summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2021-08-24container: T3769: disable bridge "hairpinMode" modeChristian Poessinger
After commit 209ce3d9 ("container: T3769: when container networks are used, always bridge the networks") IP masquerading (NAT) was disabled. No need to keep the haipin flag.
2021-08-23container: T3769: when container networks are used, always bridge the networksChristian Poessinger
As VyOS is a network operation system with bridging and NATing available from the VyOS CLI, it makes no sense to let podman do it's own sort of "NAT". If one really want's to NAT into a container, use the VyOS CLI to do so. If you wan't to bridge your networks, use the VyOS CLI to do so.
2021-08-23container: T2216: add option to "disable" a containerChristian Poessinger
2021-08-23container: T2216: verify() volume pathsChristian Poessinger
Volumes must have both a source and destination path specified. Also the source path must exist on the current system.
2021-08-23container: T2216: bugfix ValueError when assembling volumesChristian Poessinger
A call to .items() was missing that triggered the following error: ValueError: too many values to unpack (expected 2)
2021-08-23container: T2216: no need to query container statusChristian Poessinger
As VyOS CLI is the only truth for dealing with containers we do not need to query if a container is running, exists or what so ever. We simply always restart it if something changes and do not rely on the underlaying Linux status. If a users does container stuff under the hood - it will be overridden.
2021-08-23containers: T2216: restructure container_base_cmd to have image name at the endChristian Poessinger
2021-08-23containers: T2216: add CLI commands to specify restart behavior and memory usageChristian Poessinger
A container is limited to 256MB memory by default and will always restart on failure.
2021-08-23containers: T2216: xml: impove help string for address commandChristian Poessinger
2021-08-23containers: T2216: add missing verify() step on environment variablesChristian Poessinger
A environment variable MUST always have a value specified. Non existing values will cause the following error: Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/containers.py", line 269, in <module> apply(c) File "/usr/libexec/vyos/conf_mode/containers.py", line 224, in apply env_opt += " -e ".join(f"{k}={v['value']}" for k, v in container_config['environment'].items()) File "/usr/libexec/vyos/conf_mode/containers.py", line 224, in <genexpr> env_opt += " -e ".join(f"{k}={v['value']}" for k, v in container_config['environment'].items()) KeyError: 'value'
2021-08-21pppoe: T3090: migrate to vyos.ifconfig library to use the full potentialChristian Poessinger
Now that MSS clamping is done on the "per-interface" level the entire PPPoE stuff would have needed to get a full copy in GNU BASH for this or, participate in the common library. Add a new PPP ip-up script named 99-vyos-pppoe-callback which will call the vyos.ifconfig.PPPoEIf.update() function to configure everything as done with all other interfaces. This removes duplicated code for VRF assignment and route installation when a PPPoE interface is brought up or down.
2021-08-21wwan: T3620: remove superfluous import statementChristian Poessinger
WWAN does no londer need to render any configuration files.
2021-08-21interfaces: T3090: migrate adjust-mss from "firewall options" to "interface" ↵Christian Poessinger
level Getting rid of "set firewall options" and move it from: set firewall options interface ethX adjust-mss 1400 set firewall options interface ethX adjust-mss6 1400 to: set interfaces ethernet ethX ip adjust-mss 1400 set interfaces ethernet ethX ipv6 adjust-mss 1400 In addition add an extra option called clamp-mss-to-pmtu instead of a value.
2021-08-20bgp: T3759: add IPv4/IPv6 unicast AFI route-map for VPN import/exportChristian Poessinger
This adds the following new commands: set protocols bgp address-family ipv4-unicast route-map vpn export foo-map-out set protocols bgp address-family ipv4-unicast route-map vpn import foo-map-in set protocols bgp address-family ipv6-unicast route-map vpn export foo-map-out set protocols bgp address-family ipv6-unicast route-map vpn import foo-map-in
2021-08-18bgp: evpn: T1513: VNI rt and rd are only supported under EVPN VRFChristian Poessinger
2021-08-18nat: T2198: remove superfluous else clause on missing outbound-interfaceChristian Poessinger
2021-08-18nptv6: T2518: remove superfluous else clause on missing outbound-interfaceChristian Poessinger
2021-08-18nptv6: T2518: add missing verify() stage for mandatory translation addressChristian Poessinger
2021-08-18nat66: ndppd: T2518: rename Jinja2 template folder to match common naming ↵Christian Poessinger
convention
2021-08-17bgp: T3759: add l3vpn "import vrf" commandsChristian Poessinger
2021-08-17bgp: T2771: adjust verify() logic to common coding style for validationChristian Poessinger
2021-08-16conntrack: T3579: bugfix when deleting non existent iptable rulesChristian Poessinger
We only delete iptables rules if they really exist - if we try to delete a non- existing rule a PermissionError exception is thrown. We could either ignore the error code (that is what the old Vyatta code did), or we check what we are doing beforehand.
2021-08-16conntrack: T3579: remove debug print()Christian Poessinger
2021-08-16ospf: T3757: verify() bugfix for interface areaChristian Poessinger
Commit 6f87d8c9 ("ospf: T3757: support to configure area at an interface level") did not allow the old way an area and netwokr was set-up as the if expression was missing a check if 'area' was set in both the interface and the ospf process.
2021-08-15pbr: T3702: Fix incorrect splits for fwmarkViacheslav
2021-08-15ospf: T3757: support to configure area at an interface levelChristian Poessinger
FRR supports configuring either network prefixes per area, or assign an interface to an area to participate in the routing process. This is already well known from other venders and supported by FRR. A valid VyOS OSPF configuration would then look like: vyos@vyos# show protocols ospf { interface dum0 { area 0 } interface eth0.201 { area 0 authentication { md5 { key-id 10 { md5-key vyos } } } dead-interval 40 hello-interval 10 priority 1 retransmit-interval 5 transmit-delay 1 } log-adjacency-changes { detail } parameters { abr-type cisco router-id 172.18.254.201 } passive-interface default passive-interface-exclude eth0.201 }
2021-08-15Merge pull request #944 from sever-sever/T3702Christian Poessinger
pbr: T3702: Add rules match fwmark
2021-08-15conntrack: T3275: migrate 'disable' syntax to 'enable' syntax for the new ↵Lulu Cathrinus Grimalkin
default behavior
2021-08-14ospf: T3236: use proper daemon named template fileChristian Poessinger
2021-08-13vrf: T3734: T3728: vni must be configured with a higher priority then bgpdChristian Poessinger
When removing bgp (vrf) instances the assigned VRF vni must be deleted from FRR prior the removal of the bgp settings (T3734). This is now done by moving the CLI command "set vrf name red vni 1000" to a dedicated Python script with a priority higher then bgp.
2021-08-13openvpn: T3738: Disable authentication option for server modeViacheslav
2021-08-13Merge pull request #967 from sever-sever/T3708-currChristian Poessinger
isis: T3708: Fix errors in MTU calculation
2021-08-13isis: T3708: Fix errors in MTU calculationViacheslav
2021-08-12T3749: Moving some counters into the proper loopKroy
2021-08-10snmp: T3709: Allow enable oid ipCidrRouteTableViacheslav
2021-08-09ipsec: T3720: assigning vti secondary address caused interface in A/D stateChristian Poessinger
2021-08-08ipsec: l2tp: T2816: remove duplicate 3des-sha1-modp1024 proposalChristian Poessinger
2021-08-06frr: T3694: temporary disable VRF VNI assignmentChristian Poessinger
Somehow we hit a priority inversion here as we need to remove the VRF assigned VNI before we can remove a BGP bound VRF instance. Maybe move this to an individual helper script that set's up the VNI for the given VRF after any routing protocol (in our case this was triggered by running "make testc" when building an ISO image by the bgp-rpki config).
2021-08-06frr: T2175: remove no longer required loop when removing VRF VNIChristian Poessinger
This is a completing commit to a55585a833 ("frr: T2175: remove no longer required loop when removing routing protocols") that was missed out previously.
2021-08-04ipsec: T3718: fix default processing of ike dh-group proposalsChristian Poessinger
IKE dh-group defaults to 2 (modp1024).
2021-08-03isis: T1316: rename Jinja2 template to match other FRR daemonsChristian Poessinger
2021-08-02pbr: T3702: Add rules match fwmarkViacheslav
2021-08-01Merge pull request #943 from Cheeze-It/currentChristian Poessinger
isis: T3693: Adding IPv6 redistribution to ISIS
2021-07-31isis: T3693: Adding IPv6 redistribution to ISISCheeze_It
In this commit we add the ability to redistribute into ISIS for IPv6 address family.
2021-07-31bgp: vrf: T3694: cannot delete default BGP instance when VRF BGP instance existsChristian Poessinger
2021-07-30vyos.util: drop custom implementations in favor of is_systemd_service_running()Christian Poessinger
Commit f520182b ("vyos.util: add is_systemd_service_running() helper function") added a new helper function that can be used to check if a systemd service is running. Drop all custom implementations in favor of this library call.
2021-07-26ipsec: T1210: remote-access connections only work with IKEv2Christian Poessinger
2021-07-25ifconfig: T2653: obey conding styleChristian Poessinger
2021-07-25ipsec: T1210: add RADIUS authentication for remote-access IKEv2 VPNChristian Poessinger
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' set vpn ipsec remote-access connection rw authentication id '192.0.2.1' set vpn ipsec remote-access connection rw authentication server-mode 'x509' set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' set vpn ipsec remote-access connection rw esp-group 'ESP-RW' set vpn ipsec remote-access connection rw ike-group 'IKE-RW' set vpn ipsec remote-access connection rw local-address '192.0.2.1' set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' set vpn ipsec remote-access connection rw unique 'never' set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2' set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24' set vpn ipsec remote-access radius nas-identifier 'fooo' set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
2021-07-25ipsec: T1210: move DHCP server configuration unter remote-access nodeChristian Poessinger
As this is only related to remote-access, keeping it under "options" simply feels wrong.