summaryrefslogtreecommitdiff
path: root/smoketest
AgeCommit message (Collapse)Author
2023-12-21Merge pull request #2673 from vyos/mergify/bp/sagitta/pr-2665Christian Breunig
T2898: add ndp-proxy service (backport #2665)
2023-12-21T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } } (cherry picked from commit 4d721a58020971d00ab854c37b68e88359999f9c)
2023-12-21srv6: T591: enable SR enabled packet processing on defined interfacesChristian Breunig
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables: seg6_enabled - BOOL Accept or drop SR-enabled IPv6 packets on this interface. Relevant packets are those with SRH present and DA = local. 0 - disabled (default) not 0 - enabled Or the VyOS CLI command: * set protocols segment-routing interface eth0 srv6 (cherry picked from commit 774cc97eda61eb0b91df820797fb3c705d0073d5)
2023-12-21vrf: T591: define sysctl setting for net.vrf.strict_modeChristian Breunig
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device. A VRF table can be used by the VyOS CLI only once (ensured by verify()), this simply adds an additional Kernel safety net, but a requirement for IPv6 segment routing headers. (cherry picked from commit 10701108fecb36f7be7eb7ef5f1e54e63da5fb4e)
2023-12-19smoketest: bgp: T4163: use explicit kill to respawn bgpd processChristian Breunig
(cherry picked from commit b873112dd7253b64d323e183758dbabaa0f28b6e)
2023-12-19smoketest: bgp: T4163: add explicit timeout when starting BMPChristian Breunig
(cherry picked from commit 259a3d637081fad9f86a8edb39814d8f0fbf7b95)
2023-12-18T4163: Add BGP Monitoring Protocol BMP featureViacheslav Hletenko
Add BMP feature. BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring data from BGP routers to network management entities https://docs.frrouting.org/en/latest/bmp.html Example: set system frr bmp commit run restart bgp set protocols bgp system-as '65001' set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast set protocols bgp neighbor 192.0.2.11 remote-as '65001' set protocols bgp bmp mirror-buffer-limit '256000000' set protocols bgp bmp target foo address '127.0.0.1' set protocols bgp bmp target foo port '5000' set protocols bgp bmp target foo min-retry '1000' set protocols bgp bmp target foo max-retry '2000' set protocols bgp bmp target foo mirror set protocols bgp bmp target foo monitor ipv4-unicast post-policy set protocols bgp bmp target foo monitor ipv4-unicast pre-policy set protocols bgp bmp target foo monitor ipv6-unicast post-policy set protocols bgp bmp target foo monitor ipv6-unicast pre-policy (cherry picked from commit 5523fccf4f7d05444c36c568128e94cd7b08c34f)
2023-12-16ocserv: T5796: add smoketest for new "http-security-headers" featureChristian Breunig
(cherry picked from commit 1c82e661e04e0979e09e487a58a801ffa9f438e8)
2023-12-15T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-12-15firewall: T4502: add offload to firewall table actionsBjarke Istrup Pedersen
2023-12-15frr: T4020: add option to define number of open file descriptorsChristian Breunig
This allows the operator to control the number of open file descriptors each daemon is allowed to start with. The current assumed value on most operating systems is 1024. If the operator plans to run bgp with several thousands of peers then this is where we would modify FRR to allow this to happen. set system frr descriptors <n> (cherry picked from commit 892c28ccf634173d4c4952c248cb03974c560793)
2023-12-13srv6: T591: initial implementation to support locator definitionChristian Breunig
VyOS CLI set protocols segment-routing srv6 locator bar prefix '2001:b::/64' set protocols segment-routing srv6 locator foo behavior-usid set protocols segment-routing srv6 locator foo prefix '2001:a::/64' Will generate in FRR segment-routing srv6 locators locator bar prefix 2001:b::/64 block-len 40 node-len 24 func-bits 16 exit ! locator foo prefix 2001:a::/64 block-len 40 node-len 24 func-bits 16 behavior usid exit ! exit ! exit ! exit (cherry picked from commit ca301cdd4746187f96ff84e411fda6a84e33f237)
2023-12-13bgp: T591: add SRv6 support from FRRChristian Breunig
set protocols bgp sid vpn per-vrf export '99' set protocols bgp srv6 locator 'foo' set protocols bgp system-as '100' Will generate in FRR config router bgp 100 no bgp ebgp-requires-policy no bgp default ipv4-unicast no bgp network import-check ! segment-routing srv6 locator foo exit sid vpn per-vrf export 99 exit (cherry picked from commit af46fe54e56cf85d13b62ee771bec3d80f225ac5)
2023-12-10T5773: API add smoketest for load config via HTTP URLViacheslav Hletenko
Use a custom NGINX config to load config via URL (cherry picked from commit db0df8e75b85d39ab61bf900f211d589f6cb8506)
2023-12-08ddclient: T5791: use a fixed VRF table ID in smoketestsChristian Breunig
Fixes DEBUG - ====================================================================== DEBUG - ERROR: test_07_dyndns_vrf (__main__.TestServiceDDNS.test_07_dyndns_vrf) DEBUG - ---------------------------------------------------------------------- DEBUG - Traceback (most recent call last): DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_dns_dynamic.py", line 302, in test_07_dyndns_vrf DEBUG - self.cli_set(['vrf', 'name', vrf_name, 'table', vrf_table]) DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 68, in cli_set DEBUG - self._session.set(config) DEBUG - File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 154, in set DEBUG - self.__run_command([SET] + path + value) DEBUG - File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 143, in __run_command DEBUG - raise ConfigSessionError(output) DEBUG - vyos.configsession.ConfigSessionError: Number is not in any of allowed ranges (cherry picked from commit 7b4be76afae1af580bbe46f17e88d4a6c1088f15)
2023-12-08Merge pull request #2581 from vyos/mergify/bp/sagitta/pr-2578Viacheslav Hletenko
T160: add NAT64 (backport #2578)
2023-12-07Merge pull request #2577 from indrajitr/sagitta-ddclient-backports-T5791Christian Breunig
ddclient: T5791: Update dynamic dns configuration path (sagitta backport)
2023-12-07smoketest: add a dialout router config with IPv6-PD and WireGuard from 1.3.4Christian Breunig
2023-12-07T160: Rebase and fixes for NAT64Viacheslav Hletenko
- Update the base (rebase) - Move include/nat64-protocol.xml.i => include/nat64/protocol.xml.i - Delete unwanted `write_json`, use `write_file` instead - Remove unnecessary deleting of default values for tagNodes T2665 - Add smoketest Example: ``` set interfaces ethernet eth0 address '192.168.122.14/24' set interfaces ethernet eth0 address '192.168.122.10/24' set interfaces ethernet eth2 address '2001:db8::1/64' set nat64 source rule 100 source prefix '64:ff9b::/96' set nat64 source rule 100 translation pool 10 address '192.168.122.10' set nat64 source rule 100 translation pool 10 port '1-65535' ``` (cherry picked from commit 336bb5a071b59264679be4f4f9bedbdecdbe2834)
2023-12-05ddclient: T5791: Update smoketest for dynamic dns config path changeIndrajit Raychaudhuri
2023-12-01http-api: T5782: use single config-mode script for https and http-apiJohn Estabrook
2023-12-01policy: T4704: Allowed to set metric (MED) to (+/-)rttaapostoliuk
Allowed to set metric (MED) to (+/-)rtt in the route-map. (cherry picked from commit 5d98e806ef4edb4439620eff60215aaf30b5a592)
2023-11-30ddclient: T5708: Fix VRF table generation in smoketestIndrajit Raychaudhuri
Ensure that the random VRF table name is 4 digits long, not 5 and stays within the the range of 100 - 65535.
2023-11-30ddclient: T5708: Additional smoketests for web-optionsIndrajit Raychaudhuri
Add additional smoketests for web-options validation. Also, format error messages to optionally include protocol name.
2023-11-30ddclient: T5708: Migration to 3.11.1 and related improvementsIndrajit Raychaudhuri
- Migrate to ddclient 3.11.1 and enforce debian/control dependency - Add dual stack support for additional protocols - Restrict usage of `porkbun` protocol, VyOS configuration structure isn't compatible with porkbun yet - Improve and cleanup error messages
2023-11-30ddclient: T5708: Ensure password is always wrapped in quotesIndrajit Raychaudhuri
Migration to 3.11.1 follow-up: This should make `ddclient.conf` parsing more resilient to edge cases (particularly when `password` isn't the last option right before the host parameter). ddclient config parser applies special treatment to the password field and would unwrap the quotes automatically. Also, switch from now deprecated `use=no` to `use=disabled`.
2023-11-30ddclient: T5708: Migrate `timeout` to `interval`Indrajit Raychaudhuri
Time interval in seconds to wait between DNS updates would be a bit more intuitive as `interval` than `timeout`.
2023-11-30ddclient: T5574: Support per-service cache management for servicesIndrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient to a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider- specific options in that they are only used if defined.
2023-11-30ddclient: T5612: Additional refactoring for scripts and smoketestsIndrajit Raychaudhuri
Additional cleanup and refactoring for ddclient scripts including the smotektests.
2023-11-30ddclient: T5612: Relax hostname validation for apex and wildcard entryIndrajit Raychaudhuri
Some porvides (like 'namecheap') allow to use '@' or '*' as hostname prefix for apex and wildcard records. This commit relaxes the hostname validation to allow these prefixes.
2023-11-30ddclient: T5612: Enable TTL support for web-service based protocolsIndrajit Raychaudhuri
Enable TTL support for web-service based protocols in addition to RFC2136 based (nsupdate) protocol. Since TTL is not supported by all protocols, and thus cannot have a configuration default, the existing XML snippet `include/dns/time-to-live.xml.i` does not have common `<defaultValue>300</defaultValue>` anymore and is instead added explicitly whenever necessary.
2023-11-30ddclient: T5612: Fix VRF support for ddclient serviceIndrajit Raychaudhuri
Fix VRF support interface definition and configuration mode for ddclient to actually capture the VRF name and pass it to the template.
2023-11-30ddclient: T5573: Fix smoketest for updated ddclient configIndrajit Raychaudhuri
2023-11-30Merge pull request #2526 from vyos/mergify/bp/sagitta/pr-2503Daniil Baturin
vxlan: T5759: change default MTU from 1450 -> 1500 bytes (backport #2503)
2023-11-27smoketest: T5783: check for any abnormal daemon terminationChristian Breunig
We need to ensure when stressing FRR with the smoketests that no unexpected crash happens. We simply verify the PID of the individual FRR daemons. (cherry picked from commit 080e117884196136cd63e5d312ff43fba15f7182)
2023-11-23https api: T5772: check if keys are configuredDaniil Baturin
unless PAM auth is enabled for GraphQL (cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
2023-11-22pppoe: T5630: make MRU default to MTU if unspecifiedChristian Breunig
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU in addition to already configurable MTU") and restores the bahavior that MRU defaults to MTU if MRU is not explicitly set. This was the behavior in VyOS 1.3.3 and below before we added ability to define the MRU value. (cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
2023-11-22vxlan: T5759: change default MTU from 1450 -> 1500 bytesChristian Breunig
Found an odd behavior on Linux and the VyOS CLI implementation. If adding VXLAN interfaces using iproute2 the MTU differs depending on the creation syntax: ip -4 link add vxlan100 type vxlan dstport 4789 external df unset tos inherit \ ttl 16 nolearning vnifilter local 172.16.33.201 ip -4 link add vxlan200 type vxlan id 200 dstport 4789 local 172.16.33.201 dev eth0 ip -6 link add vxlan300 type vxlan id 300 dstport 4789 local 2001:db8:1::1 dev eth0 132: vxlan300: <BROADCAST,MULTICAST> mtu 1430 qdisc noop state DOWN group default qlen 1000 link/ether 4e:fb:e3:f5:d9:59 brd ff:ff:ff:ff:ff:ff 133: vxlan200: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000 link/ether 0e:4e:f4:76:59:3f brd ff:ff:ff:ff:ff:ff 134: vxlan100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether ba:b6:b7:0c:b1:37 brd ff:ff:ff:ff:ff:ff VyOS always sets a default MTU of 1450 bytes which is correct for IPv4 p2p links or multicast, but invalid for IPv6 p2p. Also this will break EVPN deployments as ethernet bridges with MTU < 1500 bytes are less fun. Increase default MTU to 1500 bytes. Migrate old configurations to use 1450 bytes if not specified otherwise on the CLI. (cherry picked from commit 4a163b016333e58fee9d6ec6b53a09e0160b3213)
2023-11-22vxlan: T5753: add support for VNI filteringChristian Breunig
In a service provider network a service provider typically supports multiple bridge domains with overlapping vlans. One bridge domain per customer. Vlans in each bridge domain are mapped to globally unique VXLAN VNI ranges assigned to each customer. Without the ability of VNI filtering, we can not provide VXLAN tunnels with multiple tenants all requiring e.g. VLAN 10. To Test: set interfaces vxlan vxlan987 parameters external set interfaces vxlan vxlan987 source-interface eth0 set interfaces vxlan vxlan987 parameters vni-filter set interfaces vxlan vxlan987 vlan-to-vni 50 vni 10050 set interfaces vxlan vxlan987 vlan-to-vni 51 vni 10051 set interfaces vxlan vxlan987 vlan-to-vni 52 vni 10052 set interfaces vxlan vxlan987 vlan-to-vni 53 vni 10053 set interfaces vxlan vxlan987 vlan-to-vni 54 vni 10054 set interfaces vxlan vxlan987 vlan-to-vni 60 vni 10060 set interfaces vxlan vxlan987 vlan-to-vni 69 vni 10069 set interfaces bridge br0 member interface vxlan987 Add new op-mode command: show bridge vni Interface VNI ----------- ----------- vxlan987 10050-10054 vxlan987 10060 vxlan987 10069 (cherry picked from commit 35f6033d21053fa420e837f157cd9377a4ccd26a)
2023-11-22http: T5762: rename "virtual-host listen-port" -> "virtual-host port"Christian Breunig
This complements commit f5e43b136 ("http: T5762: api: make API socket backend communication the one and only default") so we have a consistent port CLI node across VyOS components. (cherry picked from commit 0e885f1bf01424130b6876e769cc42612b19351b)
2023-11-22Merge pull request #2520 from vyos/mergify/bp/sagitta/pr-2518Daniil Baturin
T5770 Enable MACsec encryption stanza (backport #2518)
2023-11-22Merge pull request #2517 from nicolas-fort/T5419-FT-SagittaDaniil Baturin
T5419: firewall: backport firewall flowtable to Sagitta.
2023-11-22Merge pull request #2510 from vyos/mergify/bp/sagitta/pr-2506Daniil Baturin
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
2023-11-21smoketest: macsec: T5770: fix NameError: name 'cipher' is not definedChristian Breunig
(cherry picked from commit 02a3e26e88f0ac3c7368e288769bfed38b41df46)
2023-11-21macsec: T5770: enable iproute2 "encrypt on" stanzaGiga Murphy
(cherry picked from commit a7a90e81ad03ec33acb32beeab71dbd5f27a2044)
2023-11-21T5419: firewall: backport firewall flowtable to Sagitta.Nicolas Fort
2023-11-20http: T5762: api: make API socket backend communication the one and only defaultChristian Breunig
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn backend server. https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging those failing, it was uncovered, that uvicorn only listens on IPv4 connections vyos@vyos# netstat -tulnp | grep 8080 (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN - As the CLI already has an option to move the API communication from an IP to a UNIX domain socket, the best idea is to make this the default way of communication, as we never directly talk to the API server but rather use the NGINX reverse proxy. (cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
2023-11-20dhcp-client: T5760: add CLI option to pass user-class parameterChristian Breunig
Example: set interfaces ethernet eth0 dhcp-options user-class VyOS or set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53 (cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)
2023-11-20dhcp-client: T5760: add constraints for dhclient string optionsChristian Breunig
The string data type specifies either an NVT ASCII string enclosed in double quotes, or a series of octets specified in hexadecimal, separated by colons. For example: set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO or set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f As of now there was no input validation performed. (cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)
2023-11-19Merge pull request #2498 from nicolas-fort/T4072-sagittaChristian Breunig
T4072: firewall: backport bridge firewall to sagitta