summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-08-05sysctl: T3204: restore sysctl setttings overwritten by tunedChristian Breunig
2024-08-05Merge branch 'current' into feature/T4694/gre-match-fieldsChristian Breunig
2024-08-05Merge pull request #3920 from fett0/T6555Christian Breunig
OPENVPN: T6555: add server-bridge options in mode server
2024-08-05Merge pull request #3939 from c-po/unused-importsChristian Breunig
T5873: T6619: remove unused imports
2024-08-04firewall: T4694: Adding GRE flags & fields matches to firewall rulesAndrew Topp
* Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest
2024-08-04Merge pull request #3901 from nicolas-fort/T4072-extend-bridge-fwallChristian Breunig
T4072: firewall extend bridge firewall
2024-08-04ipsec: T5873: remove unused importsChristian Breunig
2024-08-04multicast: T6619: remove unused importsChristian Breunig
2024-08-02Merge pull request #3933 from jestabro/add-missing-standard-funcDaniil Baturin
T6632: add missing standard functions to config scripts
2024-08-02Merge pull request #3932 from jestabro/check-kmod-under-configdDaniil Baturin
T6629: call check_kmod within a standard config function
2024-08-02T6619: Remove the remaining uses of per-protocol FRR configs (#3916)Roman Khramshin
2024-08-02OPENVPN: T6555: fix name to bridgefett0
2024-08-02T6632: add missing standard functions to config scriptsJohn Estabrook
2024-08-02OPENVPN: T6555: fix name to bridgefett0
2024-08-02T6629: call check_kmod within a standard config functionJohn Estabrook
Move the remaining calls to check_kmod within a standard function, with placement determined by the needs of the config script.
2024-08-02Merge pull request #3927 from jestabro/nat64-check-kmodDaniil Baturin
nat64: T6627: call check_kmod within standard config function
2024-08-02nat64: T6627: call check_kmod within standard config functionJohn Estabrook
Functions called from config scripts outside of the standard functions get_config/verify/generate/apply will not be called when run under configd. Move as appropriate for the general config script structure and the specific script requirements.
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01Merge pull request #3923 from c-po/console-T3334Christian Breunig
console: T3334: remove unused directories imported from vyos.defaults
2024-08-01T4072: firewall: improve error handling when firewall configuration is ↵Nicolas Fort
wrong. Use nft -c option to check temporary file, and use output provided by nftables to parse the error if possible, or print it as it is if it's an unknown error
2024-08-01Merge pull request #3221 from lucasec/t5873Christian Breunig
T5873: ipsec remote access VPN: support VTI interfaces.
2024-08-01console: T3334: remove unused directories imported from vyos.defaultsChristian Breunig
2024-07-31OPENVPN: T6555: add server-bridge options in mode serverfett0
2024-07-30Merge pull request #3698 from talmakion/bugfix/T3334Christian Breunig
system: op-mode: T3334: allow delayed getty restart when configuring serial ports
2024-07-30system: op-mode: T3334: allow delayed getty restart when configuring serial ↵Andrew Topp
ports * Created op-mode command "restart serial console" * Relocated service control to vyos.utils.serial helpers, used by conf- and op-mode serial console handling * Checking for logged-in serial sessions that may be affected by getty reconfig * Warning the user when changes are committed and serial sessions are active, otherwise restart services as normal. No prompts issued during commit, all config gen/commit steps still occur except for the service restarts (everything remains consistent) * To apply committed changes, user will need to run "restart serial console" to complete the process or reboot the whole router * Added additional flags and target filtering for generic use of helpers.
2024-07-30Merge pull request #3883 from c-po/vrf-conntrackChristian Breunig
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
2024-07-30pbr: T6430: refactor to use vyos.utils.network.get_vrf_tableid()Christian Breunig
Commit 452068ce78 ("interfaces: T6592: moving an interface between VRF instances failed") added a similar but more detailed implementation of get_vrf_table_id() that was added in commit adeac78ed of this PR. Move to the common available implementation.
2024-07-30pbr: T6430: Allow forwarding into VRFs by name as well as route table IDsAndrew Topp
* PBR can only target table IDs up to 200 and the previous PR to extend the range was rejected * PBR with this PR can now also target VRFs directly by name, working around targeting problems for VRF table IDs outside the overlapping 100-200 range * Validation ensures rules can't target both a table ID and a VRF name (internally they are handled the same) * Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone(). It does not replace that usage, as it deliberately does not handle non-VRF interface lookups (would fail with a KeyError). * Added route table ID lookup dict, global route table and VRF table defs to vyos.defaults. Table ID references have been updated in code touched by this PR. * Added a simple smoketest to validate 'set vrf' usage in PBR rules
2024-07-29Merge pull request #3804 from HollyGurza/T6362Daniil Baturin
T6362: Create conntrack logger daemon
2024-07-29Merge pull request #3823 from srividya0208/T6571Daniil Baturin
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
2024-07-28firewall: T4694: Adding rt ipsec exists/missing match to firewall configs ↵talmakion
(#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-07-26T5873: vpn ipsec: ignore dhcp/vti settings when connection disabledLucas Christian
2024-07-26T5873: vpn ipsec: re-write of ipsec updown hookLucas Christian
2024-07-26vrf: T6603: improve code runtime when retrieving info from nftables vrf zoneChristian Breunig
2024-07-26vrf: T6603: conntrack ct_iface_map must only contain one entry for ↵Christian Breunig
iifname/oifname When any of the following features NAT, NAT66 or Firewall is enabled, for every VRF on the CLI we install one rule into nftables for conntrack: chain vrf_zones_ct_in { type filter hook prerouting priority raw; policy accept; counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map } This is superfluous.
2024-07-25OpenVPN CLI-option: T6571: rename ncp-ciphers with data-cipherssrividya0208
2024-07-24Merge pull request #3856 from c-po/verify-vrfChristian Breunig
vrf: T6602: verify supplied VRF name on all interface types
2024-07-24Merge pull request #3853 from natali-rs1985/T5552-currentChristian Breunig
system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by TuneD
2024-07-23vrf: T6602: verify supplied VRF name on all interface typesChristian Breunig
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF actually exists. If this is not validated, one can pass an invalid VRF to the system which generates an OSError exception. To reproduce set interfaces vxlan vxlan1 vni 1000 set interfaces vxlan vxlan1 remote 1.2.3.4 set interfaces vxlan vxlan1 vrf smoketest results in OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt This commit adds the missing verify_vrf() call to the missing interface types and an appropriate smoketest for all interfaces supporting VRF assignment.
2024-07-23system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls ↵Nataliia Solomko
by TuneD
2024-07-22Merge pull request #3827 from HollyGurza/T6525Christian Breunig
T6525: Add default dir for ext-scripts without absolute path
2024-07-22T5873: vpn ipsec remote-access: support VTI interfacesLucas Christian
2024-07-22Merge pull request #3850 from c-po/openvpn-totp-T3834Christian Breunig
openvpn: T3834: verify() is not allowed to change anything on the system
2024-07-22Merge pull request #3839 from c-po/unused-importsChristian Breunig
vrf: T6592: remove unused import get_interface_config
2024-07-22openvpn: T3834: verify() is not allowed to change anything on the systemChristian Breunig
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix opmode commands") added a code path into verify() which removed files on the system if TOTP was not defined. This commit moves the code path to the appropriate generate() function.
2024-07-22Merge pull request #3833 from c-po/wifi-fixChristian Breunig
wireless: T6597: improve hostapd startup and corresponding smoketests
2024-07-22T6599: ipsec: fix incorect default behavior for dead-peer-detectionLucas Christian
2024-07-21vrf: T6592: remove unused import get_interface_configChristian Breunig
Remove unused import (left over) from commit 36f3791e0 ("utils: migrate to new get_vrf_tableid() helper")
2024-07-20utils: migrate to new get_vrf_tableid() helperChristian Breunig
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances failed") introduced a new helper to retrieve the VRF table ID from the Kernel. This commit migrates the old code path where the individual fields got queried to the new helper vyos.utils.network.get_vrf_tableid().
2024-07-20wireless: T6597: improve hostapd startup and corresponding smoketestsChristian Breunig
This was found during smoketesting as thoase started to repeadingly fail in the last weeks File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py", line 534, in test_wireless_security_station_address self.assertTrue(process_named_running('hostapd')) AssertionError: None is not true Digging into this revealed that this is NOT related to the smoketest coding but to hostapd/systemd instead. With a configured WIFI interface and calling: "sudo systemctl reload-or-restart hostapd@wlan1" multiple times in a short period caused systemd to report: "Jul 18 16:15:32 systemd[1]: hostapd@wlan1.service: Deactivated successfully." According to the internal systemd logic used in our version this is explained by: /* If there's a stop job queued before we enter the DEAD state, we shouldn't act on Restart=, in order to not * undo what has already been enqueued. */ if (unit_stop_pending(UNIT(s))) allow_restart = false; if (s->result == SERVICE_SUCCESS) s->result = f; if (s->result == SERVICE_SUCCESS) { unit_log_success(UNIT(s)); end_state = SERVICE_DEAD;` Where unit_log_success() generates the log message in question. Improve the restart login in the wireless interface script and an upgrade to hostapd solved the issue.