed() must return True when node is added") added a code path then a node was newly added to the CLI. Unfortunately it turned out that this introduced a regression: File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 230, in update super().update(config) File "/usr/lib/python3/dist-packages/vyos/ifconfig/interface.py", line 1428, in update for addr in list_diff(config['address_old'], new_addr): File "/usr/lib/python3/dist-packages/vyos/configdict.py", line 105, in list_diff return [item for item in first if item not in second] TypeError: 'bool' object is not iterable The execution order of the if statements is essential and the new check was moved to the bottom to not interfere with the existing logic.
2022-04-18vyos.configdict(): T4369: leaf_node_changed() must return True when node is ↵Christian Poessinger
added
2022-04-16vyos.base: use Warning() helper where applicableChristian Poessinger
2022-04-16salt-minion: T4364: issue warning - do not use sha1 hashing algorithmChristian Poessinger
2022-04-16dhcp(v6)-client: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-04-14config: T4361: correct exists()/exists_effective() on value(s)John Estabrook
The check for existence of value(s) in config.exists relied solely on return_value, causing the return of a false negative on multi-valued nodes; this is corrected. Also, config.exists_effective did no check for existence of values; this is added.
2022-04-11vyos.ethtool: T4327: add Hyper-V NIC driver to speed/duplex ignore listChristian Poessinger
2022-04-11Firewall: T990: Add snat and dst connection status on firewallNicolas Fort
2022-04-11T4327: ignore PermissionError caused by ethtool spee/duplex/autoneg settingDaniil Baturin
Certain NICs seem to fail to report that they don't support speed/duplex setting, so they look as if it's supported, but the command fails in practice. It's probably better to preserve a working config in that case.
2022-04-08Firewall: T990: Add snat and dnat connection status on firewallNicolas Fort