summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-07-25Merge pull request #3843 from vyos/mergify/bp/sagitta/pr-3841Christian Breunig
T6599: ipsec: support disabling rekey of CHILD_SA, converge and fix defaults (backport #3841)
2024-07-24vrf: T6602: verify supplied VRF name on all interface typesChristian Breunig
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF actually exists. If this is not validated, one can pass an invalid VRF to the system which generates an OSError exception. To reproduce set interfaces vxlan vxlan1 vni 1000 set interfaces vxlan vxlan1 remote 1.2.3.4 set interfaces vxlan vxlan1 vrf smoketest results in OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt This commit adds the missing verify_vrf() call to the missing interface types and an appropriate smoketest for all interfaces supporting VRF assignment. (cherry picked from commit dd0ebffa33728e452ac6e11737c2283f0e390359)
2024-07-23wireless: T6597: improve hostapd startup and corresponding smoketestsChristian Breunig
This was found during smoketesting as thoase started to repeadingly fail in the last weeks File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py", line 534, in test_wireless_security_station_address self.assertTrue(process_named_running('hostapd')) AssertionError: None is not true Digging into this revealed that this is NOT related to the smoketest coding but to hostapd/systemd instead. With a configured WIFI interface and calling: "sudo systemctl reload-or-restart hostapd@wlan1" multiple times in a short period caused systemd to report: "Jul 18 16:15:32 systemd[1]: hostapd@wlan1.service: Deactivated successfully." According to the internal systemd logic used in our version this is explained by: /* If there's a stop job queued before we enter the DEAD state, we shouldn't act on Restart=, in order to not * undo what has already been enqueued. */ if (unit_stop_pending(UNIT(s))) allow_restart = false; if (s->result == SERVICE_SUCCESS) s->result = f; if (s->result == SERVICE_SUCCESS) { unit_log_success(UNIT(s)); end_state = SERVICE_DEAD;` Where unit_log_success() generates the log message in question. Improve the restart login in the wireless interface script and an upgrade to hostapd solved the issue. (cherry picked from commit a67f49d99eda00998c425f9a663e138dbd0f7755)
2024-07-23wireless: T6320: add 802.11ax at 6GHzAlain Lamar
Authored-By: Alain Lamar <alain_lamar@yahoo.de> (cherry picked from commit d5e988ba2d0fa0189feff22374c9b46eb49e2e79)
2024-07-23openvpn: T3834: verify() is not allowed to change anything on the system (#3851)mergify[bot]
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix opmode commands") added a code path into verify() which removed files on the system if TOTP was not defined. This commit moves the code path to the appropriate generate() function. (cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482) Co-authored-by: Christian Breunig <christian@breunig.cc>
2024-07-22T6599: ipsec: fix incorect default behavior for dead-peer-detectionLucas Christian
(cherry picked from commit 23a3419d512139650cfe3dc76759b370b0c0c3d6)
2024-07-21vrf: T6592: remove unused import get_interface_configChristian Breunig
Remove unused import (left over) from commit 36f3791e0 ("utils: migrate to new get_vrf_tableid() helper") (cherry picked from commit b551f542c5c906c901e3be37ad3fd68c8248473d)
2024-07-20utils: migrate to new get_vrf_tableid() helperChristian Breunig
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances failed") introduced a new helper to retrieve the VRF table ID from the Kernel. This commit migrates the old code path where the individual fields got queried to the new helper vyos.utils.network.get_vrf_tableid(). (cherry picked from commit 36f3791e0c15267483d59a3bb74465811d08df88)
2024-07-18T6523: Telegraf use nft scripts only if the firewall configuredViacheslav Hletenko
If a firewall is not configured there is no reason to get and execute telegraf firewall custom scripts as there are no nft chain in the firewall nftables configuration (cherry picked from commit ebff0c481907ac0c2c0be9981c3c3d87caf3003b)
2024-06-28T6477: Add telegraf loki output pluginViacheslav Hletenko
Add Loki plugin to telegraf set service monitoring telegraf loki url xxx (cherry picked from commit 3365eb7ab99fa9a259fe440eb51e82fc0a0a4dc6)
2024-06-24T3202: add single variable for Kernel dynamic debug settingsChristian Breunig
(cherry picked from commit 9495f904fcc157521ca001ee21cf31be28a6b3a0)
2024-06-24T3202: Enable wireguard debug messagesNataliia Solomko
(cherry picked from commit d818788932e3c57d020cca9236df7275da452fce)
2024-06-24Merge pull request #3709 from vyos/mergify/bp/sagitta/pr-3677Christian Breunig
T5949: Add option to disable USB autosuspend (backport #3677)
2024-06-24Merge pull request #3689 from vyos/mergify/bp/sagitta/pr-3682Christian Breunig
openconnect: T6500: add support for multiple ca-certificates (backport #3682)
2024-06-24pki: T6241: remove debug print statement about updated subsystems (#3670)mergify[bot]
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added a print() statement which notified the users about the subsystems which got supplied with an updated certificate. Example: > PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0 > PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1 This is an informational message which should maybe (if needed) be sent to syslog. But the main issue is that CLI paths are mangled (- to _) which makes the about print output wrong and could potentially confuse users. Statement has been commented to be re-enabled for debugging. (cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0) Co-authored-by: Christian Breunig <christian@breunig.cc>
2024-06-22T5949: Add option to disable USB autosuspendkhramshinr
(cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)
2024-06-20openconnect: T6500: add support for multiple ca-certificatesChristian Breunig
Add possibility to provide a full CA chain to the openconnect server. * Support multiple CA certificates * For every CA certificate specified, always determine the full certificate chain in the background and add the necessary SSL certificates (cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)
2024-06-19macsec: T5447: fix error message syntax - there is no tx and rx key, only keyChristian Breunig
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
2024-06-11T6219: Add support for container sysctl parameter (backport #3614) (#3629)mergify[bot]
* container: T6219: Add support for container sysctl / kernel parameters (cherry picked from commit 717ea64e4c54a8be619ffc29c16c6203b29319dd) * T6219: align with system sysctl and limit parameters to supported (cherry picked from commit f030464952168b553b5b3e29b461d437c2642a9b) --------- Co-authored-by: Ben Pilgrim <ben@pilgrim.me.uk> Co-authored-by: Nicolas Vollmar <nvollmar@gmail.com>
2024-06-10vyos.utils: T5195: import vyos.cpu to this packageChristian Breunig
The intention of vyos.utils package is to have a common ground for repeating actions/helpers. This is also true for number of CPUs and their respective core count. Move vyos.cpu to vyos.utils.cpu (cherry picked from commit e318eb33446de47835480d4b8f1646b39fb5c388)
2024-06-10pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)Christian Breunig
The haproxy reverse proxy was not reloaded/restarted with the new SSL certificate(s) after a change in the PKI subsystem. This was due to missing dependencies. (cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
2024-06-09reverse-proxy: T6454: Set default value of http for haproxy modeAlex W
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
2024-06-03bfd: T6440: BFD peer length typoHannes Tamme
(cherry picked from commit 5490c76f9b9f53751fc527f455090f0a3820e8fe)
2024-06-03reverse-proxy: T6434: Support additional healthcheck options (#3574) (#3577)mergify[bot]
(cherry picked from commit 3e5cc0b7fb8ae4a0f8b7c9270d9db0a0f252c448) Co-authored-by: Alex W <embezzle.dev@proton.me>
2024-05-31T6422: Smoke test for NS record configration in authoritative DNS, typo & ↵Haim Gelfenbeyn
style fixes (cherry picked from commit f2d0701f50061374b5a4f55d33201629b3293248)
2024-05-31dns: T6422: allow multiple redundant NS recordsHaim Gelfenbeyn
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported. (cherry picked from commit 19d8415512dcf87dc3a87feabf128652ffc74594)
2024-05-30Merge pull request #3555 from vyos/mergify/bp/sagitta/pr-3546Christian Breunig
reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546)
2024-05-30reverse-proxy: T6419: build full CA chain for frontend SSL certificateChristian Breunig
(cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)
2024-05-30reverse-proxy: T6419: build full CA chain when verifying backend serverChristian Breunig
(cherry picked from commit d83a6e5c5dc7e97e773f08bec7ba377530baafc9)
2024-05-30reverse-proxy: T5231: remove frontend ca-certificate code pathChristian Breunig
The code path to handle the ca certificate used for the frontend service is removed, as there is no way on the XLI to define the CA certificate used for the frontend service. (cherry picked from commit 6000c47f068503522b0ccfe57c51f34ad9892e87)
2024-05-30container: T6406: fix NameError: name 'vyos' is not definedChristian Breunig
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function from the Python module. (cherry picked from commit 8439f8a43e93c0560f1abfc2aa60990f521b4d4d)
2024-05-29openvpn: T6374: only check TLS role for s2s if TLS is configuredDaniil Baturin
(cherry picked from commit f4069582273e1ee9916dea7de1e6ec176db81bc6)
2024-05-28openvpn: T6374: ensure that TLS role is configured for site-to-site with TLSDaniil Baturin
(cherry picked from commit 380e998b10341b6dd42bb94d00a9d7a462ada27a)
2024-05-28T6406: rename cpus to cpuNicolas Vollmar
(cherry picked from commit 74910564f82e2837cd7eb35ea21f07601e5f8f0d)
2024-05-28T6406: add container cpu limit optionNicolas Vollmar
(cherry picked from commit 81dea053e7178b8fea836a85aacde2a38ffb9e09)
2024-05-27reverse-proxy: T6402: Fix invalid checks in validation scriptAlex W
(cherry picked from commit d4d70929a81b2ee1f66a9412a3545911b3874a62)
2024-05-26dhcpv6-server: T3493: add proper validation for prefix-delegation start/stop ↵Christian Breunig
address ISC DHCP server expects a string: "prefix6 2001:db8:290:: 2001:db8:29f:: /64;" where the IPv6 prefix/range must be :: terminaated with a delegated prefix length at the end. This commit changes the validator that the IPv6 address defined on the CLI must always end with ::. In addition a verify() step is added to check that the stop address is greater than start address.
2024-05-26Revert "dhcpv6-server: T3493: adds prefix range validation"Christian Breunig
This reverts the prefix start/stop address must be inside network part from commit 4cde0b8ce778d269d3fe1d4f33ba5b2caf424181.
2024-05-23reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responsesAlex W
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
2024-05-23nat66: T6365: remove warnings for negated interface selections by nameChristian Breunig
(cherry picked from commit 59781ff365a5e1b15ef6c4c2481f3d3815548b9d)
2024-05-22nat: T6365: use interface_exists() over netifaces.interfaces()Christian Breunig
(cherry picked from commit 645c43ba60d29ca676a4323ccc5ca16c6bd8127a)
2024-05-22nat: T6365: use string startswith() over [0] index accessChristian Breunig
(cherry picked from commit 3870247517741ce23e2fcee8aaa1d194f0ad621b)
2024-05-22nat: T6365: remove warnings for negated interface selections by nameRyazanov Alexander Mihailovich
(cherry picked from commit 03eae30b27433055ddc10f09fc134b83e9bd6cec)
2024-05-21dhcpv6-server: T3493: adds prefix range validation and fixes typos in select ↵Giggum
ConfigError messages
2024-05-17T6358: Add config option for host process namespaceNicolas Vollmar
(cherry picked from commit f5051de4fc034bd95677ef142423e59eae47cd2f)
2024-05-17T6358: Remove duplicate host name handlingNicolas Vollmar
(cherry picked from commit 240f199cdfadbc12ce713dae74c8db3af44a398c)
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation. (cherry picked from commit 7c438caa2c21101cbefc2eec21935ab55af19c46)
2024-05-12ethernet: T6306: add support for EVPN MH uplink/core trackingChristian Breunig
When all the underlay links go down the PE no longer has access to the VxLAN +overlay. To prevent blackholing of traffic the server/ES links are protodowned on the PE. A link can be setup for uplink tracking via the following configuration: set interfaces ethernet eth0 evpn uplink (cherry picked from commit 5565f27d15c5e7378e94aae8db8a894a12e25d7b)
2024-05-10Merge pull request #3440 from vyos/mergify/bp/sagitta/pr-3430Christian Breunig
bridge: T6317: add dependency call for wireless interfaces (backport #3430)
2024-05-10bond: T6303: system-mac is not allowed to be a multicast MAC addressChristian Breunig
(cherry picked from commit d8ddd7191d3004e886fa45a2cf9bd8dd5e7f5e14)