path: root/python
Age | Commit message | Author
2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko
    Domain group allows to filter addresses by domain main
    Resolved addresses as elements are stored to named "nft set" that used in the nftables rules
    Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec

        set firewall group domain-group DOMAINS address 'example.com'
        set firewall group domain-group DOMAINS address 'example.org'
        set firewall name FOO rule 10 action 'drop'
        set firewall name FOO rule 10 source group domain-group 'DOMAINS'
        set interfaces ethernet eth0 firewall local name 'FOO'

        nft list table ip filter
        table ip filter {
            set DOMAINS {
                type ipv4_addr
                flags interval
                elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 }
            }
            chain NAME_FOO {
                ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
                counter packets 0 bytes 0 return comment "FOO default-action accept"
            }
        }
2022-05-09 | Merge pull request #1279 from nicolas-fort/T990 | Christian Poessinger
    Firewall: T990: Add snat and dnat connection status on firewall
2022-04-25 | vyos.configdict: T4391: enable get_interface_dict() to be used with ConfigTreeQuery() | Christian Poessinger
    When VyOS is booting and an interface is brought up (PPPoE) which requires a user callback script that is executed asynchronously when the interface is up we can not use Config(). The problem is, Config() is not available when the system starts and the initial commit is still processed. We need to move to ConfigTreeQuery() which was built for this exact same purpose.

    To reduce side effects and also dependencies on the entire vyos.configdict library the set_level()/get_level() calls got eliminated from within the library. All calls to functions like:

    * get_removed_vlans()
    * is_node_changed()
    * leaf_node_changed()
    * is_mirror_intf()
    * ...

    Now require that the full config path to the node is passed.
2022-04-24 | Merge pull request #1295 from dmbaturin/T4361 | John Estabrook
    T4361: refactor and simplify vyos.config.exists()
2022-04-23 | Firewall: T990: Modifications for new connection-status cli | Nicolas Fort
2022-04-23 | verify: T4386: Fix traffic-policy key in verify_mirror | Viacheslav Hletenko
    Fix logic for verify traffic-policy in def verify_mirror_redirect.
    It checks just "traffic_policy.in" and should also check if 'mirror' or 'redirect' exists in config.
2022-04-21 | pppoe: T4384: replace default-route CLI option with common CLI nodes already present for DHCP | Christian Poessinger
    VyOS 1.4 still leverages PPPd internals on the CLI. pppd supports three options for a default route, none, auto, force.

    * none: No default route is installed on interface up
    * auto: Default route is only installed if there is yet no default route
    * force: overwrite any default route

    There are several drawbacks in this design for VyOS and the users. If auto is specified, this only counted for static default routes - but what about dynamic ones? Same for force, only a static default route got replaced but dynamic ones did not get taken into account.

    The CLI is changed and we now re-use already existing nodes from the DHCP interface configuration:

    * no-default-route: On link up no default route is installed, same as the previous default-route none
    * default-route-distance: We can now specify the distance of this route for the routing table on the system. This defaults to 210 as we have for DHCP interfaces.

    All this will be migrated using a CLI migration script.
2022-04-21 | vyos.ifconfig: T4384: get_interface_dict() should provide "ifname" key for VIFs | Christian Poessinger
2022-04-21 | T4361: refactor and simplify vyos.config.exists() | Daniil Baturin
2022-04-20 | Revert "vyos.configdict(): T4369: leaf_node_changed() must return True when node is added" | Christian Poessinger
    This reverts commit c685c0f762ea054c7a220bde625fdab549bbbdd2.
2022-04-20 | Revert "vyos.configdict(): T4369: bugfix - execution order in leaf_node_changed()" | Christian Poessinger
    This reverts commit 1a1094c28e32c3d6d072cf14a38aa631d51b8aee.
2022-04-20 | vyos.configdict: T4369: add is_node_changed() helper | Christian Poessinger
2022-04-19 | pppoe: static: T4379: bugfix default-route lost after applying additional static routes | Christian Poessinger
    Issue is identical to the problem in T3680 (05aa22dcb4ce) which was for DHCP based routes. Once a static route is added to the system, the PPPoE auto-installed default route is lost.
2022-04-18 | vxlan: geneve: T4370: support configuration of DF bit option | Christian Poessinger
        set interfaces vxlan vxlan0 parameters ip df <set|unset|inherit>
        set interfaces geneve gnv0 parameters ip df <set|unset|inherit>
2022-04-18 | vyos.configdict(): T4369: bugfix - execution order in leaf_node_changed() | Christian Poessinger
    Commit c685c0f7 ("vyos.configdict(): T4369: leaf_node_changed() must return True when node is added") added a code path when a node was newly added to the CLI. Unfortunately it turned out that this introduced a regression:

        File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 230, in update
          super().update(config)
        File "/usr/lib/python3/dist-packages/vyos/ifconfig/interface.py", line 1428, in update
          for addr in list_diff(config['address_old'], new_addr):
        File "/usr/lib/python3/dist-packages/vyos/configdict.py", line 105, in list_diff
          return [item for item in first if item not in second]
        TypeError: 'bool' object is not iterable

    The execution order of the if statements is essential and the new check was moved to the bottom to not interfere with the existing logic.
2022-04-18 | vyos.configdict(): T4369: leaf_node_changed() must return True when node is added | Christian Poessinger
2022-04-16 | vyos.base: use Warning() helper where applicable | Christian Poessinger
2022-04-16 | salt-minion: T4364: issue warning - do not use sha1 hashing algorithm | Christian Poessinger
2022-04-16 | dhcp(v6)-client: T4353: fix Jinja2 linting errors | Christian Poessinger
2022-04-14 | config: T4361: correct exists()/exists_effective() on value(s) | John Estabrook
    The check for existence of value(s) in config.exists relied solely on return_value, causing the return of a false negative on multi-valued nodes; this is corrected. Also, config.exists_effective did no check for existence of values; this is added.
2022-04-11 | vyos.ethtool: T4327: add Hyper-V NIC driver to speed/duplex ignore list | Christian Poessinger
2022-04-11 | Firewall: T990: Add snat and dst connection status on firewall | Nicolas Fort
2022-04-11 | T4327: ignore PermissionError caused by ethtool speed/duplex/autoneg setting | Daniil Baturin
    Certain NICs seem to fail to report that they don't support speed/duplex setting, so they look as if it's supported, but the command fails in practice. It's probably better to preserve a working config in that case.
2022-04-08 | Firewall: T990: Add snat and dnat connection status on firewall | Nicolas Fort
2022-04-07 | ipv6: T4346: delete (migrate) CLI command to disable IPv6 address family | Christian Poessinger
2022-04-07 | vyos.base: T4346: add common DeprecationWarning() class | Christian Poessinger
2022-04-07 | qos: T4284: verify mirror/redirect target interface exists | Christian Poessinger
2022-04-07 | qos: T4284: support mirror and redirect on vlan subinterfaces | Christian Poessinger
2022-04-07 | qos: T4284: support mirror and redirect on all interface types | Christian Poessinger
2022-04-06 | firewall: T4345: Fix incorrect rule limit rate syntax | sarthurdev
2022-04-05 | interfaces: T4331: Fix assign link-local static IPv6 addr to vrf | Viacheslav Hletenko
    If we have link-local static address and vrf, for example:

        set interfaces ethernet eth2 address 'fe80::5200:ff:fe55:222/64'
        set interfaces ethernet eth2 vrf 'foo'

    This IPv6 address was assigned before vrf, as result after attaching the interface to vrf we lose this static linklocal address

        DEBUG/IFCONFIG cmd 'ip addr add fe80::5200:ff:fe55:222/64 dev eth2'
        DEBUG/IFCONFIG cmd 'ip link set dev eth2 master foo'
        DEBUG/IFCONFIG cmd 'ip addr add fe80::5208:ff:fe13:2/64 dev eth2'

    This commit fixes this, the address is assigned after vrf assign
2022-04-01 | wwan: T4324: is_wwan_connected() must verify if ModemManager is running | Christian Poessinger
2022-04-01 | vyos.template: T4333: add Jinja2 plugin to test if a variable is defined and not none | Christian Poessinger
    We have a lot of boiler plate template code like

        {% if config.interface is defined and config.interface.remote_as is defined and config.interface.remote_as is not none %}
        ...
        {% endif %}

    This can be stripped down using a custom test to:

        {% if config.interface.remote_as is vyos_defined %}
        ...
        {% endif %}

    In addition the new vyos_defined test supports comparison

        {% if foo.bar.baz is vyos_defined('zoo') %}
        ...
        {% endif %}

    So the above will only evaluate to true if the variable foo.bar.baz is defined and its content is zoo

    This is inspired from https://github.com/aristanetworks/ansible-avd/ which makes heavy use of it.

    All new templates should be written in this new style.
2022-03-31 | vyos.ifconfig: T4330: MTU must be configured prior to any IPv6 option change | Christian Poessinger
    This extends the fix from 53e20097 ("vyos.ifconfig: T4330: bugfix changing MTU when IPv6 is disabled") by ordering the execution in a way the Kernel does not complain.
2022-03-31 | vyos.ifconfig: T4330: bugfix changing MTU when IPv6 is disabled | Christian Poessinger
    Commit f8b3d8999c ("ipv6: T4319: do not configure IPv6 related settings if it's disabled") moved the MTU configuration part under the code path which is only run if IPv6 is enabled on the system. This prevented MTU changes on IPv6 disabled systems.
2022-03-30 | vyos.ifconfig: T4319: add_addr() should not add IPv6 address if it's disabled | Christian Poessinger
2022-03-30 | vyos.util: T4319: add is_ipv6_enabled() helper function | Christian Poessinger
2022-03-30 | vyos.ifconfig: make add_addr() method more reader friendly | Christian Poessinger
2022-03-30 | T4319: do not try to add ::1/128 to lo if IPv6 is disabled | Daniil Baturin
2022-03-27 | graphql: T3993: add unsettable gql option; this is not exposed by CLI | John Estabrook
2022-03-26 | vyos.validate: T4321: make is_addr_assigned() VRF aware | Christian Poessinger
    Commit 1bfe09f9 ("vyos.validate: T4321: make is_intf_addr_assigned() VRF aware") added VRF support for an interface bound function. As an interface can only be bound to one VRF check makes less sense.

    This commit moves the VRF awareness from is_intf_addr_assigned() to is_addr_assigned() so we check the VRF assignment even prior of calling is_intf_addr_assigned() and fail fast.
2022-03-26 | vyos.validate: T4321: make is_intf_addr_assigned() VRF aware | Christian Poessinger
2022-03-25 | vyos.util: T4319: rename sysctl() -> sysctl_write() | Christian Poessinger
2022-03-25 | ipv6: T4319: do not configure IPv6 related settings if it's disabled | Christian Poessinger
2022-03-25 | vyos.util: T4319: provide generic sysctl_read() helper | Christian Poessinger
2022-03-21 | qos: T4284: initial XML interface definitions for rewrite | Christian Poessinger
2022-03-11 | [Ethtool] T4297: Update drivers supporting speed/flow/duplex | Daniel Berlin
    The iavf, ice, and i40e drivers do not support speed, flow, or duplex control using ethtool. As a result, interface configuration changes fail to commit when using those drivers. This patch fixes that by correctly marking those drivers as not supporting those controls.
2022-03-10 | Revert "component_version: T4291: consolidate read/write functions" | John Estabrook
    This reverts commit 534f677d36285863decb2cdff179687b4fd690cb.
    Revert while investigating failure in vyos-configtest.
2022-03-10 | Revert "save-config: T4292: rewrite vyatta-save-config.pl to Python" | John Estabrook
    This reverts commit c4d389488970c8510200cac96a67182e9333b891.
    Revert while investigating failure in vyos-configtest.
2022-03-08 | save-config: T4292: rewrite vyatta-save-config.pl to Python | John Estabrook