summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-03-06T6075: firewall and NAT: check if interface-group exists when using them in ↵Nicolas Fort
firewall|nat rules. (cherry picked from commit 3c0634e572ffdecaf24a9dac16678427f22761ab)
2024-03-05T6084: Add NHRP dependency for IPsec and fix NHRP empty config bugViacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue (cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
2024-03-04ospfv3: T6087: add support to redistribute IS-IS routesChristian Breunig
(cherry picked from commit 6a97fdfa1ba9b4135a51498ea5acabb804256b2c)
2024-03-02ospf: T5717: sync code with ospfv3 implementationChristian Breunig
(cherry picked from commit 298bcc5cb90c4c83981ec4baaaa0db785306867d)
2024-03-02ospfv3: T5717: allow metric and metric-type on redistributed routesChristian Breunig
Example: vyos@vyos# set protocols ospfv3 redistribute bgp Possible completions: metric OSPF default metric metric-type OSPF metric type for default routes (default: 2) route-map Specify route-map name to use (cherry picked from commit ed2c288c8a9031f91acf76d20b84e2002696981c)
2024-02-29T5504 Keepalived VRRP ability to set more than one peer-addressNataliia Solomko
(cherry picked from commit 3480d92a8c4d84e8c1f94a9362bac2be0cc77921)
2024-02-29banner: T6077: implement ASCII contest winner default logoChristian Breunig
Implement VyOS ASCII art contest winners logo as the default for our MOTD (cherry picked from commit 0ea3a454cf560171d3eb9d4d1b97b172c06360fe)
2024-02-28vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is ↵sarthurdev
required (cherry picked from commit 6f7d1e15665655e37e8ca830e28d9650445c1217)
2024-02-24container: T5909: move registry login to op-modeChristian Breunig
It does not make sense to perform the "podman login" command when setting up containers, as images are not automatically pulled in from the registry - due to issues with the default route during startup. The same issue manifests in "podman login" where we can not login to a registry unless there is a default route present. This commit changes the behavior that the container registry is part of the configuration, but it is only referenced during "add container image" and thus never during system boot. (cherry picked from commit baf30d8319ef4d0f0cc4cdf0f7c12f03f8a492b6)
2024-02-18bridge: T6043: do not call vxlan dependency if interface does not exist (yet)Christian Breunig
In order to keep the proper priority list during system startup and on initial setup/commit for this feature the dependent VXLAN code should not be called, if the interface in question does not exist (yet). (cherry picked from commit dbe8c613bb80bc8b714398825054ade5942ea75b)
2024-02-17login: T5972: add possibility to disable individual local user accountsChristian Breunig
* set system login user <name> disable (cherry picked from commit 6e0b146ed3b90da577c3ecba38836883fd435e7a)
2024-02-16T6001: add option to disable next-hop-tracking resolve-via-defaultChristian Breunig
* set system ip nht no-resolve-via-default * set system ipv6 nht no-resolve-via-default (cherry picked from commit ece0e768f36e52f8964823d891264d7c187204ec)
2024-02-15T6029: Rewritten Accel-PPP services to an identical feature setaapostoliuk
Removed dhcp-interface option (l2tp) Added wins-server (sstp) Added description (ipoe, pppoe, sstp, pptp) Added exteded-script (l2tp, sstp, pptp) Added shaper (ipoe, pptp, sstp, l2tp) Added limits (ipoe, pptp, sstp, l2tp) Added snmp ( ipoe, pptp,sstp, l2tp) Refactoring and reformated code. (cherry picked from commit ac6a16f6c5ad7700789759e1ec093236c2e182a2)
2024-02-13rpki: T6034: remove OpenSSH keys from /run/frr when unloadedChristian Breunig
(cherry picked from commit 78820752b936e77d30f995498ff36487c5c6af87)
2024-02-13pki: T6034: add dependencies to trigger rpki re-run on openssh key updateChristian Breunig
(cherry picked from commit 0f8bf6bd0fb29cfd638e9920674e7ad1d1d25350)
2024-02-13rpki: T6034: move SSH authentication keys to PKI subsystemChristian Breunig
(cherry picked from commit ac2d7dfac6073d0f232191ec494f78a8d12889e4)
2024-02-13pki: T6034: add OpenSSH key supportChristian Breunig
set pki openssh rpki private key ... set pki openssh rpki public key ... set pki openssh rpki public type 'ssh-rsa' (cherry picked from commit 8c78ef0879f22ffd4a5f7fdb175e9109b46e9d7b)
2024-02-09T5960: Rewritten authentication node in PPTP to a single viewaapostoliuk
Rewritten authentication node in accel-ppp services to a single view. In particular - PPTP authentication. (cherry picked from commit 018110200c9a82815dd5d0510f0732d7159c0d59)
2024-02-08T6026: QoS hide attempts to delete qdisc from devicesViacheslav Hletenko
Hide unexpected output by attempts of deleting `qdisc` from interfaces [ qos ] Error: Cannot find specified qdisc on specified device. Error: Cannot delete qdisc with handle of zero. (cherry picked from commit 6dcb68ba5553ac94eb3a9da4a915999500b00ab2)
2024-02-07vrf: T5973: module is now statically compiled into the kernelChristian Breunig
Always enable VRF strict_mode (cherry picked from commit 117fbcd6237b59f54f2c1c66986a8ce073808c84)
2024-02-07vpn: T3843: l2tp configuration not cleared after deletekhramshinr
vpn: T5926: IPSEC does not apply after l2tp configuration was changed added dependency between l2tp and ipsec conf added test for apply config to swanctl (cherry picked from commit e697ed1e7fd5c33f8082b2f4f96c42fc822ec9a5)
2024-02-06T5921: Fix OpenConnect verify for local usersViacheslav Hletenko
Fix verify error for the VPN OpenConnect configuration with local authentication and without any user File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify if not ocserv["authentication"]["local_users"]: KeyError: 'local_users' (cherry picked from commit 71644dfed63f6248525db3c3bc9493c059707a2a)
2024-02-06rpki: T6011: known-hosts-file is no longer supported by FRRChristian Breunig
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
2024-02-02container: T5955: allow setting uid/gidPiotr Maksymiuk
(cherry picked from commit 52e9707a43290f5f826766e2c42c5f0db3c9adec)
2024-02-02Merge pull request #2928 from vyos/mergify/bp/sagitta/pr-2891Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
2024-02-02T5971: Rewritten ppp options in accel-ppp servicesaapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP. (cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
2024-02-01ddclient: T5966: Adjust dynamic dns config address subpathIndrajit Raychaudhuri
Modify the dynamic dns configuration 'address' subpath for better clarity on how the address is obtained. Additionally, remove `web-options` and fold those options under the path `address web`.
2024-02-01Merge pull request #2924 from vyos/mergify/bp/sagitta/pr-2756Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
2024-02-01Merge pull request #2922 from vyos/mergify/bp/sagitta/pr-2854Christian Breunig
dns: T5959: Streamline dns forwarding service (backport #2854)
2024-02-01T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01Merge pull request #2916 from vyos/mergify/bp/sagitta/pr-2832Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
2024-02-01dns: T5959: Streamline dns forwarding serviceIndrajit Raychaudhuri
Streamline configuration and operation of dns forwarding service in following ways: - Remove `dns_forwarding_reset.py` as its functionality is now covered by `dns.py` - Adjust function names in `dns.py` to disambiguate between DNS forwarding and dynamic DNS - Remove `dns_forwarding_restart.sh` as its functionality is inlined in `dns-forwarding.xml` - Templatize systemd override for `pdns-recursor.service` and move the generated override files in /run. This ensures that the override files are always generated afresh after boot - Simplify the systemd override file by removing the redundant overrides - Relocate configuration path for pdns-recursor to `/run/pdns-recursor` and utilize the `RuntimeDirectory` default that pdns-recursor expects - We do not need to use custom `--socket-dir` path anymore, the default path (viz., `/run/pdns-recursor` is fine) (cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)
2024-02-01T5865: Moved ipv6 pools to named ipv6 pools in accel-pppaapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services (cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
2024-02-01bgp: T5930: Denied using rt vpn 'export/import' with 'both' togetheraapostoliuk
Denied using command 'route-target vpn export/import' with 'both' together in bgp configuration. (cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
2024-01-30Merge pull request #2888 from vyos/mergify/bp/sagitta/pr-2886John Estabrook
system-option: T5979: Add configurable kernel boot options (backport #2886)
2024-01-30vrf: T5973: fix has_rule() to check for l3mdev ruleChristian Breunig
A code path was missing to check if only priority is available in the result of "ip --json -4 rule show", in the case of l3mdev it's a dedicated key! (cherry picked from commit a009143a62caca207fdffffcf0b490c747a87025)
2024-01-30vrf: T5973: move initial conntrack firewall table to startupChristian Breunig
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code. (cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
2024-01-30vrf: T5973: ensure Kernel module is loadedChristian Breunig
This prevents the following error when configuring the first VRF: sysctl: cannot stat /proc/sys/net/vrf/strict_mode: No such file or directory (cherry picked from commit a821b8c603999665ce8a77acb0e44a743811992a)
2024-01-23T5979: add configurable kernel boot option 'disable-mitigations'Christian Breunig
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
2024-01-23bfd: T5967: add minimum-ttl optionChristian Breunig
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254> * set protocols bfd profile <name> minimum-ttl <1-254> (cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
2024-01-22dhcp: T5787: Allow disabled duplicates on static-mapping (backport)sarthurdev
2024-01-22T5958: QoS add basic implementation of policy shaper-hfscViacheslav Hletenko
QoS policy shaper-hfsc was not implemented after rewriting the traffic-policy to qos policy. We had CLI but it does not use the correct class. Add a basic implementation of policy shaper-hfsc. Write the class `TrafficShaperHFS` (cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
2024-01-22sflow: T5968: add VRF supportChristian Breunig
Add support to run hsflowd in a dedicated (e.g. management) VRF. Command will be "set system sflow vrf <name>" like with any other service (cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
2024-01-22Merge pull request #2856 from c-po/firewall-backportsChristian Breunig
firewall: T5729: T5681: T5217: backport subsystem from current branch
2024-01-22firewall: T5729: T5681: T5217: backport subsystem from current branchChristian Breunig
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
2024-01-21ntp: T5692: add support to configure leap second behaviorChristian Breunig
* set service ntp leap-second [ignore|smear|system|timezone] Where timezone is the new and old default resulting in adding "leapsectz right/UTC" to chrony.conf. The most prominent new option is "smear" which will add leapsecmode slew maxslewrate 1000 smoothtime 400 0.001 leaponly to chrony. See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for additional information (cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
2024-01-21dhcp: T3316: add deprecation warning on RAW ISC DHCPD optionsChristian Breunig
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while moving to KEA as DHCP server. * set service dhcp-server global-parameters * set service dhcp-server shared-network-name <name> shared-network-parameters * set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters Please open feature requests if any DHCP option is missing and should be added as a proper CLI node to make your life easier.
2024-01-19Merge pull request #2853 from c-po/sagittaChristian Breunig
dhcp: T5952: validate duplicate MAC and IP address in static-mappings incl. smoketests
2024-01-18conntrack: T5376: T5779: backport from currentChristian Breunig
Backport of the conntrack system from current branch. (cherry picked from commit fd0bcaf12) (cherry picked from commit 5acf5aced) (cherry picked from commit 42ff4d8a7) (cherry picked from commit 24a1a7059)
2024-01-18dhcp: T5952: validate duplicate MAC and IP address in static-mappings incl. ↵Christian Breunig
smoketests (cherry picked from commit 62a8ef29d6238d5b777c3e946c132aca16a813c3) (cherry picked from commit eb4cac98cb3790eb888d4ea7626781b9afbea8f4)