summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-05-21reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responsesAlex W
2024-05-18T5169: Allow to set CGNAT multiple internal poolsViacheslav Hletenko
Allow to set multiple CGNAT internal pools ``` set nat cgnat pool internal int-01 range '100.64.0.0/28' set nat cgnat pool internal int-01 range '100.64.222.11-100.64.222.14' ```
2024-05-18T6364: CGNAT drop hard limit that allows only one translation ruleViacheslav Hletenko
As PoC for CGNAT had a hard limit of using only one translation rule for one internal pool. Drop this limit and extend the usage number of the rules. ``` set nat cgnat rule 100 source pool 'int-01' set nat cgnat rule 100 translation pool 'ext-01' set nat cgnat rule 120 source pool 'vyos-int-02' set nat cgnat rule 120 translation pool 'vyos-ext-02' ```
2024-05-17Merge pull request #3472 from nvollmar/T6358Christian Breunig
T6358: Container config option to enable host pid
2024-05-17T6358: Add config option for host process namespaceNicolas Vollmar
2024-05-17T6358: Remove duplicate host name handlingNicolas Vollmar
2024-05-17Merge pull request #3464 from sever-sever/T6351Daniil Baturin
T6351: CGNAT add verification if the pool exists
2024-05-16T6351: CGNAT add verification if the pool existsViacheslav Hletenko
Add verification if the external/internal pools are exists before we can use them in the source and translation rules
2024-05-16T6347: CGNAT fix error if pool contain dashes in the nameViacheslav Hletenko
2024-05-15T3900: add support for raw table in firewall.Nicolas Fort
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation.
2024-05-12Merge pull request #3447 from c-po/evpn-uplink-t6306Daniil Baturin
ethernet: T6306: add support for EVPN MH uplink/core tracking
2024-05-12suricata: T751: Initial support for suricataMaxime THIEBAUT
2024-05-11ethernet: T6306: add support for EVPN MH uplink/core trackingChristian Breunig
When all the underlay links go down the PE no longer has access to the VxLAN +overlay. To prevent blackholing of traffic the server/ES links are protodowned on the PE. A link can be setup for uplink tracking via the following configuration: set interfaces ethernet eth0 evpn uplink
2024-05-10Merge pull request #3410 from fett0/T6303Christian Breunig
Bond: T6303: add system mac address on interfaces bond
2024-05-10bond: T6303: system-mac is not allowed to be a multicast MAC addressChristian Breunig
2024-05-08bridge: T6317: add dependency call for wireless interfacesChristian Breunig
2024-05-08bridge: T6317: call dependency when deleting bridge memberChristian Breunig
2024-05-07bgp: T6082: Allow the same local-as and remote-as in one peer groupkhramshinr
2024-05-02qos: T6225: Fix qos random-detect policykhramshinr
Fix default values for random-detect Remove dsmakr qdisc from gred cofig because dsmark was deleted from kernel
2024-05-01Merge pull request #3392 from c-po/bgp-evpn-T6189Christian Breunig
bgp: T6189: L3VPN connectivity is broken after re-enabling VRF
2024-05-01bgp: T6189: explicitly call vtysh to remove VRF L3VNI configurationChristian Breunig
After e7bb65894 ("vrf: T6189: render FRR L3VNI configuration when creating VRF instance") we need to ensure that the VRF L3VNI configuration is removed in FRR prior to removing the BGP VRF instance. The reason is [1] where FRR only allows VRF BGP instance to be removed when there is NO VNI configured anymore. 1: https://github.com/FRRouting/frr/blob/064c3494527b9e84260410006768ed38e57e1de7/bgpd/bgp_vty.c#L1646-L1650
2024-05-01vrf: T6189: render FRR L3VNI configuration when creating VRF instanceChristian Breunig
When adding and removing VRF instances on the fly it was noticed that the vni statement under the VRF instance in FRR vanishes. This was caused by a race condition which was previously designed to fix another bug. The wierd design of a Python helper below the VRF tree to only generate the VNI configuration nodes is now gone and all is rendered in the proper place.
2024-05-01Merge pull request #3364 from natali-rs1985/T6234-currentDaniil Baturin
pppoe-server: T6234: PPPoE-server pado-delay refactoring
2024-05-01T6056: Change static-host-mapping shold not restart snmpdViacheslav Hletenko
We have several config XML definitions that use the same python3 script `system_host-name.py` https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_name-server.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_host-name.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_static-host-mapping.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_domain-name.xml.in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_domain-search.xml.in Any change in these scripts calls to restart the `service snmpd` The service `snmpd` should be restarted only if `host-name` or `domain-name` was changed. It is a good idea to rewrite it to `get_config_dict` in the future.
2024-04-30Merge pull request #3368 from sever-sever/T6267Christian Breunig
T6267: Check interface wireless module before apply config
2024-04-30T6267: Check interface wireless module before apply configViacheslav Hletenko
Check if the wireless device/modem exists in the system and the module `ieee802111` was loaded In cases where we do not have wireless devices, it prevents the unexpected traceback ``` set interfaces wireless wlan0 address 192.0.2.5/32 commit Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 269, in <modu> c = get_config() ^^^^^^^^^^^^ File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 104, in get_cg tmp = find_other_stations(conf, base, wifi['ifname']) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 54, in find_os for phy in os.listdir('/sys/class/ieee80211'): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FileNotFoundError: [Errno 2] No such file or directory: '/sys/class/ieee80211' ```
2024-04-29T6272: Changed interface existence verification in pppoe/ipoe to Warningaapostoliuk
Throwing Warning message instead of Error if interface which is used in pppoe/ipoe does not exist.
2024-04-25Merge pull request #3363 from sever-sever/T6263Christian Breunig
T6263: Groups 224.0.0.0/24 are reserved and cannot be joined
2024-04-25Merge pull request #3316 from HollyGurza/T4248Daniil Baturin
qos: T4248: Allow to remove the only rule from the qos class
2024-04-25pppoe-server: T6234: PPPoE-server pado-delay refactoringNataliia Solomko
2024-04-25T6263: Groups 224.0.0.0/24 are reserved and cannot be joinedViacheslav Hletenko
The join addresses within the multicast group 224.0.0.0/24 are reserved and cannot be joined FRR ``` r4(config)# interface eth2 r4(config-if)# ip igmp join 224.0.0.0 224.0.0.10 % Configuration failed. Error type: validation Error description: Groups within 224.0.0.0/24 are reserved and cannot be joined r4(config-if)# ``` Add verify check
2024-04-24T5833: Not all AFIs compatible with VRF add verify checkViacheslav Hletenko
Not all FRR address-families compatibe with VRF ``` r4# conf t r4(config)# router bgp 65001 vrf bgp r4(config-router)# r4(config-router)# address-family ipv4 flowspec Only Unicast/Multicast/EVPN SAFIs supported in non-core instances. r4(config-router)# r4(config-router)# address-family ipv4 labeled-unicast Only Unicast/Multicast/EVPN SAFIs supported in non-core instances. r4(config-router)# r4(config-router)# address-family ipv4 vpn Only Unicast/Multicast/EVPN SAFIs supported in non-core instances. r4(config-router)# ``` Add verify AFI for VRF
2024-04-21T6246: improve haproxy http check configurationNicolas Vollmar
2024-04-18Merge pull request #3326 from sever-sever/T6221Daniil Baturin
T6221: Return default ip rule values after deleting VRF
2024-04-18pki: T6241: do not call dependency before its initializationJohn Estabrook
2024-04-18T6221: Return default ip rule values after deleting VRFViacheslav Hletenko
Fix for restoring default ip rule values after deleting VRF Defult values: ``` $ ip rule 0: from all lookup local 32766: from all lookup main 32767: from all lookup default ``` After adding and deleting a VRF we get unexpected values: ``` $ ip rule 1000: from all lookup [l3mdev-table] 2000: from all lookup [l3mdev-table] unreachable 32765: from all lookup local 32766: from all lookup main 32767: from all lookup default ```
2024-04-16Merge pull request #3315 from Embezzle/T6242Daniil Baturin
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates
2024-04-16qos: T4248: Allow to remove the only rule from the qos classkhramshinr
2024-04-15T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify ↵Alex W
server certificates
2024-04-15Merge pull request #3311 from sarthurdev/T6241John Estabrook
pki: T6241: Fix dependency updates on PKI changes
2024-04-15Merge pull request #3309 from nicolas-fort/T5535Daniil Baturin
T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-optinos
2024-04-15pki: T6241: Fix dependency updates on PKI changessarthurdev
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos
2024-04-15T5734: OpenVPN check PKI DH name exists if DH configuredViacheslav Hletenko
Check if DH is configured for OpenVPN but does not exist in the PKI section ``` set pki dh dh-correct parameters 'xxxx' set interfaces openvpn vtun10 tls dh-params 'dh-fake' File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki pki_dh = pki['dh'][tls['dh_params']] ~~~~~~~~~^^^^^^^^^^^^^^^^^^ KeyError: 'dh-fake' ```
2024-04-12pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions ↵Nataliia Solomko
fails (#3296)
2024-04-11Merge pull request #3274 from sever-sever/T5169Daniil Baturin
T5169: Add PoC for generating CGNAT rules rfc6888
2024-04-09container: T6218: fix host IPv6 link-local address for VRF networksJonathan Voss
2024-04-09T5169: Add PoC for generating CGNAT rules rfc6888Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ```
2024-04-07kea: T3316: Ensure correct permissions on lease filessarthurdev