summaryrefslogtreecommitdiff
path: root/python/vyos
AgeCommit message (Collapse)Author
2023-11-03wireguard: T5707: remove previously deconfigured peerChristian Breunig
Changing the public key of a peer (updating the key material) left the old WireGuard peer in place, as the key removal command used the new key. WireGuard only supports peer removal based on the configured public-key, by deleting the entire interface this is the shortcut instead of parsing out all peers and removing them one by one. Peer reconfiguration will always come with a short downtime while the WireGuard interface is recreated. (cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
2023-11-01T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-10-31vxlan: T5668: add CLI knob to enable ARP/ND suppressionChristian Breunig
In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions [1] that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host. In Linux, the above is implemented in the bridge driver using a per-port option called "neigh_suppress" that was added in kernel version 4.15. [1] https://www.rfc-editor.org/rfc/rfc7432#section-10 (cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
2023-10-30vxlan: T5699: migrate "external" CLI know to "parameters external"Christian Breunig
As we have a bunch of options under "paramteres" already and "external" is clearly one of them it should be migrated under that node as well. (cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
2023-10-30Merge pull request #2400 from vyos/mergify/bp/sagitta/pr-2355Viacheslav Hletenko
T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
2023-10-24Merge pull request #2399 from nicolas-fort/T5637-sagittaDaniil Baturin
T5637: Firewall: add new rule at the end of base chains for default-a…
2023-10-24T5643: nat: add interface-groups to nat. Use same cli structure for ↵Nicolas Fort
interface-name|interface-group as in firewall. (cherry picked from commit 2f2c3fa22478c7ba2e116486d655e07df878cdf4)
2023-10-23T5637: Firewall: add new rule at the end of base chains for default-actions. ↵Nicolas Fort
This enables logs capabilities for default-action in base chains.
2023-10-23T5675: use addr_prefix instead of addr in NAT66 ruleAdam Smith
(cherry picked from commit 0c046a1f5a020af30c9522011aa5c86524874a47)
2023-10-22Merge pull request #2394 from vyos/mergify/bp/sagitta/pr-2391Christian Breunig
T5299: Add missed option ceiling for QoS shaper (backport #2391)
2023-10-22T5299: Add missed option ceiling for QoS shaperViacheslav Hletenko
Add missed option `ceil` for QoS class 'trafficshaper' (cherry picked from commit 5218241e6293317f8837b3f7c3893d653d960993)
2023-10-22bonding: T5254: Fixed changing ethernet when it is a bond memberaapostoliuk
If ethernet interface is a bond memeber: 1. Allow for changing only specific parameters which are specified in EthernetIf.get_bond_member_allowed_options function. 2. Added inheritable parameters from bond interface to ethernet interface which are scpecified in BondIf.get_inherit_bond_options. Users can change inheritable options under ethernet interface but in commit it will be copied from bond interface. 3. All other parameters are denied for changing. Added migration script. It deletes all denied parameters under ethernet interface if it is a bond member. (cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)
2023-10-19vyos.configdict: T5670: move from str to list when calling conf.exists()Christian Breunig
We have had a mix of both string and list arguments to conf.exists(), stremaline this to only make use of list calls. (cherry picked from commit 3f17de7c32621353b51f782ca889a83cad7a6cfd)
2023-10-17configdep: T5662: fix incorrect inspect.stack index of calling scriptJohn Estabrook
(cherry picked from commit eff58d8b8842e0bac9fe123cebf93801a92f05d3)
2023-10-14remote: T5650: Resize-aware progressbar implementationerkin
(cherry picked from commit 799d24eba18d6710219b7380cbafb954b9eec5ce)
2023-10-05config: T5631: save copy of config in JSON format on commitJohn Estabrook
(cherry picked from commit 27605426a4ad613f45d36e7db5b1664dc3192981)
2023-10-05T4320: remove references to obsoleted legacy version filesJohn Estabrook
(cherry picked from commit aeb0138c9df73b57489eced152f026c0666d1ee5)
2023-09-28firewall: T5614: Add support for matching on conntrack helpersarthurdev
(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001)
2023-09-27conf-mode: T5412: add support for supplemental dependency definitionsJohn Estabrook
Add support for defining config-mode dependencies in add-on packages. (cherry picked from commit d9ad551816e34f38280534ad75d267697e4f096f)
2023-09-22op-mode: raid: T5608: define add/delete raid memberJohn Estabrook
(cherry picked from commit 2d3f3297b575f88662495e14a7c7324ff73b6bfc)
2023-09-22vyos.utils: T5609: get disk device by partial idJohn Estabrook
(cherry picked from commit ede0b5b1a19c37547c19d875743e78b0278628d4)
2023-09-19utils: T5239: add low-level read from config.bootJohn Estabrook
(cherry picked from commit 56d3f75de487c1dcfd075cf7b65cb16b6501d0ca)
2023-09-19T5594: vrrp: extend function is_ipv6_tentative to analysis all type of ipv6 ↵Nicolas Fort
address, and not only global ipv6 address. This allows to configure ipv6 link local address on vrrp hello-source-address parameter. (cherry picked from commit b6ae59354b5d69751cc7ea75e0aa4ac0070afa47)
2023-09-11Merge pull request #2215 from jestabro/T5353-sagittaJohn Estabrook
config-mgmt: T5353: normalize archive updates and commit log entries
2023-09-11vxlan: T3700: Revert change to `vyos.utils.process.cmd`sarthurdev
(cherry picked from commit e46afa2c58eea2d81df84e2630a6f346f1f51c2a)
2023-09-09vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridgesChristian Breunig
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI is configured against a container VXLAN interface which is referred to as a 'Single VXLAN device (SVD)'. Multiple VLAN to VNI mappings can be configured against the same SVD. This allows for a significant scaling of the number of VNIs since a separate VXLAN interface is no longer required for each VNI. Sample configuration of SVD with VLAN to VNI mappings is shown below. set interfaces bridge br0 member interface vxlan0 set interfaces vxlan vxlan0 external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031' (cherry picked from commit 7f6624f5a6f8bd1749b54103ea5ec9f010adf778)
2023-09-08config-mgmt: T5556: fix bug in revision to archive updateJohn Estabrook
(cherry picked from commit fd5517b38191f5bb5897912ef62f5a8d1156b7b3)
2023-09-08config-mgmt: T5353: after updated save-config, one can include init revJohn Estabrook
The legacy config-mgmt/save-config tools had an abiding bug that would raise an error if comparing/reading the init archive; this is no longer an issue. (cherry picked from commit 52e4b4431ef440f0cffb570ca61c428c78699ee6)
2023-09-08config-mgmt: T5353: correct update check during bootJohn Estabrook
(cherry picked from commit 730e744931e4ccc1f214d3e5bff0e6a2e589fd50)
2023-09-08config-mgmt: T5353: only add log entry if archivingJohn Estabrook
(cherry picked from commit 73e317bee57c03b719019daabd578842d912b761)
2023-09-04T5533: Fix VRRP IPv6 group enters in FAULT stateViacheslav Hletenko
Checks if an IPv6 address on a specific network interface is in the tentative state. IPv6 tentative addresses are not fully configured and are undergoing Duplicate Address Detection (DAD) to ensure they are unique on the network. inet6 2001:db8::3/125 scope global tentative It tentative state the group enters in FAULT state. Fix it
2023-08-31Merge pull request #2190 from sarthurdev/T4782Christian Breunig
eapol: T4782: Support multiple CA chains
2023-08-31eapol: T4782: Support multiple CA chainssarthurdev
2023-08-28T5519: Fix `vyos.utils.process.call` hangsYuxiang Zhu
See https://vyos.dev/T5519 for more information.
2023-08-25interface: T3509: Add per-interface IPv6 source validationsarthurdev
2023-08-23save-config: T4292: rewrite vyatta-save-config.pl to PythonJohn Estabrook
2023-08-23Merge pull request #2162 from nicolas-fort/T5472Christian Breunig
T5472: nat redirect: allow redirection without defining redirected port
2023-08-23vrf: T5428: move helpers to common vyos.utils.network moduleChristian Breunig
Helper functions can and will be re-use din different code places.
2023-08-23Merge pull request #2142 from nicolas-fort/T5450Christian Breunig
T5450: allow inverted matcher for interface and interface-group
2023-08-23T5472: nat redirect: allow redirection without defining redirected portNicolas Fort
2023-08-23T5450: update smoketest and interface definition in order to work with new ↵Nicolas Fort
firewall cli
2023-08-23Merge pull request #2156 from giga1699/T5447Christian Breunig
T5447: Initial support for MACsec static keys
2023-08-20T5447: Remove redundant self.set_admin_stateGiga Murphy
2023-08-20T5447: Update copyright yearsGiga Murphy
2023-08-20T5447: Corrected comment in _create headerGiga Murphy
2023-08-20T5447: Corrected comment for interface downGiga Murphy
2023-08-20T5447: Implement maintainer feedbackGiga Murphy
2023-08-18T5447: Initial support for MACsec static keysGiga Murphy
2023-08-17Merge pull request #2130 from aapostoliuk/T5409-sagittaChristian Breunig
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
2023-08-17wireguard: T5409: rename threaded CLI not to per-client-threadChristian Breunig
Using threaded as CLI node is a very deep term used by kernel threads. To make this more understandable to users, rename the node to per-client-thread. It's also not necessary to test if any one peer is configured and probing if the option is set. There is a base test which requires at least one peer to be configured.