path: root/python/vyos
Age | Commit message | Author
2024-02-13 | dhcpv6-server: T5993: Add subnet `interface` node, link subnet to locally connected interfaces | sarthurdev
Prior dhcpd behaviour implicitly handled requests for locally connected subnets. Kea requires an explicit link between subnets and an interface.
2024-02-11 | pki: T6034: add OpenSSH key support | Christian Breunig
set pki openssh rpki private key ...
set pki openssh rpki public key ...
set pki openssh rpki public type 'ssh-rsa'
2024-02-09 | T6028: Fix QoS policy shaper wrong class_id_max and default_minor_id | Viacheslav Hletenko
The `class_id_max` is wrong due to `tmp.sort` of Strings
If we have class 5 and class 10 we get sorted max value 5, expected 10
```
>>> tmp = ['5', '10']
>>> tmp.sort()
>>> tmp
['10', '5']
>>>
>>> hex(5+1)
'0x6'
>>>
>>> hex(10+1)
'0xb'
>>>
```
This way we get wrong default maximum class value:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default 6
```
Expect:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default b
```
Fix this converting Strings to Integers and get max value.
2024-02-08 | Merge pull request #2950 from aapostoliuk/T5960-circinus | Daniil Baturin
T5960: Rewritten authentication node in PPTP to a single view
2024-02-08 | Merge pull request #2507 from erkin/image-tools | Daniil Baturin
op-mode: T4038: Python rewrite of image tools
2024-02-07 | Merge pull request #2959 from c-po/init-T2044-rpki-part-2 | Christian Breunig
init: T2044: only start rpki if cache is configured
2024-02-07 | init: T2044: only start rpki if cache is configured | Christian Breunig
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during system boot") to check the bootup configuration if an RPKI cache is defined. Only start RPKI if this is the case.
2024-02-07 | T5960: Rewritten authentication node in PPTP to a single view | aapostoliuk
Rewritten authentication node in accel-ppp services to a single view. In particular - PPTP authentication.
2024-02-07 | T6021: Fix QoS shaper r2q calculation | Viacheslav Hletenko
The current calculation `r2q` is wrong as it uses `Floor division` but expecting `division`
This way `math.ceil` calculate wrong value as we expect round a number upward to its nearest integer
For example for speed 710 mbits expected value `444` but we get `443`
```
from math import ceil

MAXQUANTUM = 200000
speed = 710000000
speed_bps = int(speed) // 8

>>> speed_bps // MAXQUANTUM
443
>>> speed_bps / MAXQUANTUM
443.75
>>>
>>>
>>> ceil(speed_bps // MAXQUANTUM)
443
>>> ceil(speed_bps / MAXQUANTUM)
444
>>>
```
2024-02-05 | image-tools: T6016: wait for umount in cleanup function | John Estabrook
2024-02-02 | configdict: T5894: preserve old behavior when dealing with PKI | Christian Breunig
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki") added the generic PKI flag but if there was no PKI subsystem available in the configuration, no pki dict key ever manifested in the resulting dictionary requested by the caller. This is different to the old behavior (which each caller implementing the call itself) where there always was a pki key present - even if it was empty.
This triggered a bug in the IPSec script
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module>
    verify(ipsec)
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify
    verify_pki_rsa(ipsec['pki'], rsa)
                   ~~~~~^^^^^^^
KeyError: 'pki'
As it wanted to verify keys, but there was no pki dictionary key available. This commit restores the previous behavior.
2024-02-02 | Merge pull request #2748 from MattKobayashi/t5848 | Christian Breunig
qos: T5848: Add triple-isolate option to CAKE policy config
2024-02-02 | Merge pull request #2889 from sarthurdev/kea-hooks | Christian Breunig
dhcpv6: T3771: Installation of routes for delegated prefixes, add excluded-prefix to PD
2024-02-02 | Merge pull request #2891 from aapostoliuk/T5971-circinus | Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services
2024-02-01 | Merge pull request #2756 from nicolas-fort/T4839 | Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-02-01 | Merge pull request #2860 from indrajitr/ddclient-update-20240119 | Christian Breunig
ddclient: T5966: Adjust dynamic dns config address subpath
2024-02-01 | Merge pull request #2883 from sever-sever/T5974 | Viacheslav Hletenko
T5974: Fix QoS shape bandwidth and ceil calculation for default
2024-01-29 | T5971: Rewritten ppp options in accel-ppp services | aapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP.
2024-01-27 | remote: T5994: fix typo in check_storage for Ftp class | John Estabrook
2024-01-25 | op-mode: T4038: Python rewrite of image tools | erkin
2024-01-25 | T4839: firewall: Add dynamic address group in firewall configuration, and appropriate commands to populate such groups using source and destination address of the packet. | Nicolas Fort
2024-01-24 | image-tools: T5983: fix regression in prune_vyos_versions | John Estabrook
2024-01-24 | dhcpv6: T3316: Add support for excluded-prefix in prefix delegation | sarthurdev
2024-01-23 | image-tools: T5980: add support for configurable kernel boot options | John Estabrook
2024-01-23 | T5974: Fix QoS shape bandwidth and ceil calculation for default | Viacheslav Hletenko
The default `bandwidth` and `ceiling` should calculate values based on <tag> bandwidth but currently it gets the value from qos.base `/sys/class/net/{self._interface}/speed`
```
set qos policy shaper SHAPER bandwidth '20mbit'
set qos policy shaper SHAPER default bandwidth '95%'
set qos policy shaper SHAPER default ceiling '100%'
```
It causes wrong calculations for class `default`
i.e 950Mbit for bandwidth (expected 95% of bandwidth, 19Mbit)
1Gbit for ceil (expected 100% of bandwidth, 20Mbit)
Gets incorrect values
```
r4# tc class show dev eth1
class htb 1:1 root rate 20Mbit ceil 20Mbit burst 1600b cburst 1600b
class htb 1:a parent 1:1 leaf 8053: prio 0 rate 200Kbit ceil 200Kbit burst 1Mb cburst 1600b
class htb 1:b parent 1:1 leaf 8054: prio 7 rate 950Mbit ceil 1Gbit burst 15200b cburst 1375b
```
Fix this
2024-01-23 | ethernet: T5978: hw-tc-offload does not actually get enabled on the NIC | Christian Breunig
Typo (misaligned -/_) in the code causes hw-tc-offload to never be enabled in the underlying hardware via ethtool.
2024-01-22 | T5957: fix removal of interface in firewall rules. | Nicolas Fort
2024-01-22 | T2719: Add 'update' in standard op-mode function list | Indrajit Raychaudhuri
2024-01-21 | Merge pull request #2852 from sever-sever/T5958 | Viacheslav Hletenko
T5958: QoS add basic implementation of policy shaper-hfsc
2024-01-20 | T5961: Fix QoS policy shaper class match vif | Viacheslav Hletenko
If we have QoS policy shaper class match `vif` (VLAN) we have to use `basic match "meta(vlan mask 0xfff eq xxx)` instead of `action policy`
Actual incorrect TC filter:
tc filter add dev eth1 parent 1: protocol all prio 1 action police rate 100000000 burst 15k flowid 1:64
The correct TC filter after fix:
tc filter add dev eth1 parent 1: protocol all prio 1 basic match "meta(vlan mask 0xfff eq 100)" flowid 1:64
2024-01-19 | T5964: add missing imports for is_wwan_connected() | Adam Smith
2024-01-19 | T5963: Fix QoS shaper rate calculations and set default 1Gbit | Viacheslav Hletenko
It is impossible to detect interface speed for some devices for example virtio interfaces:
```
vyos@r4:~$ cat /sys/class/net/eth1/speed
-1
```
It causes wrong negative calculations like:
- bandwidth: -1000000
- 4% of bandwidth: -40000
tc class replace dev eth1 parent 1: classid 1:1 htb rate -1000000
tc class replace dev eth1 parent 1:1 classid 1:a htb rate -40000
Fix this with checking negative value. Add default interface speed to 1000 Mbit if we cannot detect the interface speed, the current default value 10 Mbit is too low for nowadays
2024-01-18 | T5958: QoS add basic implementation of policy shaper-hfsc | Viacheslav Hletenko
QoS policy shaper-hfsc was not implemented after rewriting the traffic-policy to qos policy. We had CLI but it does not use the correct class. Add a basic implementation of policy shaper-hfsc. Write the class `TrafficShaperHFS`
2024-01-18 | ethernet: T4638: deleting parent interface does not delete underlying VIFs | Christian Breunig
2024-01-17 | Merge pull request #2832 from aapostoliuk/T5865-circinus | Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp
2024-01-16 | Merge pull request #2818 from jestabro/serial-console-config-mode | Daniil Baturin
image-tools: T5923: update system_console.py for new GRUB file structure
2024-01-16 | T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp | aapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services
2024-01-12 | image-tools: T5923: update system_console.py for new GRUB file structure | John Estabrook
Add util function to set serial console speed in accordance with revised GRUB file structure; in keeping with the intentions of the config_mode script, adjust the GRUB var 'console_speed' to only modify ttyS0.
2024-01-13 | dhcpv6: T3316: Move options to separate node and extend scopes | sarthurdev
* Also migrate `address-range` to `range` tag node for consistency with dhcpv4 server syntax
2024-01-11 | dns: T5791: use common pattern for exclude check of dynamic interfaces | Christian Breunig
This uses a more common pattern from a base class while the original code from 0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is still retained.
2024-01-11 | dhcp: dhcpv6: T3316: Add `subnet-id` so leases remain mapped to entries in the lease file (#2796) | Simon
2024-01-10 | Merge pull request #2785 from sarthurdev/kea-options | Christian Breunig
dhcp: T3316: T5787: T5912: Extend scope of DHCP options, bugfixes
2024-01-10 | dhcp: T3316: Workaround to append domain suffix to hostfile entries | sarthurdev
2024-01-10 | dhcp: T3316: Fix `listen-address` handling and add `listen-interface` as supported by Kea | sarthurdev
2024-01-10 | dhcp: T3316: Move options to separate node and extend scopes | sarthurdev
2024-01-09 | https: T5902: remove virtual-host configuration | Christian Breunig
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port (but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing".
Migrate all allow-client statements to one top-level allow statement.
2024-01-07 | smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty | Christian Breunig
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()") added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6). This leads to long runs of "make test" after an ISO build. There is no need to wait 10 seconds for a test that checks for a process not running. The timeout is there to give the process some time to startup.
2024-01-07 | Merge pull request #2760 from bluknight/current | Christian Breunig
image: T5898: fix kernel-level partition rescan
2024-01-07 | Merge pull request #2758 from c-po/certbot-T5886 | Christian Breunig
pki: T5886: add support for ACME protocol (LetsEncrypt)
2024-01-06 | T5195: add timeout argument to process_named_running() | Christian Breunig
Smoketests heavily rely on process_named_running() so in order to "relax" system constraints during a test we will add a timeout of 10 seconds for every testcase provided by base_interfaces_test.py