Age | Commit message (Collapse) | Author |
|
By default VyOS used to restart all containers it managed. This makes no sense
as it will be service disrupting. Instead only restart the containers that had
changes on the CLI beeing made.
(cherry picked from commit 52e51ffbb84996aee9d5b94eebf64589ead31225)
|
|
(cherry picked from commit 05e00b986a563681b038b226c86c83a29d6da820)
|
|
Event-handler allows executing a custom script when detects
some configured "pattern regex"
set service event-handler event first filter pattern '.*ssh2.*'
set service event-handler event first script arguments '192.0.2.5'
set service event-handler event first script environment interface value 'eth0'
set service event-handler event first script path '/config/scripts/hello.sh'
It is the backport from 1.4
|
|
|
|
Ability setting container hostname
This host name is used as /etc/hostname
set container name <tag> host-name 'mybox'
(cherry picked from commit c68d73e6720a7df2b48df17ac7b9b4c906e0294c)
|
|
options for containers
(cherry picked from commit 53aebddb4ca54b0cc4a296d6cc4c4d960c5f1d73)
|
|
openconnect: T4955: Removed wrong authserver in radiusclient.conf
|
|
As we have the same variable name 'default_values' for container
name, port and volume, it rewrites default container parameters
with default port parameters
Fix it
(cherry picked from commit 679efe8ac7998ba1b8f3c7c4bfc7508d8869907d)
|
|
After merging config dictionary with default values,
radius port the default value was merged not in a proper way.
It is added as a server.
After creating radiusclient.conf added
and the illegal authserver equal 'port'.
Backported from 1.4
|
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
(cherry-picked form commit bd9416a6aa9d5d0a746dc2cebc8d0330fd27d1a2)
|
|
This reverts commit 7b36c363cd5b0168bd83c399f50a0a360ba3ee58.
A general solution is implemented in Commit ae9dde04 ("T4975: always sync()
filesystem after commit").
|
|
User profile files are not saved to disk after configuration is fully applied.
Because of this, after a fast system reset, profile files can be empty, and CLI
is broken.
This fix adds a `sync()` call after the user's configuration, which should
protect from data loss and fix the problem with profiles.
|
|
Whenever a container is used and a folder is mounted, this happenes as
read-write which is the default in Docker/Podman - so is the default in VyOS.
A new option is added "set container name foo volume mode <ro|rw>" to specify
explicitly if rw (default) or ro should be used for this mounted folder.
(cherry picked from commit 275ea7303cfdb79c042da1b710622aee17a488a8)
|
|
Changed restart to reload-or-restart in the commit.
It allows to reload the config
and not restart webproxy service during the commit.
Backported from 1.4
|
|
used
We need to ensure that source-address is assigned on source-interface before
applying the configuration, else SSH client will have a hard time talking to
someone.
(cherry picked from commit d1ef90e1eb51334b99ad716969e17c7f257e1a39)
|
|
(cherry picked from commit 87cc636bd2baf576a2a5ece7a4f8318eb4f69c2e)
|
|
Commit 846e306700a ("ssh: T2651: add cli options for source address") added
support for a basic SSH client option, but it grabbed the entire
/etc/ssh/ssh_config file without the ability to make custom user
adjustments via the /etc/ssh/ssh_config.d/ folder.
This commit places the VyOS SSH options under /etc/ssh/ssh_config.d/ leaving
the common override system alive.
(cherry picked from commit 7763de6c4b93d3372ab3f4572d9fa6b7536102b3)
|
|
|
|
T3810: Fixed all issues in T3810
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
5. Fixed generation dest local sections in squidGuard.conf
6. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
7. Backported all changes from 1.4 to 1.3 which were made in T3810
8. Fixed webproxy smoketest
|
|
backport: T4515: T4219: policy local-route6 and inbound-interface support
|
|
firewall: T4709: fix firewall MSS clamping issues
|
|
This commit fixes MSS clamping ranges as well as reintroduces the
clamp-mss-to-pmtu option value to clamp to PMTU instead.
|
|
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep beeing alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
(cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
|
|
T4630: disallow same source-interface for macsec and pseudo-ethernet
|
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations but "verify()" checks also local and
remote IPv4 addresses that in this case will be empty lists
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty
|
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Reuslts in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
(cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
|
|
Fixes several bugs around bonding member interface states not matching
the committed configuration, including:
- Disabled removed interfaces coming back up
- Newly added disabled interfaces not staying down
- Newly added interfaces not showing up in the bond
|
|
Refactor interfaces-bonding.py to simplify existing code and to remove
potentially bugprone sections in preparation for member add/remove
fixes for T4668.
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
(cherry picked from commit f92a23ef9ab8be59681e5b7ba627e399d89bce53)
|
|
To reproduce:
set vpn openconnect authentication mode local
commit
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 147, in <module>
verify(c)
File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 64, in verify
if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]:
KeyError: 'local_users'
|
|
(cherry picked from commit 993961f60ead2a18912eb577b1152463d4eb8b4e)
|
|
(cherry picked from commit 82d8494d349edd7707c3811a71ca0e9c0648204e)
|
|
|
|
bridge: bugfixes for equuleus
|
|
(cherry picked from commit a09359828e38c5b51a4579af16b5ea263a98233f)
|
|
Allows preferred lifetime for prefix advertisements to equal the
configured valid lifetime as per RFC 4861.
(cherry picked from commit f6efe3035d352970dc492450c3c9ddf710dda5fe)
|
|
(cherry picked from commit 54227591a0eb3c7aa8c896c6ec8b1826ce070ddf)
|
|
snmp: T2763: Add protocol TCP for service SNMP
|
|
equuleus: Bond and Bridge interface fixes + new smoketests
|
|
(cherry picked from commit 81e0f4a8dece85da7169ba05448e870206aaf57b)
|
|
It makes no sense to enslave an interface to a bond or a bridge device if it is
bound to a given VRF. If VRFs should be used - the encapuslating/master
interface should be part of the VRF.
Error out if the member interface is part of a VRF.
(cherry picked from commit 87d2dff241d9ab4de9f3a2c7fbf9852934557aef)
|
|
VRF names: "add, all, broadcast, default, delete, dev, get, inet,
mtu, link, type, vrf" are reserved and cannot be used for vrf name
(cherry picked from commit 52342f389af2da2995b858d026e6fbcad5c8bfaa)
|
|
When is_member() is inspecting the bridge/Bond member interfaces it must work
with the real interface (e.g. eth1) under the "ethernet" node and not work on
the "member interface eth1" CLI tree, that makes no sense at all.
(cherry picked from commit 3915791216998a18bf6831450df68ee199e2e4f8)
|
|
Ability to listen TCP port for service SNMP
set service snmp protocol tcp
|
|
VRF names: "add, all, broadcast, default, delete, dev, get, inet,
mtu, link, type, vrf" are reserved and cannot be used for vrf name
(cherry picked from commit 52342f389af2da2995b858d026e6fbcad5c8bfaa)
|
|
accel-ppp: T4373: T4507: Add options multiplier for shaper
|
|
ntp: T4456: support listening on specified interface (equuleus)
|
|
dns: T4509: Add dns64-prefix option (equuleus)
|
|
(cherry picked from commit ee603b3a0f9f3add72c1e5ac2277c013d40cf5a4)
|