path: root/src/conf_mode
Age | Commit message | Author
2024-01-14 | bgp: T591: add SRv6 per address-family SID support | Christian Breunig
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575>
set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575>
(cherry picked from commit d7e248ba514108461ca9d5875c0be077c80ceca7)
2024-01-12 | bgp: T5306: fix verify_remote_as() to support v6only interface with peer-group | Christian Breunig
To test:
set protocols bgp neighbor eth0 interface v6only peer-group 'fabric'
set protocols bgp peer-group fabric address-family ipv4-unicast
set protocols bgp peer-group fabric address-family ipv6-unicast
set protocols bgp peer-group fabric capability extended-nexthop
set protocols bgp peer-group fabric remote-as 'external'
set protocols bgp system-as 64496
(cherry picked from commit 12e81dbb47b942b3d9a7a69189adefb5b176c4ef)
2024-01-11 | ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemon | Christian Breunig
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec, but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS.
(cherry picked from commit 8c941e316035e56757d77b782cf39702c73546e0)
2024-01-11 | dns: T5791: use common pattern for exclude check of dynamic interfaces | Christian Breunig
This uses a more common pattern from a base class while the original code from 0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is still retained.
(cherry picked from commit e5ce4222c6e9b24d276625678db7339ada0c54ef)
2024-01-11 | Merge pull request #2789 from vyos/mergify/bp/sagitta/pr-2777 | Christian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accel-ppp (backport #2777)
2024-01-10 | dhcp: T5787: Prevent duplicate IP addresses on static mappings | sarthurdev
2024-01-10 | T5918: Fix typo in verify vpn ipsec interface | Viacheslav Hletenko
The correct CLI command is `interface` and not `interfaces`
```
set vpn ipsec interface xxx
```
(cherry picked from commit 8452d8f49216d224bc5d5751354414274982f5be)
2024-01-10 | T5688: Changed 'range' to multi in 'client-ip-pool' for accel-ppp | aapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accel-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script.
(cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
2024-01-10 | T5916: Added segment routing check for index base size and SRGB base size | Cheeze_It
(cherry picked from commit cfb5b052c84ffba789d61a59350676b6b4a0a5f7)
2024-01-10 | Merge pull request #2783 from vyos/mergify/bp/sagitta/pr-2263 | Christian Breunig
T5530: isis: Adding loop free alternate feature (backport #2263)
2024-01-10 | T5530: isis: Adding loop free alternate feature | Cheeze_It
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
2024-01-10 | pki: T5911: fix service update algorithm if certificate name contains a hyphen (-) | Christian Breunig
When testing for changed PKI certificates using node_changed(), we should not use key_mangling=('-', '_'), as this will make certificate updates with a hyphen not possible.
(cherry picked from commit fc6926fdf32a7bdf9f943c7818ee6ea4a8131fba)
2024-01-10 | https: T5902: remove virtual-host configuration | Christian Breunig
We have not seen the adoption of the https virtual-host CLI option. What did it do?
* Create multiple webservers each listening on a different IP/port (but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on the default host
This configuration tried to provide a full webserver via the CLI, but VyOS is a router and the webserver is there for an API or to serve files for a local UI.
Changes:
Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement.
(cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
2024-01-08 | ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists() | Christian Breunig
(cherry picked from commit 410458c00e6202dd9a5c52b3c5ac00a90db5bc53)
2024-01-08 | pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE in node_changed() | Christian Breunig
This fixes a priority inversion when doing initial certificate commits.
* pki subsystem is executed with priority 300
* vti uses priority 381
* ipsec uses priority 901
On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py, which will be executed second. The VTI interface was not yet created, leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!')
The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)"), file src/conf_mode/pki.py line 139, which triggers the dependency update even if a key is newly added.
This commit changes the "detection" to be based on the certbot configuration on disk.
(cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)
2024-01-08 | https: T5886: migrate https certbot to new "pki certificate" CLI tree | Christian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08 | pki: T5886: add support for ACME protocol (LetsEncrypt) | Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate.
```
vyos@vyos# set pki certificate NAME acme
Possible completions:
+  domain-name     Domain Name
   email           Email address to associate with certificate
   listen-address  Local IPv4 addresses to listen on
   rsa-key-size    Size of the RSA key (default: 2048)
   url             Remote URL (default: https://acme-v02.api.letsencrypt.org/directory)
```
Users choose if the CLI based custom certificates are used
```
set pki certificate EXAMPLE acme certificate <base64>
```
or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted.
```
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
```
Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored under /config/auth/letsencrypt.
Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)
# Conflicts:
#	debian/control
2024-01-06 | openvpn: T3214: warn when setting nopool and server-ipv6 is being used | Antonio Quartulli
Currently OpenVPN does not allow having an IPv6 subnet if 'nopool' was specified on the --server directive. For this reason warn if this specific configuration is being hit. This is probably something that should be fixed upstream, but for now we can't allow this combination of parameters.
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
(cherry picked from commit 7a0e40ce8df386c0ea2de84bce8fb6c81a0353ce)
2024-01-06 | openvpn: T3214: allow configuring server with v6 only | Antonio Quartulli
Starting with v2.5.0 OpenVPN allows configuring a server with an IPv6 only tunnel. For this reason there is no need to depend on the existence of an IPv4 subnet anymore.
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
(cherry picked from commit 3072e507eb1cdc18cfe5429fd0c03d223d2576fe)
2024-01-04 | T5159: nat: add option to map network and ports. Feature used for large deployments in cgnat. (#2694) | Nicolás Fort
(cherry picked from commit 3fc76505d0642c32a3eae9c0ce6ab3dd2ec32dbd)
2024-01-04 | configdict: T5894: add get_config_dict() flag with_pki | Christian Breunig
VyOS has several services relying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI.
This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
(cherry picked from commit b152b52023ba0cf0d4919eae39e92de28a458917)
2024-01-03 | Merge pull request #2719 from c-po/sagitta-backports-accel-ppp | Christian Breunig
Backports for Accel-PPP based services T5801, T5842 and T5688
2024-01-03 | Merge pull request #2732 from vyos/mergify/bp/sagitta/pr-2728 | Christian Breunig
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces (backport #2728)
2024-01-01 | T5842: Rewritten PPTP to get_config_dict | aapostoliuk
Rewritten PPTP to get_config_dict.
Fixed 'dynamic-author' commands. These commands did not create anything in accel-ppp config.
(cherry picked from commit f39eb894d991d296a82c69d1ab783011b5d0ed2f)
2024-01-01 | T5801: Rewritten L2TP to get_config_dict | aapostoliuk
Rewritten L2TP to get_config_dict.
Rewritten L2TP xml to accel-ppp patterns.
Migrated 'idle' to 'ppp-options.lcp-echo-timeout'
Migrated 'authentication.mppe' to 'ppp-options.mppe'
Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author'
Migrated 'authentication.require' to 'authentication.protocol'
Added 'authentication.radius.acct-interim-jitter'
Added 'authentication.radius.preallocate-vif'
Added 'authentication.radius.server.<IP>.acct-port'
Added 'ppp-options.ipv4'
Added smoke-tests.
Fixed 'preallocate-vif' in SSTP.
(cherry picked from commit 09e0a2ca035ee39a68a510b28cc74560669d0420)
2024-01-01 | login: T5875: restore home directory permissions only when needed | Christian Breunig
This improves commit 3c990f49e ("login: T5875: restore home directory permissions when re-adding user account") in a way that the home directory owner is only altered if it differs from the expected owner. Without this change on every boot we would alter the owner, which could increase the boot time if the home of a user is cluttered.
(cherry picked from commit 1b364428f79b7e4588a000fca40582ef968fc7fd)
2024-01-01 | tunnel: T5879: properly verify source-interface used for tunnels | Christian Breunig
A tunnel interface can not properly be sourced from a pppoe0 interface when such interface is not (yet) connected to the BRAS. It might work on a running system, but subsequent reboots will fail as the source-interface most likely does not yet exist.
(cherry picked from commit 66ce19058b7b8597536ddf63bbca027add2ca8a1)
2024-01-01 | T5474: establish common file name pattern for XML conf mode commands | Christian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server.xml.in
(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
2023-12-30 | Merge pull request #2720 from vyos/mergify/bp/sagitta/pr-2718 | Christian Breunig
system: T5877: Shorten system domain-search config path (backport #2718)
2023-12-30 | login: T5875: restore home directory permissions when re-adding user account | Christian Breunig
After deleting a user account and working with a newly added account, we see that after rebooting in the previously saved configuration, the user is re-added but its home directory might have an old UID set on the filesystem. This is due to the fact that vyos config does not store UIDs. When adding a user account to the system we now check if the home directory already exists and adjust the ownership to the new UID.
(cherry picked from commit 3c990f49e2bf9347bd2cc478995baa995ee822fd)
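Added example, not part of the VyOS commits above or of the VyOS code base: the two T5875 commits (this one and the 2024-01-01 follow-up) describe re-adding a user whose home directory still carries the UID of a deleted account, and fixing ownership only where it actually differs. The sketch below does that with os.lstat()/os.lchown() so that symbolic links left behind by the previous holder of the UID are re-owned themselves rather than followed. Function names, the dry_run flag and the throwaway home directory built by demo_home() are assumptions for illustration.

```python
import os
import tempfile
from typing import List, Tuple


def paths_needing_chown(home: str, uid: int, gid: int) -> List[str]:
    """Return every path below (and including) `home` whose owner or group
    differs from the expected uid/gid.

    Entries are inspected with os.lstat(), so a symbolic link is judged by
    its own ownership and never followed: a link planted by the previous
    holder of the UID cannot steer the later chown outside the home.
    """
    mismatched: List[str] = []
    for dirpath, dirnames, filenames in os.walk(home):
        # os.walk() visits real sub-directories as `dirpath` later on, but it
        # does not descend into symlinked directories, so check those links
        # here together with the regular entries of this directory.
        candidates = [dirpath]
        candidates += [os.path.join(dirpath, n) for n in filenames]
        candidates += [p for p in (os.path.join(dirpath, n) for n in dirnames)
                       if os.path.islink(p)]
        for path in candidates:
            st = os.lstat(path)
            if st.st_uid != uid or st.st_gid != gid:
                mismatched.append(path)
    return mismatched


def restore_home_ownership(home: str, uid: int, gid: int,
                           dry_run: bool = False) -> List[str]:
    """Bring `home` back to uid:gid, touching only entries that differ.

    Returns the paths that were (or, with dry_run=True, would be) changed.
    Doing nothing when ownership already matches keeps boot fast on large
    home directories; os.lchown() is used so links are not dereferenced.
    """
    if not os.path.isdir(home) or os.path.islink(home):
        return []          # home does not exist yet: nothing to fix up
    changed = paths_needing_chown(home, uid, gid)
    if not dry_run:
        for path in changed:
            os.lchown(path, uid, gid)
    return changed


def demo_home(uid_offset: int = 0, gid_offset: int = 0) -> Tuple[str, List[str]]:
    """Constructed fixture: build a throwaway home owned by this process and
    report what a dry run would change for (owner + uid_offset, group +
    gid_offset).  Offsets of 0 model the 'nothing to do' boot path."""
    home = tempfile.mkdtemp(prefix='home-')
    os.mkdir(os.path.join(home, '.ssh'))
    with open(os.path.join(home, '.ssh', 'authorized_keys'), 'w') as f:
        f.write('# constructed sample file\n')
    os.symlink('/nonexistent', os.path.join(home, 'dangling'))
    st = os.lstat(home)
    expected = restore_home_ownership(home, st.st_uid + uid_offset,
                                      st.st_gid + gid_offset, dry_run=True)
    return home, expected
```

With matching uid/gid the dry run reports nothing, which is the common boot case; with a different uid every entry, the dangling link included, is listed, and a real run would re-own exactly those entries and no others.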
2023-12-30 | system: T5877: Shorten system domain-search config path | Indrajit Raychaudhuri
Shorten and simplify `system domain-search` config path from:
```
set system domain-search domain <domain1>
```
to:
```
set system domain-search <domain1>
```
This will shorten the path and also make it consistent with `domain-search` config in other places (like `dhcp-server`).
(cherry picked from commit f77bf573c608b6c09182e1bad4312c4dd1e5195e)
2023-12-29 | nat: T5681: relax wording on non existing interface Warning message | Christian Breunig
Remove the word "error" from a Warning only message to not irritate the user.
(cherry picked from commit 9f863a50f1ac6c81782df6c43f7df816d9e11b16)
2023-12-28 | Merge pull request #2697 from c-po/sagitta-T5829 | Daniil Baturin
container: T5829: verify container network used supports the given AFI (backport)
2023-12-28 | Merge pull request #2700 from vyos/mergify/bp/sagitta/pr-2501 | Daniil Baturin
accel-ppp: T5688: Standardized pool configuration in accel-ppp (backport #2501)
2023-12-28 | container: T5867: disable healthchecks due to upstream issue | Christian Breunig
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe
https://github.com/containers/conmon/issues/438
(cherry picked from commit 6c84ff41b92d7c2e0b239dca59955e8a247fecdb)
2023-12-28 | accel-ppp: T5688: Standardized pool configuration in accel-ppp | aapostoliuk
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask and x.x.x.x-x.x.x.y format.
3. next-pool can be used in all services.
4. Allows to use in ipoe gw-ip-address without pool configuration, which allows to use the Framed-IP-Address attribute by radius.
5. Default pool name should be explicitly configured with default-pool.
6. In ipoe netmask and range subnet can be different.
(cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
2023-12-28 | container: T5829: fix base key "container" re-use in for loop | Christian Breunig
(cherry picked from commit 405cc66041d8035500f7b7116301983c48464a9b)
2023-12-28 | container: T5829: verify container network used supports the given AFI | Christian Breunig
(cherry picked from commit e70ca62c474b4e2cc135851a6e5cceee037bf378)
2023-12-26 | ddclient: T5144: Warn against configuration with broken IP lookup service | Indrajit Raychaudhuri
We always enable HTTPS in ddclient configuration, however `http://checkip.dyndns.org` is HTTP only and does not support HTTPS. Warn the user if they are using this service.
Also, make `url` in `web-options` mandatory.
2023-12-26 | ddclient: T5791: Adjust the warning messages and minor refactoring | Indrajit Raychaudhuri
2023-12-25 | snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp" | Christian Breunig
(cherry picked from commit a9201e77110ce0695e2ba879304aef41b7ac9a0c)
2023-12-24 | T5837: cleanup use of calls to vyos.configdict.node_changed() | Christian Breunig
node_changed() will return a list of changed keys under "path". We are not always interested in what changed; sometimes we are only interested in whether something changed at all. That is what vyos.configdict.is_node_changed() is for.
(cherry picked from commit 5e7a8288d06a6d6beee5e1abd2e06698ab778650)
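Added example, not part of the VyOS commits or of vyos.configdict: a toy model of the semantics described in this commit (T5837, a list of changed child nodes versus a plain yes/no) and in the T5911 commit further up (why mangling '-' to '_' in the names returned for changed certificates breaks the follow-up lookup). The real vyos.configdict functions are not reproduced; the two config trees, the certificate names and the certificates_to_refresh() helper are constructed for illustration.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample data: the effective (running) and proposed (about to be
# committed) config trees, reduced to the PKI certificate nodes.  Only
# 'web-cert' is renewed; its name deliberately contains a hyphen.
EFFECTIVE: Dict[str, Any] = {'pki': {'certificate': {
    'web-cert': {'certificate': 'MIIB...old', 'private': {'key': 'MIIE...k'}},
    'ipsec-ca': {'certificate': 'MIIC...same'},
}}}
PROPOSED: Dict[str, Any] = {'pki': {'certificate': {
    'web-cert': {'certificate': 'MIIB...renewed', 'private': {'key': 'MIIE...k'}},
    'ipsec-ca': {'certificate': 'MIIC...same'},
}}}


def _subtree(tree: Any, path: List[str]) -> Dict[str, Any]:
    """Descend `path` in a nested dict; anything missing yields {}."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return {}
        node = node[key]
    return node if isinstance(node, dict) else {}


def node_changed(effective: dict, proposed: dict, path: List[str]) -> List[str]:
    """Names of child nodes under `path` that were added, deleted or whose
    subtree differs between the effective and the proposed config."""
    old, new = _subtree(effective, path), _subtree(proposed, path)
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))


def is_node_changed(effective: dict, proposed: dict, path: List[str]) -> bool:
    """Callers that only need to know *whether* anything changed under
    `path` use this instead of inspecting the list themselves."""
    return bool(node_changed(effective, proposed, path))


def lookup(tree: dict, path: List[str],
           key_mangling: Optional[Tuple[str, str]] = None) -> Any:
    """Fetch a node by CLI path.  Applying key_mangling=('-', '_') to the
    path first rewrites 'web-cert' into 'web_cert', which no longer matches
    the CLI node name, so the lookup fails for every hyphenated name."""
    if key_mangling:
        path = [p.replace(*key_mangling) for p in path]
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def certificates_to_refresh(effective: dict, proposed: dict,
                            key_mangling: Optional[Tuple[str, str]] = None) -> List[str]:
    """Certificates whose consumers (https, ipsec, eapol, ...) must be
    re-run.  With key_mangling set, a renewed 'web-cert' is silently
    dropped: the T5911 failure mode modelled here."""
    path = ['pki', 'certificate']
    return [name for name in node_changed(effective, proposed, path)
            if lookup(proposed, path + [name], key_mangling) is not None]
```

The security-relevant consequence of the mangled lookup is not an error but silence: a renewed certificate is never pushed to the services that use it, so they keep serving the old one until it expires. Keep identifiers that come back from a diff in their CLI form until the last possible moment.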
2023-12-24 | snmp: T5856: fix service removal error | Christian Breunig
When deleting SNMP from CLI the 'delete' key was not honored in the config dictionary, leading to a false process startup causing the following error:
Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
(cherry picked from commit 20b98e780fda4131eb242921884d4955147ce51a)
2023-12-24 | T160: NAT64 add match firewall mark feature | Viacheslav Hletenko
Match mark allows to use firewall marks of packets to use a specific pool.
Example of instance config /run/jool/instance-100.json
```
...
"pool4": [
  {
    "protocol": "TCP",
    "prefix": "192.0.2.10",
    "port range": "1-65535",
    "mark": 23
  },
...
```
(cherry picked from commit 8e1e79cfa24c155c8d504822fbbd3c20f890fb70)
2023-12-21 | Merge pull request #2675 from c-po/nat66-fix-sagitta | Daniil Baturin
nat66: T2898: build fix after ndp-proxy backport
2023-12-21 | nat66: T2898: build fix after ndp-proxy backport | Christian Breunig
2023-12-21 | Merge pull request #2673 from vyos/mergify/bp/sagitta/pr-2665 | Christian Breunig
T2898: add ndp-proxy service (backport #2665)
2023-12-21 | T2898: add ndp-proxy service | Christian Breunig
VyOS CLI command
```
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
```
Will generate the following NDP proxy configuration
```
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py

# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000

# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
    # Turn on or off the router flag for Neighbor Advertisements
    router no
    # Control how long to wait for a Neighbor Advertisement message before invalidating the entry (milliseconds)
    timeout 500
    # Control how long a valid or invalid entry remains in the cache (milliseconds)
    ttl 30000
    # This is a rule that the target address is to match against. If no netmask
    # is provided, /128 is assumed. You may have several rule sections, and the
    # addresses may or may not overlap.
    rule 2001:db8::/64 {
        static
    }
}
```
(cherry picked from commit 4d721a58020971d00ab854c37b68e88359999f9c)
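Added example, not part of the VyOS commit or of service_ndp-proxy.py: a small renderer for the ndppd.conf shape shown above, with the two checks a practitioner wants before text from the CLI is written into a daemon config, namely that the interface name is a plain name (no path separators or shell metacharacters) and that the prefix is a syntactically valid, non-multicast IPv6 network. The input dict layout, the 'router'/'timeout'/'ttl' keys and the 'interface' rule mode (rendered as ndppd's `iface` keyword) are assumptions for illustration, not the VyOS CLI schema.

```python
import ipaddress
import re
from typing import Any, Dict

# Linux limits interface names to 15 characters (IFNAMSIZ - 1); the
# character allow-list is deliberately stricter than what the kernel accepts.
IFNAME_RE = re.compile(r'[A-Za-z0-9_.-]{1,15}')
RULE_MODES = ('static', 'auto', 'interface')


def check_ifname(name: str) -> str:
    """Reject anything that is not a plain interface name; '.' and '..'
    match the regex but are never valid names."""
    if not IFNAME_RE.fullmatch(name) or name in ('.', '..'):
        raise ValueError(f'invalid interface name: {name!r}')
    return name


def check_prefix(prefix: str) -> str:
    """Accept only a canonical IPv6 network; host bits set, IPv4, multicast
    or loopback prefixes are refused rather than silently rewritten."""
    net = ipaddress.ip_network(prefix, strict=True)   # raises on host bits
    if net.version != 6:
        raise ValueError(f'NDP proxy needs an IPv6 prefix, got {prefix!r}')
    if net.is_multicast or net.is_loopback:
        raise ValueError(f'refusing to proxy NDP for {prefix!r}')
    return str(net)


def render_ndppd_conf(config: Dict[str, Any], route_ttl: int = 30000) -> str:
    """Render ndppd.conf from a dict shaped like
    {'interface': {'eth0': {'prefix': {'2001:db8::/64': {'mode': 'static'}}}}}."""
    lines = ['# autogenerated by service_ndp-proxy.py', f'route-ttl {int(route_ttl)}', '']
    for ifname, iface in config.get('interface', {}).items():
        lines.append(f'proxy {check_ifname(ifname)} {{')
        lines.append(f"    router {'yes' if iface.get('router') else 'no'}")
        lines.append(f"    timeout {int(iface.get('timeout', 500))}")
        lines.append(f"    ttl {int(iface.get('ttl', 30000))}")
        for prefix, rule in iface.get('prefix', {}).items():
            mode = rule.get('mode', 'static')
            if mode not in RULE_MODES:
                raise ValueError(f'unknown rule mode {mode!r} for {prefix}')
            lines.append(f'    rule {check_prefix(prefix)} {{')
            if mode == 'interface':
                # forward the solicitation out of another interface
                lines.append(f"        iface {check_ifname(rule['interface'])}")
            else:
                lines.append(f'        {mode}')
            lines.append('    }')
        lines.append('}')
    return '\n'.join(lines) + '\n'


def is_valid_ndppd_config(config: Dict[str, Any]) -> bool:
    """True when the config renders without a validation error."""
    try:
        render_ndppd_conf(config)
        return True
    except (ValueError, KeyError):
        return False
```

Rendering the CLI example from the commit gives a `proxy eth0 { ... rule 2001:db8::/64 { static } }` block; an IPv4 prefix, a prefix with host bits set, or an interface name such as `eth0;id` never reaches the daemon.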
2023-12-21 | srv6: T591: enable SR enabled packet processing on defined interfaces | Christian Breunig
The Linux Kernel needs to be told whether IPv6 SR enabled packets should be processed or not. This is done using the /proc/sys/net/conf/<iface>/seg6_* variables:
seg6_enabled - BOOL
  Accept or drop SR-enabled IPv6 packets on this interface.
  Relevant packets are those with SRH present and DA = local.
  0 - disabled (default)
  not 0 - enabled
Or the VyOS CLI command:
* set protocols segment-routing interface eth0 srv6
(cherry picked from commit 774cc97eda61eb0b91df820797fb3c705d0073d5)
2023-12-21 | vrf: T591: define sysctl setting for net.vrf.strict_mode | Christian Breunig
Enable/Disable VRF strict mode: when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device.
A VRF table can be used by the VyOS CLI only once (ensured by verify()), so this simply adds an additional Kernel safety net, but it is a requirement for IPv6 segment routing headers.
(cherry picked from commit 10701108fecb36f7be7eb7ef5f1e54e63da5fb4e)
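Added example, not part of the VyOS commits or of the VyOS code base, covering the two T591 sysctl commits above (per-interface seg6_enabled and the global net.vrf.strict_mode). The kernel exposes the per-interface knob as net.ipv6.conf.<iface>.seg6_enabled, i.e. the file /proc/sys/net/ipv6/conf/<iface>/seg6_enabled, and strict mode as /proc/sys/net/vrf/strict_mode. Because the interface name becomes a path component, the helper refuses anything that is not a plain name before touching /proc/sys; the `root` parameter and make_fake_sysctl_root() exist only so the example can run without root against a constructed stand-in for /proc/sys. Function names are assumptions for illustration.

```python
import os
import re
import tempfile
from typing import Iterable

IFNAME_RE = re.compile(r'[A-Za-z0-9_.-]{1,15}')   # IFNAMSIZ - 1, strict allow-list


def seg6_sysctl_path(iface: str, root: str = '/proc/sys') -> str:
    """Path of net.ipv6.conf.<iface>.seg6_enabled.  The interface name is a
    path component, so '.', '..' and anything with a separator or odd
    characters is rejected instead of being joined into the path."""
    if not IFNAME_RE.fullmatch(iface) or iface in ('.', '..'):
        raise ValueError(f'refusing to build a sysctl path from {iface!r}')
    return os.path.join(root, 'net', 'ipv6', 'conf', iface, 'seg6_enabled')


def vrf_strict_mode_path(root: str = '/proc/sys') -> str:
    """Path of the global net.vrf.strict_mode knob."""
    return os.path.join(root, 'net', 'vrf', 'strict_mode')


def read_sysctl(path: str) -> int:
    with open(path) as f:
        return int(f.read().strip())


def write_sysctl(path: str, value: int) -> None:
    with open(path, 'w') as f:
        f.write(f'{int(value)}\n')


def set_seg6_enabled(iface: str, enabled: bool, root: str = '/proc/sys') -> int:
    """Accept (1) or drop (0, kernel default) SR-enabled IPv6 packets on
    `iface`; returns the value read back so the caller can confirm it."""
    path = seg6_sysctl_path(iface, root)
    write_sysctl(path, 1 if enabled else 0)
    return read_sysctl(path)


def set_vrf_strict_mode(enabled: bool, root: str = '/proc/sys') -> int:
    """Allow at most one VRF device per routing table when enabled."""
    path = vrf_strict_mode_path(root)
    write_sysctl(path, 1 if enabled else 0)
    return read_sysctl(path)


def safe_ifname(iface: str) -> bool:
    """True when `iface` would be accepted as a sysctl path component."""
    try:
        seg6_sysctl_path(iface, root='/unused')
        return True
    except ValueError:
        return False


def make_fake_sysctl_root(interfaces: Iterable[str] = ('eth0',)) -> str:
    """Constructed stand-in for /proc/sys with every knob at the kernel
    default of 0, so the setters above can be exercised without root."""
    root = tempfile.mkdtemp(prefix='sysctl-')
    for iface in interfaces:
        os.makedirs(os.path.join(root, 'net', 'ipv6', 'conf', iface))
        write_sysctl(seg6_sysctl_path(iface, root), 0)
    os.makedirs(os.path.join(root, 'net', 'vrf'))
    write_sysctl(vrf_strict_mode_path(root), 0)
    return root
```

On a real system the same calls with the default `root` write to /proc/sys; an interface name such as `../../kernel/core_pattern` is refused before any file is opened, and reading the value back after the write is the check that the kernel actually accepted it.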