summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2021-11-17snmp: T3996: fix invalid IPv6 localhost handling when using listen-addressChristian Poessinger
We need to use a temporary variable when validating the tuple if address is used. If not the else branch will always add the tuple to the list of addresses used for listen-address. (cherry picked from commit d13b91462487e090b32c0d1ecf9139a2271b4837)
2021-11-17openvpn: T3995: implement systemd reload supportChristian Poessinger
(cherry picked from commit eceaa3a787929f5a514b9c45da52936c0d4d4a54)
2021-11-17OpenVPN: T3350: Changed custom options for OpenVPN processingzsdc
Custom OpenVPN options moved back to the command line from a configuration file. This should keep full compatibility with the `crux` branch, and allows to avoid mistakes with parsing options that contain `--` in the middle. The only smart part of this - handling a `push` option. Because of internal changes in OpenVPN, previously it did not require an argument in the double-quotes, but after version update in `equuleus` and `sagitta` old syntax became invalid. So, all the `push` options are processed to add quotes. The solution is still not complete, because if a single config line contains `push` with other options, it will not work, but it is better than nothing. (cherry picked from commit 3fd2ff423b6c6e992b2ed531c7ba99fb9e1a2123)
2021-11-17T3912: add additional newline after "Welcome to VyOS"Christian Poessinger
(cherry picked from commit 77eca49bffede005f546b7d9d3660bf2e32c7e8e)
2021-11-15l2tp: T3724: allow setting accel-ppp l2tp host-nameMarek Isalski
(cherry picked from commit 3d00140453b3967370c77ddd9dac4af223a7ddce)
2021-11-08T3912: remove duplicate "Welcome to VyOS!" already shown by pre-loginChristian Poessinger
(cherry picked from commit 73be449b1cd09f3ca86400753630fb4804fbeca7)
2021-11-07http-api: T3440: give uvicorn time to initialize before starting NginxJohn Estabrook
(cherry picked from commit 889e16a77517549fb833a90d047455533be02f06)
2021-11-07T3912: use a more informative default login bannerChristian Poessinger
(cherry picked from commit 5d39a113bdef82e201aa43f848217c30db2f6fd9)
2021-10-31tunnel: T3956: GRE key check must not be run on our own interface instanceChristian Poessinger
2021-10-31netflow: T3953: use warning if "netflow source-ip" does not exist instead of ↵Christian Poessinger
error (cherry picked from commit 17215846b512851e7df8cdfcfc06c18b1d27f763)
2021-10-31console: T3954: bugfix RuntimeError: dictionary keys changed during iterationChristian Poessinger
(cherry picked from commit f227987ccf41e01d4ddafb6db7b36ecf13148c78)
2021-10-27vrrp: T3944: reload daemon instead of restart when already runningChristian Poessinger
This prevents a failover from MASTER -> BACKUP when changing any MASTER related configuration. (cherry picked from commit 2c82c9acbde2ccca9c7bb5e646a45fd646463afe)
2021-10-22sstp: T2566: Fix verify section for pool ipv6 onlyViacheslav
2021-10-21dhcp-server: T3610: Allow configuration for non-primary ip addressViacheslav
(cherry picked from commit 78cfb949cc6bceab744271cf23f269276b178182)
2021-10-21dhcp: T3626: Prevent to disable only one configured networkViacheslav
(cherry picked from commit 9c825a3457a88a4eebc6475f92332822e5102889)
2021-10-20tunnel: T3921: bugfix KeyError for source-addressChristian Poessinger
2021-10-20dhcpv6-server: T3918: Fix subnets verify raise ConfigErrorViacheslav
(cherry picked from commit ead10909ba9104733930bb3f59c90610138bd047)
2021-10-08tunnel: T3893: harden logic when validating tunnel parametersChristian Poessinger
Different types of tunnels have different keys set in get_interface_config(). Thus it should be properly verified (by e.g. using dict_search()) that the key in question esits to not raise KeyError. (cherry picked from commit 5aadf673497b93e2d4ad304e567de1cd571f9e25)
2021-10-02dns: forwarding: T3882: remove deprecated code to work with PowerDNS 4.5Christian Poessinger
2021-10-01vrrp: T3877: remove debug outputChristian Poessinger
2021-09-30vrrp: T3877: backport handlers to solve "default rfc3768-compatibility" issueJohn Estabrook
Do not create rfc3768-compatibility interfaces by default because of wrong Jinja2 syntax. Backporting the entire system makes it easier in the future to additional bugfixes.
2021-09-22vrrp: keepalived: T616: bugfix for invalid os.unlink()Christian Poessinger
Commit 260f3832 ("vrrp: keepalived: T616: drop /etc/default/keepalived") dropped the old daemon configuration but there was one line of code that tried to delete the file which was no longer present. This resulted in: KeyError: 'daemon'
2021-09-21vrrp: keepalived: T616: drop /etc/default/keepalivedChristian Poessinger
This is a follow-up commit to 65398e5c8 ("vrrp: keepalived: T616: move configuration to volatile /run directory") as it makes no sense to store a static /etc/default/keepalived file marked as "Autogenerated by VyOS" that only enabled the SNMP option to keepalived. Better pass the --snmp switch via the systemd override file and drop all other references/files.
2021-09-21vrrp: keepalived: T616: move configuration to volatile /run directoryChristian Poessinger
Move keepalived configuration from /etc/keepalived to /run/keepalived. (cherry picked from commit b243795eba1b36cadd81c3149e833bdf5c5bea70)
2021-09-21vrrp: keepalived: T2720: adjust to Jinja2 trim_blocks featureChristian Poessinger
This is a successor to commit a2ac9fac16e ("vyos.template: T2720: always enable Jinja2 trim_blocks feature"). It only shifts the whitespaces / indents inside the keepalived configuration file. (cherry picked from commit c1ac0630cfe0ee65569fbe435cc006ade20fed22)
2021-09-19dhcp-server: T3672: re-add missing "name" CLI optionChristian Poessinger
This option is mandatory and must be user configurable as it needs to match on both sides. (cherry picked from commit 2985035bcb2f3732e15a41e3c2ee6c6c93a6836e)
2021-09-19dhcp-server: T3672: only one failover peer is supportedChristian Poessinger
(cherry picked from commit a8ccf72c222caad8cd7aaca9bca773be39e87f5c)
2021-09-19dhcp-server: T1968: allow multiple static-routes to be configuredChristian Poessinger
vyos@vyos# show service dhcp-server shared-network-name LAN { subnet 10.0.0.0/24 { default-router 10.0.0.1 dns-server 194.145.150.1 lease 88 range 0 { start 10.0.0.100 stop 10.0.0.200 } static-route 192.168.10.0/24 { next-hop 10.0.0.2 } static-route 192.168.20.0/24 { router 10.0.0.2 } } } (cherry picked from commit a4440bd589db645eb99f343a8163e188a700774c)
2021-09-14openvpn: T3822: fix certificate permissionsChristian Poessinger
Commit b8bb9f586 ("T3822: set the OpenVPN key file owner to openvpn:openvpn") changed the permissions only for file present in the "fix_permissions" list. The list did not contain all required certificates - this has been fixed.
2021-09-12T3822: set the OpenVPN key file owner to openvpn:openvpnDaniil Baturin
2021-09-11Merge pull request #1001 from erkin/equuleusDaniil Baturin
T3275: conntrack: Backport XML/Python implementation of conntrack CLI
2021-09-10T3275: conntrack: Backport XML/Python implementation of conntrack CLIerkin
2021-09-10ethernet: T3802: use only one implementation for get_driver_name()Christian Poessinger
Move the two implementations to get the driver name of a NIC from ethernet.py and ethtool.py to only ethtool.py.
2021-09-09openvpn: T3805: drop privileges using systemd - required for rtnetlinkChristian Poessinger
(cherry picked from commit 2647edc30f1e02840cae62fde8b44345d35ac720)
2021-09-09openvpn: T3805: use vyos.util.makedir() to create system directoriesChristian Poessinger
(cherry picked from commit 84e912ab2f583864e637c2df137f62f3d4cbeb14)
2021-09-07login: T971 allow quoting in public-keys optionsPaul Lettington
This patch allows the use of `"` in ssh public-key options which unlocks the ability to set the `from` option in a way that sshd will accept to limit what hosts a user can connect from. (cherry picked from commit 6b52387190f8213e7e02060e894c6ddd4fb7cb3d)
2021-09-06Merge pull request #999 from sever-sever/T2920-equChristian Poessinger
tunnel: T2920: Add checks tun with same source addr and keys
2021-09-06ifconfig: T3806: "ipv6 address no_default_link_local" required for MTU < 1280Christian Poessinger
This commit also extends the smoketest to verify that the exception for this error is raised. (cherry picked from commit 84a429b41175b95634ec9492e0cf3a564a47abdd)
2021-09-06tunnel: T2920: Add checks tun with same source addr and keysViacheslav
2 tunnels with the same local-address should has different keys Check existing tunnels (source-address key) with new tunnel.
2021-09-05name-server: T3804: merge "system name-servers-dhcp" into "system name-server"Christian Poessinger
We have "set system name-server <ipv4|ipv6>" to specify a name-server IP address we wan't to use. We also have "set system name-servers-dhcp <interface>" which does the same, but the name-server in question is retrieved via DHCP. Both CLI nodes are combined under "set system name-server <ipv4|ipv6|interface>" to keep things as they are in real life - we need a name-server.
2021-09-04T3697: do not try to restart charon if it's not requiredDaniil Baturin
The root cause is that the ipsec-settings.py script is run _twice_: first from "vpn ipsec options", then from the top level "vpn" node. The case when it's not required is when: * "vpn ipsec" configuration doesn't exist yet * user configured it with "vpn ipsec options" * the ipsec-settings.py script is run first time, from "vpn ipsec options" Trying to restart charon at that stage leads to a deadlock.
2021-09-02tunnel: T3788: Add check keys for ipip and sitViacheslav
Keys are not allowed with ipip and sit tunnels (cherry picked from commit 7e84566dedfdc532ffe05b404005daa6f21df567)
2021-09-02Merge pull request #990 from sever-sever/T3093Christian Poessinger
nipsec: T3093: Delete temporarily generated code
2021-09-02nipsec: T3093: Delete temporarily generated codeViacheslav
This code was generated before to rewrite IPSec to XML style And this was rewriten/fixed and used in the next 1.4 releases So we realy don't need it in 1.3 as we use old nodes for it.
2021-09-02login: T3792: bugfix for usernames containing a hyphenChristian Poessinger
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius: T3192: migrate to get_config_dict()") the user-name was not excluded from mangling (no_tag_node_value_mangle=True). This resulted in a username "vyos-user" from CLI to be actually created as "vyos_user" on the system. This commit also adds respective Smoketests to prevent this in the future. (cherry picked from commit 658de9ea0fbe91e593f9cf0a8c434791282af100)
2021-09-02sstp-server: T2661: Delete CA certificate redundancy checkDmitriyEshenko
2021-08-31vyos.ethtool: T3163: purify code to read and change flow-control settingsChristian Poessinger
It makes no sense to have a parser for the ethtool values in ethtool.py and ethernet.py - one instance ios more then enough! (cherry picked from commit 0229645c8248decb5664056df8aa5cd5dff41802)
2021-08-31ethernet: T3163: only change ring-buffer settings if requiredChristian Poessinger
Only update the RX/TX ring-buffer settings if they are different from the ones currently programmed to the hardware. There is no need to write the same value to the hardware again - this could cause traffic disruption on some NICs. (cherry picked from commit 29082959e0efc02462fba8560d6726096e8743e9)
2021-08-31ethernet: T2241: check if interface supports changing speed/duplex settingsChristian Poessinger
Not all interface drivers have the ability to change the speed and duplex settings. Known drivers with this limitation are vmxnet3, virtio_net and xen_netfront. If this driver is detected, an error will be presented to the user. (cherry picked from commit cc742d48579e4f76e5d3230d87e22f71f76f9301)
2021-08-31ethernet: T3514: bail out early on invalid adapter speed/duplex settingChristian Poessinger
Ethernet adapters have a discrete set of available speed and duplex settings. Instead of passing every value down to ethtool and let it decide, we can do this early in the VyOS verify() function for ethernet interfaces. (cherry picked from commit 91892e431349ca0edb5e3e3023e4f340ab9b777f)