summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation.
2024-05-12Merge pull request #3447 from c-po/evpn-uplink-t6306Daniil Baturin
ethernet: T6306: add support for EVPN MH uplink/core tracking
2024-05-11ethernet: T6306: add support for EVPN MH uplink/core trackingChristian Breunig
When all the underlay links go down the PE no longer has access to the VxLAN +overlay. To prevent blackholing of traffic the server/ES links are protodowned on the PE. A link can be setup for uplink tracking via the following configuration: set interfaces ethernet eth0 evpn uplink
2024-05-10Merge pull request #3410 from fett0/T6303Christian Breunig
Bond: T6303: add system mac address on interfaces bond
2024-05-10bond: T6303: system-mac is not allowed to be a multicast MAC addressChristian Breunig
2024-05-08bridge: T6317: add dependency call for wireless interfacesChristian Breunig
2024-05-08bridge: T6317: call dependency when deleting bridge memberChristian Breunig
2024-05-07bgp: T6082: Allow the same local-as and remote-as in one peer groupkhramshinr
2024-05-02qos: T6225: Fix qos random-detect policykhramshinr
Fix default values for random-detect Remove dsmakr qdisc from gred cofig because dsmark was deleted from kernel
2024-05-01Merge pull request #3392 from c-po/bgp-evpn-T6189Christian Breunig
bgp: T6189: L3VPN connectivity is broken after re-enabling VRF
2024-05-01bgp: T6189: explicitly call vtysh to remove VRF L3VNI configurationChristian Breunig
After e7bb65894 ("vrf: T6189: render FRR L3VNI configuration when creating VRF instance") we need to ensure that the VRF L3VNI configuration is removed in FRR prior to removing the BGP VRF instance. The reason is [1] where FRR only allows VRF BGP instance to be removed when there is NO VNI configured anymore. 1: https://github.com/FRRouting/frr/blob/064c3494527b9e84260410006768ed38e57e1de7/bgpd/bgp_vty.c#L1646-L1650
2024-05-01vrf: T6189: render FRR L3VNI configuration when creating VRF instanceChristian Breunig
When adding and removing VRF instances on the fly it was noticed that the vni statement under the VRF instance in FRR vanishes. This was caused by a race condition which was previously designed to fix another bug. The wierd design of a Python helper below the VRF tree to only generate the VNI configuration nodes is now gone and all is rendered in the proper place.
2024-05-01Merge pull request #3364 from natali-rs1985/T6234-currentDaniil Baturin
pppoe-server: T6234: PPPoE-server pado-delay refactoring
2024-05-01T6056: Change static-host-mapping shold not restart snmpdViacheslav Hletenko
We have several config XML definitions that use the same python3 script `system_host-name.py` https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_name-server.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_host-name.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_static-host-mapping.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_domain-name.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_domain-search.xml.in Any change in these scripts calls to restart the `service snmpd` The service `snmpd` should be restarted only if `host-name` or `domain-name` was changed. It is a good idea to rewrite it to `get_config_dict` in the future.
2024-04-30Merge pull request #3368 from sever-sever/T6267Christian Breunig
T6267: Check interface wireless module before apply config
2024-04-30T6267: Check interface wireless module before apply configViacheslav Hletenko
Check if the wireless device/modem exists in the system and the module `ieee802111` was loaded In cases where we do not have wireless devices, it prevents the unexpected traceback ``` set interfaces wireless wlan0 address 192.0.2.5/32 commit Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 269, in <modu> c = get_config() ^^^^^^^^^^^^ File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 104, in get_cg tmp = find_other_stations(conf, base, wifi['ifname']) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 54, in find_os for phy in os.listdir('/sys/class/ieee80211'): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FileNotFoundError: [Errno 2] No such file or directory: '/sys/class/ieee80211' ```
2024-04-29T6272: Changed interface existence verification in pppoe/ipoe to Warningaapostoliuk
Throwing Warning message instead of Error if interface which is used in pppoe/ipoe does not exist.
2024-04-25Merge pull request #3363 from sever-sever/T6263Christian Breunig
T6263: Groups 224.0.0.0/24 are reserved and cannot be joined
2024-04-25Merge pull request #3316 from HollyGurza/T4248Daniil Baturin
qos: T4248: Allow to remove the only rule from the qos class
2024-04-25pppoe-server: T6234: PPPoE-server pado-delay refactoringNataliia Solomko
2024-04-25T6263: Groups 224.0.0.0/24 are reserved and cannot be joinedViacheslav Hletenko
The join addresses within the multicast group 224.0.0.0/24 are reserved and cannot be joined FRR ``` r4(config)# interface eth2 r4(config-if)# ip igmp join 224.0.0.0 224.0.0.10 % Configuration failed. Error type: validation Error description: Groups within 224.0.0.0/24 are reserved and cannot be joined r4(config-if)# ``` Add verify check
2024-04-24T5833: Not all AFIs compatible with VRF add verify checkViacheslav Hletenko
Not all FRR address-families compatibe with VRF ``` r4# conf t r4(config)# router bgp 65001 vrf bgp r4(config-router)# r4(config-router)# address-family ipv4 flowspec Only Unicast/Multicast/EVPN SAFIs supported in non-core instances. r4(config-router)# r4(config-router)# address-family ipv4 labeled-unicast Only Unicast/Multicast/EVPN SAFIs supported in non-core instances. r4(config-router)# r4(config-router)# address-family ipv4 vpn Only Unicast/Multicast/EVPN SAFIs supported in non-core instances. r4(config-router)# ``` Add verify AFI for VRF
2024-04-21T6246: improve haproxy http check configurationNicolas Vollmar
2024-04-18Merge pull request #3326 from sever-sever/T6221Daniil Baturin
T6221: Return default ip rule values after deleting VRF
2024-04-18pki: T6241: do not call dependency before its initializationJohn Estabrook
2024-04-18T6221: Return default ip rule values after deleting VRFViacheslav Hletenko
Fix for restoring default ip rule values after deleting VRF Defult values: ``` $ ip rule 0: from all lookup local 32766: from all lookup main 32767: from all lookup default ``` After adding and deleting a VRF we get unexpected values: ``` $ ip rule 1000: from all lookup [l3mdev-table] 2000: from all lookup [l3mdev-table] unreachable 32765: from all lookup local 32766: from all lookup main 32767: from all lookup default ```
2024-04-16Merge pull request #3315 from Embezzle/T6242Daniil Baturin
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates
2024-04-16qos: T4248: Allow to remove the only rule from the qos classkhramshinr
2024-04-15T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify ↵Alex W
server certificates
2024-04-15Merge pull request #3311 from sarthurdev/T6241John Estabrook
pki: T6241: Fix dependency updates on PKI changes
2024-04-15Merge pull request #3309 from nicolas-fort/T5535Daniil Baturin
T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-optinos
2024-04-15pki: T6241: Fix dependency updates on PKI changessarthurdev
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos
2024-04-15T5734: OpenVPN check PKI DH name exists if DH configuredViacheslav Hletenko
Check if DH is configured for OpenVPN but does not exist in the PKI section ``` set pki dh dh-correct parameters 'xxxx' set interfaces openvpn vtun10 tls dh-params 'dh-fake' File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki pki_dh = pki['dh'][tls['dh_params']] ~~~~~~~~~^^^^^^^^^^^^^^^^^^ KeyError: 'dh-fake' ```
2024-04-12pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions ↵Nataliia Solomko
fails (#3296)
2024-04-11Merge pull request #3274 from sever-sever/T5169Daniil Baturin
T5169: Add PoC for generating CGNAT rules rfc6888
2024-04-09container: T6218: fix host IPv6 link-local address for VRF networksJonathan Voss
2024-04-09T5169: Add PoC for generating CGNAT rules rfc6888Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ```
2024-04-07kea: T3316: Ensure correct permissions on lease filessarthurdev
2024-04-07Merge pull request #3265 from c-po/ethernet-mtu-T5862Daniil Baturin
ethernet: T5862: default MTU is not acceptable in some environments
2024-04-07Merge pull request #3270 from c-po/login-T5875Daniil Baturin
login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'
2024-04-07dhcp: T6068: drop unused variable "failover_ok"Christian Breunig
2024-04-07container: T6208: fix AttributeError: 'ConfigDict' object has no attribute ↵Christian Breunig
'upper' Commit b30faa43c (container: T6208: rename "cap-add" CLI node to "capability") added an AttributeError referencing an out of scope variable. This has been fixed.
2024-04-06login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'Christian Breunig
Commit 1b364428f ("login: T5875: restore home directory permissions only when needed") added logic to chown the users home directory if it's UID changes. This might happen when a user account is deleted and re-added to the system. Under rar e circumstances it was possible that the implementation triggered Traceback (most recent call last): File "<stdin>", line 1, in <module> KeyError: 'getpwuid(): uid not found: XXXX' This has been fixed by re-arranging the code path with an additional try/except if the PW database information could not be retrieved leading to an implicit chown() of the home directory to the user beeing added.
2024-04-06container: T6208: rename "cap-add" CLI node to "capability"Christian Breunig
Containers have the ability to add Linux system capabilities to them, this is done using the "set container name <name> cap-add" command. The CLI node sounds off and rather should be "set container name <name> capability" instead as we use and pass a capability to a container and not add/invent new ones.
2024-04-06ipoe: T6205: error in migration script logic while renaming mac-address to ↵Christian Breunig
mac node The problem was introduced in [1] but the config migrator part unfortunately was added to the wrong version [2]. As IPoE config version 0 was only active during the 1.3 development cycle and VyOS 1.3.0 was already released with config version 1 we can safely drop the migrator 0-to-1 and move the code to 1-to-2 to properly support upgrades from VyOS 1.3 -> 1.4 or newer. 1: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-08291bf77870abe3af8bbe3e8ce4bbf344fd0498b2c5c75a75aa7235d381c88eL168 2: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-b8bb58b75607d3653e74d82eff02442f9f3ab82698f160ba37858f7cdf6c79ccR44-R46
2024-04-06ethernet: T5862: default MTU is not acceptable in some environmentsChristian Breunig
There are cloud environments available where the maximum supported ethernet MTU is e.g. 1450 bytes, thus we clamp this to the adapters maximum MTU value or 1500 bytes - whatever is lower.
2024-04-04Merge pull request #3238 from HollyGurza/T5943Daniil Baturin
bgp: T5943: BGP Peer-group members must be all internal or all external
2024-04-04Merge pull request #3214 from nicolas-fort/T6068-keaDaniil Baturin
T6068: dhcp-server: add command <set service dhcp-server high-availability mode>
2024-04-04bgp: T5943: BGP Peer-group members must be all internal or all externalkhramshinr