summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-03-28Merge pull request #3204 from vyos/mergify/bp/sagitta/pr-2965Daniil Baturin
T5872: ipsec remote access VPN: support dhcp-interface. (backport #2965)
2024-03-28ipsec: T5606: T5871: Use multi node for CA certificatessarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended. (cherry picked from commit 952b1656f5164f6cfc601e040b48384859e7a222)
2024-03-28T5872: re-write exit hook to always regenerate configLucas Christian
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
2024-03-28T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
2024-03-28dhcp-server: T4718: Listen-address is not commit if the ip address is on the ↵khramshinr
interface with vrf
2024-03-26bgp: T6106: fix test and verify()khramshinr
(cherry picked from commit 2ba435fa4bc8a5c9b2285fb9215ebc582bfb5fdf)
2024-03-24ospf: T6066: can not define the same network in different areasChristian Breunig
Users can not (FRR fails) commit the same network belonging to different OSPF areas. Add verify() check to prevent this. (cherry picked from commit c6d8d9c012da1a7566eec2dff70385457f073e64)
2024-03-22isis: T6160: NameError: name 'process' is not definedChristian Breunig
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain" node identifying the IS-IS process name). Drop all references to "process" variable. Specifying: set protocols isis interface eth1 set protocols isis net '49.0001.1921.6825.5255.00' set protocols isis redistribute ipv4 bgp Triggered an exception Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module> verify(c) File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify f'"protocols isis {process} redistribute {afi} {proto}"!') ^^^^^^^ NameError: name 'process' is not defined (cherry picked from commit 78212414e085d6261a32015553eb3e407f77792f)
2024-03-21conntrack: T6147: Enable conntrack when firewall state-policy is definedsarthurdev
* Move global state-policy smoketest to it's own test, verify conntrack (cherry picked from commit 62bda3b082a79c2f31483dba5bfeb19464f6dbe2)
2024-03-18T6136: add error checks when using dynamic firewall groupsNicolas Fort
(cherry picked from commit e2df1f4929774792c1d4bfb78c2dfa5bdf7f0825)
2024-03-13Merge pull request #3129 from vyos/mergify/bp/sagitta/pr-3125Daniil Baturin
radvd: T6118: add nat64prefix support RFC8781 (backport #3125)
2024-03-13radvd: T6118: add nat64prefix support RFC8781Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600. set service router-advert interface eth1 nat64prefix 64:ff9b::/96 (cherry picked from commit f1ead5c6a16aba00699b8a5b9c18ef6cffe8cc4d)
2024-03-13T2447: add configurable kernel boot option 'disable-power-saving'Christian Breunig
Lower available CPU C states to a minimum if this option set. This will set Kernel commandline options "intel_idle.max_cstate=0 processor.max_cstate=1". (cherry picked from commit 3a3e0dff4ff1f80835eca6b2362d792e3ecacc8e)
2024-03-12conntrack: T5080: Fix rule order for applied conntrack modulessarthurdev
(cherry picked from commit 1fbda31623054ee944d063f738e4d1d4170341ef)
2024-03-12vrrp: T6020: vrrp health-check script not applied correctly in keepalived.confkhramshinr
Added health-check to sync-group in CLI Don't use instance health-check when instance in sync group member Disallow wrong healtch-check configurations New smoke test
2024-03-06T6075: firewall and NAT: check if interface-group exists when using them in ↵Nicolas Fort
firewall|nat rules. (cherry picked from commit 3c0634e572ffdecaf24a9dac16678427f22761ab)
2024-03-05T6084: Add NHRP dependency for IPsec and fix NHRP empty config bugViacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue (cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
2024-03-04ospfv3: T6087: add support to redistribute IS-IS routesChristian Breunig
(cherry picked from commit 6a97fdfa1ba9b4135a51498ea5acabb804256b2c)
2024-03-02ospf: T5717: sync code with ospfv3 implementationChristian Breunig
(cherry picked from commit 298bcc5cb90c4c83981ec4baaaa0db785306867d)
2024-03-02ospfv3: T5717: allow metric and metric-type on redistributed routesChristian Breunig
Example: vyos@vyos# set protocols ospfv3 redistribute bgp Possible completions: metric OSPF default metric metric-type OSPF metric type for default routes (default: 2) route-map Specify route-map name to use (cherry picked from commit ed2c288c8a9031f91acf76d20b84e2002696981c)
2024-02-29T5504 Keepalived VRRP ability to set more than one peer-addressNataliia Solomko
(cherry picked from commit 3480d92a8c4d84e8c1f94a9362bac2be0cc77921)
2024-02-29banner: T6077: implement ASCII contest winner default logoChristian Breunig
Implement VyOS ASCII art contest winners logo as the default for our MOTD (cherry picked from commit 0ea3a454cf560171d3eb9d4d1b97b172c06360fe)
2024-02-28vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is ↵sarthurdev
required (cherry picked from commit 6f7d1e15665655e37e8ca830e28d9650445c1217)
2024-02-24container: T5909: move registry login to op-modeChristian Breunig
It does not make sense to perform the "podman login" command when setting up containers, as images are not automatically pulled in from the registry - due to issues with the default route during startup. The same issue manifests in "podman login" where we can not login to a registry unless there is a default route present. This commit changes the behavior that the container registry is part of the configuration, but it is only referenced during "add container image" and thus never during system boot. (cherry picked from commit baf30d8319ef4d0f0cc4cdf0f7c12f03f8a492b6)
2024-02-18bridge: T6043: do not call vxlan dependency if interface does not exist (yet)Christian Breunig
In order to keep the proper priority list during system startup and on initial setup/commit for this feature the dependent VXLAN code should not be called, if the interface in question does not exist (yet). (cherry picked from commit dbe8c613bb80bc8b714398825054ade5942ea75b)
2024-02-17login: T5972: add possibility to disable individual local user accountsChristian Breunig
* set system login user <name> disable (cherry picked from commit 6e0b146ed3b90da577c3ecba38836883fd435e7a)
2024-02-16T6001: add option to disable next-hop-tracking resolve-via-defaultChristian Breunig
* set system ip nht no-resolve-via-default * set system ipv6 nht no-resolve-via-default (cherry picked from commit ece0e768f36e52f8964823d891264d7c187204ec)
2024-02-15T6029: Rewritten Accel-PPP services to an identical feature setaapostoliuk
Removed dhcp-interface option (l2tp) Added wins-server (sstp) Added description (ipoe, pppoe, sstp, pptp) Added exteded-script (l2tp, sstp, pptp) Added shaper (ipoe, pptp, sstp, l2tp) Added limits (ipoe, pptp, sstp, l2tp) Added snmp ( ipoe, pptp,sstp, l2tp) Refactoring and reformated code. (cherry picked from commit ac6a16f6c5ad7700789759e1ec093236c2e182a2)
2024-02-13rpki: T6034: remove OpenSSH keys from /run/frr when unloadedChristian Breunig
(cherry picked from commit 78820752b936e77d30f995498ff36487c5c6af87)
2024-02-13pki: T6034: add dependencies to trigger rpki re-run on openssh key updateChristian Breunig
(cherry picked from commit 0f8bf6bd0fb29cfd638e9920674e7ad1d1d25350)
2024-02-13rpki: T6034: move SSH authentication keys to PKI subsystemChristian Breunig
(cherry picked from commit ac2d7dfac6073d0f232191ec494f78a8d12889e4)
2024-02-13pki: T6034: add OpenSSH key supportChristian Breunig
set pki openssh rpki private key ... set pki openssh rpki public key ... set pki openssh rpki public type 'ssh-rsa' (cherry picked from commit 8c78ef0879f22ffd4a5f7fdb175e9109b46e9d7b)
2024-02-09T5960: Rewritten authentication node in PPTP to a single viewaapostoliuk
Rewritten authentication node in accel-ppp services to a single view. In particular - PPTP authentication. (cherry picked from commit 018110200c9a82815dd5d0510f0732d7159c0d59)
2024-02-08T6026: QoS hide attempts to delete qdisc from devicesViacheslav Hletenko
Hide unexpected output by attempts of deleting `qdisc` from interfaces [ qos ] Error: Cannot find specified qdisc on specified device. Error: Cannot delete qdisc with handle of zero. (cherry picked from commit 6dcb68ba5553ac94eb3a9da4a915999500b00ab2)
2024-02-07vrf: T5973: module is now statically compiled into the kernelChristian Breunig
Always enable VRF strict_mode (cherry picked from commit 117fbcd6237b59f54f2c1c66986a8ce073808c84)
2024-02-07vpn: T3843: l2tp configuration not cleared after deletekhramshinr
vpn: T5926: IPSEC does not apply after l2tp configuration was changed added dependency between l2tp and ipsec conf added test for apply config to swanctl (cherry picked from commit e697ed1e7fd5c33f8082b2f4f96c42fc822ec9a5)
2024-02-06T5921: Fix OpenConnect verify for local usersViacheslav Hletenko
Fix verify error for the VPN OpenConnect configuration with local authentication and without any user File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify if not ocserv["authentication"]["local_users"]: KeyError: 'local_users' (cherry picked from commit 71644dfed63f6248525db3c3bc9493c059707a2a)
2024-02-06rpki: T6011: known-hosts-file is no longer supported by FRRChristian Breunig
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
2024-02-02container: T5955: allow setting uid/gidPiotr Maksymiuk
(cherry picked from commit 52e9707a43290f5f826766e2c42c5f0db3c9adec)
2024-02-02Merge pull request #2928 from vyos/mergify/bp/sagitta/pr-2891Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
2024-02-02T5971: Rewritten ppp options in accel-ppp servicesaapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP. (cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
2024-02-01ddclient: T5966: Adjust dynamic dns config address subpathIndrajit Raychaudhuri
Modify the dynamic dns configuration 'address' subpath for better clarity on how the address is obtained. Additionally, remove `web-options` and fold those options under the path `address web`.
2024-02-01Merge pull request #2924 from vyos/mergify/bp/sagitta/pr-2756Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
2024-02-01Merge pull request #2922 from vyos/mergify/bp/sagitta/pr-2854Christian Breunig
dns: T5959: Streamline dns forwarding service (backport #2854)
2024-02-01T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01Merge pull request #2916 from vyos/mergify/bp/sagitta/pr-2832Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
2024-02-01dns: T5959: Streamline dns forwarding serviceIndrajit Raychaudhuri
Streamline configuration and operation of dns forwarding service in following ways: - Remove `dns_forwarding_reset.py` as its functionality is now covered by `dns.py` - Adjust function names in `dns.py` to disambiguate between DNS forwarding and dynamic DNS - Remove `dns_forwarding_restart.sh` as its functionality is inlined in `dns-forwarding.xml` - Templatize systemd override for `pdns-recursor.service` and move the generated override files in /run. This ensures that the override files are always generated afresh after boot - Simplify the systemd override file by removing the redundant overrides - Relocate configuration path for pdns-recursor to `/run/pdns-recursor` and utilize the `RuntimeDirectory` default that pdns-recursor expects - We do not need to use custom `--socket-dir` path anymore, the default path (viz., `/run/pdns-recursor` is fine) (cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)
2024-02-01T5865: Moved ipv6 pools to named ipv6 pools in accel-pppaapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services (cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
2024-02-01bgp: T5930: Denied using rt vpn 'export/import' with 'both' togetheraapostoliuk
Denied using command 'route-target vpn export/import' with 'both' together in bgp configuration. (cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
2024-01-30Merge pull request #2888 from vyos/mergify/bp/sagitta/pr-2886John Estabrook
system-option: T5979: Add configurable kernel boot options (backport #2886)