summaryrefslogtreecommitdiff
path: root/smoketest/scripts
AgeCommit message (Collapse)Author
2024-09-18T973: add basic node_exporter implementationrebortg
2024-09-11T6294: Service dns forwarding add the ability to configure ZonetoCachekhramshinr
2024-09-11Merge pull request #4023 from nvollmar/T6679Christian Breunig
T6679: add group option for nat66
2024-09-11Merge pull request #4028 from alainlamar/T6693Christian Breunig
T6693: wireless: Enable WiFi-6 (802.11ax) for 2.4GHz AccessPoints
2024-09-10T6698: firewall: add matcher for vlan type. (#4027)Nicolás Fort
2024-09-07T6693: wireless: Enable WiFi-6 (802.11ax) for 2.4GHz AccessPointsAlain Lamar
2024-09-06container: T6702: re-add missing UNIX API socketChristian Breunig
During podman upgrade and a build from the original source the UNIX socket definition for systemd got lost in translation. This commit re-adds the UNIX socket which is started on boot to interact with Podman. Example: curl --unix-socket /run/podman/podman.sock -H 'content-type: application/json' \ -sf http://localhost/containers/json
2024-09-02T6679: add destination groupsNicolas Vollmar
2024-09-02Merge pull request #4018 from nicolas-fort/T6647Daniil Baturin
T6647: firewall. Introduce patch for accepting invalid ARP and DHCP
2024-09-01smoketest: T6681: radvd: verify new "no-send-interval" CLI optionChristian Breunig
2024-08-28T6647: firewall. Introduce patch for accepting ARP and DHCP replies on ↵Nicolas Fort
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
2024-08-25T6671: add smoketest for dependency deferred to priorityJohn Estabrook
2024-08-21T6672: Fix system option ssh-client source-interfaceViacheslav Hletenko
Fix for system option ssh-client source-interface For the `verify_source_interface` the key `ifname` if required
2024-08-20Merge pull request #3975 from lucasec/t6183Christian Breunig
T6183: interfaces openvpn: suppport specifying IP protocol version
2024-08-16Merge pull request #3987 from natali-rs1985/T6649-currentDaniil Baturin
ipoe_server: T6649: Accel-ppp separate vlan-mon from listen interfaces
2024-08-15T6649: Accel-ppp separate vlan-mon from listen interfacesNataliia Solomko
2024-08-15Merge pull request #3982 from nicolas-fort/T6636Christian Breunig
T6636: firewall: fix firewall template in order print logs for default-action
2024-08-14T6636: firewall: fix firewall template in order to write logs for ↵Nicolas Fort
default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
2024-08-14T6646: conntrack: in ignore rules, if protocols=all, do not append it to the ↵Nicolas Fort
rule
2024-08-13T6183: interfaces openvpn: suppport specifying IP protocol versionLucas Christian
2024-08-09T6643: firewall: fix ip address range parsing on firewall rules.Nicolas Fort
2024-08-06smoketest: T6614: add op-mode test for Kernel version (#3946)Christian Breunig
2024-08-05sysctl: T3204: restore sysctl setttings overwritten by tunedChristian Breunig
2024-08-05smoketest: T6555: openvpn: NameError: name 'elf' is not definedChristian Breunig
2024-08-05smoketest: T6555: openvpn: SyntaxError: '(' was never closedChristian Breunig
2024-08-05Merge branch 'current' into feature/T4694/gre-match-fieldsChristian Breunig
2024-08-05Merge pull request #3920 from fett0/T6555Christian Breunig
OPENVPN: T6555: add server-bridge options in mode server
2024-08-04firewall: T4694: Adding GRE flags & fields matches to firewall rulesAndrew Topp
* Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest
2024-08-04Merge pull request #3901 from nicolas-fort/T4072-extend-bridge-fwallChristian Breunig
T4072: firewall extend bridge firewall
2024-08-02T6619: Remove the remaining uses of per-protocol FRR configs (#3916)Roman Khramshin
2024-08-02OPENVPN: T6555: fix name to bridgefett0
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01T4072: firewall: extend firewall bridge smoketestNicolas Fort
2024-08-01Merge pull request #3221 from lucasec/t5873Christian Breunig
T5873: ipsec remote access VPN: support VTI interfaces.
2024-07-31OPENVPN: T6555: add server-bridge options in mode serverfett0
2024-07-30Merge pull request #3883 from c-po/vrf-conntrackChristian Breunig
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
2024-07-30pbr: T6430: Allow forwarding into VRFs by name as well as route table IDsAndrew Topp
* PBR can only target table IDs up to 200 and the previous PR to extend the range was rejected * PBR with this PR can now also target VRFs directly by name, working around targeting problems for VRF table IDs outside the overlapping 100-200 range * Validation ensures rules can't target both a table ID and a VRF name (internally they are handled the same) * Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone(). It does not replace that usage, as it deliberately does not handle non-VRF interface lookups (would fail with a KeyError). * Added route table ID lookup dict, global route table and VRF table defs to vyos.defaults. Table ID references have been updated in code touched by this PR. * Added a simple smoketest to validate 'set vrf' usage in PBR rules
2024-07-29Merge pull request #3804 from HollyGurza/T6362Daniil Baturin
T6362: Create conntrack logger daemon
2024-07-29Merge pull request #3823 from srividya0208/T6571Daniil Baturin
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
2024-07-28Merge pull request #3874 from c-po/unused-importChristian Breunig
smoketest: T6592: remove unused "import os"
2024-07-28Merge pull request #3888 from c-po/op-mode-smoketestChristian Breunig
smoketest: T6614: initial support for op-mode command testing
2024-07-28Merge pull request #3889 from c-po/syslog-smoketestChristian Breunig
smoketest: T5705: use locally connected remote syslog servers
2024-07-28firewall: T4694: Adding rt ipsec exists/missing match to firewall configs ↵talmakion
(#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-07-28smoketest: T5705: use locally connected remote syslog serversChristian Breunig
As there has been no route to the configured syslog servers, smoketests produced: rsyslogd: omfwd: socket 8: error 101 sending via udp: Network is unreachable Rather use some fake syslog servers from 127.0.0.0/8 which are directly connected and we do not need to look up a route, which will suppress the above error message.
2024-07-27smoketest: T6614: initial support for op-mode command testingChristian Breunig
2024-07-26T5873: vpn ipsec: re-write of ipsec updown hookLucas Christian
2024-07-26vrf: T6603: conntrack ct_iface_map must only contain one entry for ↵Christian Breunig
iifname/oifname When any of the following features NAT, NAT66 or Firewall is enabled, for every VRF on the CLI we install one rule into nftables for conntrack: chain vrf_zones_ct_in { type filter hook prerouting priority raw; policy accept; counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map } This is superfluous.
2024-07-25OpenVPN CLI-option: T6571: rename ncp-ciphers with data-cipherssrividya0208
2024-07-25smoketest: T6592: remove unused "import os"Christian Breunig
2024-07-25Merge pull request #3857 from c-po/vrf-interface-part-2Christian Breunig
interface: T6592: remove interface from conntrack ct_iface_map on deletion