path: root/python
Age | Commit message | Author
2022-11-17 | firewall: T4821: add support for adding conf_mode script dependencies | John Estabrook
2022-11-16 | firewall: T4821: add utility to load script as module | John Estabrook
2022-11-10 | migration: T4808: print configtree operations during migration | John Estabrook
Print configtree operations to stdout during migration; the migrator will log the output.
2022-11-10 | migration: T4808: replace custom logging with standard Python logging | John Estabrook
2022-11-10 | T4789: Ability to get op-mode raw data for PPPoE L2TP SSTP IPoE | Viacheslav Hletenko
Ability to get 'raw' data sessions and statistics for accel-ppp protocols IPoE/PPPoE/L2TP/PPTP/SSTP server
2022-11-03 | Merge pull request #1633 from sarthurdev/fqdn | Christian Poessinger
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
2022-11-03 | nat: T1877: T970: Add firewall groups to NAT | sarthurdev
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination `fqdn` node | sarthurdev
2022-11-01 | op-mode: T4791: decamelize raw output of 'show_*' before normalization | John Estabrook
2022-10-28 | Merge pull request #1624 from dmbaturin/op-mode-bytes | Viacheslav Hletenko
T4779: output raw memory and storage values in bytes
2022-10-28 | Merge pull request #1619 from jestabro/component-version-string | John Estabrook
T4291: consolidate component version string read/write functions
2022-10-28 | T4765: handle non-string fields in the raw op mode output normalizer | Daniil Baturin
2022-10-28 | T4779: add vyos.util.human_to_bytes | Daniil Baturin
2022-10-28 | T4291: consolidate component version string read/write functions | John Estabrook
2022-10-25 | vyos.util: T4773: add camel_to_snake_case conversion | John Estabrook
2022-10-21 | T4765: support list and primitives in op mode output normalization | create with ansible
2022-10-20 | T4765: normalize fields only if 'raw' is true; output must be dict | John Estabrook
2022-10-20 | T4765: normalize dict fields in op mode outputs | Daniil Baturin
2022-10-14 | http-api: T4749: transition to config_dict | John Estabrook
2022-10-09 | firewall: T3907: Fix firewall state-policy logging | sarthurdev
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
2022-09-27 | Merge pull request #1560 from nicolas-fort/T4700 | Christian Poessinger
T4700: Firewall: add interface matching criteria
2022-09-26 | ethernet: T4689: support asymmetric RFS configuration on multiple interfaces | Christian Poessinger
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS (Receive Flow Steering)") always adjusted the global rps_sock_flow_entries configuration. So if RFS was enabled for one NIC but not the other - it did not work.
According to the documentation:
RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by default for SMP). The functionality remains disabled until explicitly configured. The number of entries in the global flow table is set through:
  /proc/sys/net/core/rps_sock_flow_entries
The number of entries in the per-queue flow table are set through:
  /sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt
Both of these need to be set before RFS is enabled for a receive queue. Values for both are rounded up to the nearest power of two. The suggested flow count depends on the expected number of active connections at any given time, which may be significantly less than the number of open connections. We have found that a value of 32768 for rps_sock_flow_entries works fairly well on a moderately loaded server.
This commit sets rps_sock_flow_entries via sysctl on bootup leaving the RFS configuration to the interface level.
2022-09-26 | T4700: Firewall: add interface matching criteria | Nicolas Fort
2022-09-25 | wireguard: ifconfig: T2653: move Config() import to be local to consumer | Christian Poessinger
2022-09-25 | wireguard: ifconfig: T2653: use NamedTemporaryFile() when dealing with private key | Christian Poessinger
This prevents having any leftover private-key files in /tmp directory.
2022-09-24 | ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queues | Christian Poessinger
The initial implementation in commit 9fb9e5cade ("ethernet: T3171: add CLI option to enable RPS (Receive Packet Steering)") only changed the CPU affinity for RX queue 0. This commit takes all RX queues into account.
2022-09-22 | Merge pull request #1521 from sever-sever/T3476 | Christian Poessinger
update-check: T3476: Allow update-check for VyOS images
2022-09-22 | Merge pull request #1552 from sarthurdev/nat_refactor | Christian Poessinger
nat: nat66: T4605: T4706: Refactor NAT/NAT66 and use new table name
2022-09-21 | nat: T4605: Refactor static NAT to use python module for parsing rules | sarthurdev
* Rename table to vyos_nat
* Add static NAT smoketest
2022-09-21 | nat66: T4605: Refactor NAT66 to use python module for parsing rules | sarthurdev
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
2022-09-21 | nat: T4605: Refactor NAT to use python module for parsing rules | sarthurdev
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
2022-09-21 | ipoe: T4678: T4703: rewrite to get_config_dict() | Christian Poessinger
In addition to the rewrite to make use of get_config_dict() the CLI is slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
2022-09-17 | Merge pull request #1546 from nicolas-fort/fwall-jump | Christian Poessinger
T4699: Firewall: Add jump action in firewall ruleset
2022-09-17 | wireguard: T4702: actively revoke peer if it gets disabled | Christian Poessinger
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep being alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly.
2022-09-17 | pppoe-server: T4703: combine vlan-id and vlan-range into single CLI node | Christian Poessinger
The initial Accel-PPP PPPoE implementation used:
  set service pppoe-server interface <name> vlan-id <id>
  set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
2022-09-16 | T4699: Firewall: Add jump action in firewall ruleset | Nicolas Fort
2022-09-15 | ethernet: rfs: T4689: remove redundant code | Christian Poessinger
2022-09-15 | Merge branch 'T4689' of https://github.com/jack9603301/vyos-1x into current | Christian Poessinger
* 'T4689' of https://github.com/jack9603301/vyos-1x:
  rfs: T4689: Support RFS(Receive Flow Steering)
2022-09-15 | rfs: T4689: Support RFS(Receive Flow Steering) | jack9603301
2022-09-14 | Merge pull request #1530 from sever-sever/T4679 | Christian Poessinger
openvpn: T4679: Fix incorrect verify local and remote address
2022-09-14 | openvpn: T4679: Fix incorrect verify local and remote address | Viacheslav Hletenko
In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists
For example:
  set interfaces openvpn vtun2 local-address 2001:db8::1
  set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
  commit
  DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-13 | firewall: T4605: Rename filter tables to vyos_filter | sarthurdev
2022-09-12 | Revert "rfs: T4689: Support RFS(Receive Flow Steering)" | Christian Poessinger
This reverts commit 53355271a2864d844daca89a064c21e514e10adb.
2022-09-12 | rfs: T4689: Support RFS(Receive Flow Steering) | jack9603301
2022-09-07 | update-check: T3476: Allow update-check for VyOS images | Viacheslav Hletenko
Ability to autocheck available new images
Parse remote URL JSON image-version.json file and compare version VyOS with a local current version, if find diff sent wall message that the new image is available
Also, add op-mode command to check images "show system image"
With option "auto-check" check will be once per 12 hours
  set system update-check auto-check
  set system update-check url 'http://example.com/image-version.json'
If new version is available shows it per login (MOTD)
2022-09-07 | T1024: Firewall and Policy route: add option to match dscp value, both on firewall and in policy route | Nicolas Fort
2022-09-03 | Merge branch 'firewall' into current | Christian Poessinger
* firewall:
  firewall: T4651: re-implement packet-length CLI option to use <multi/>
  firewall: T3568: improve default-action help string
  firewall: T3568: add XML include block for eq,gt,lt options
  smoketest: firewall: add re-usable variables when running testcases
  Firewall: T4651: Change proposed cli from ip-length to packet-length
  Firewall: T4651: Add options to match packet size on firewall rules.
2022-09-03 | firewall: T4651: re-implement packet-length CLI option to use <multi/> | Christian Poessinger
2022-09-02 | bonding: T4668: fix live bonding member add or remove | initramfs
Fixes several bugs around bonding member interface states not matching the committed configuration, including:
- Disabled removed interfaces coming back up
- Newly added disabled interfaces not staying down
- Newly added interfaces not showing up in the bond
2022-09-02 | Merge branch 'T4651' of https://github.com/nicolas-fort/vyos-1x into firewall | Christian Poessinger
* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
  Firewall: T4651: Change proposed cli from ip-length to packet-length
  Firewall: T4651: Add options to match packet size on firewall rules.