summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2023-02-04Revert "login: T4975: Fixed broken CLI commands"Christian Breunig
This reverts commit 3a6e77d479da4321b851163490a9b79ef2cef7b8. A general solution is implemented in Commit 29a44a73 ("T4975: always sync() filesystem after commit").
2023-02-04T4817 added support for RFC 9234Kyle McClammy
2023-02-02login: T4975: Fixed broken CLI commandszsdc
User profile files are not saved to disk after configuration is fully applied. Because of this, after a fast system reset, profile files can be empty, and CLI is broken. This fix adds a `sync()` call after the user's configuration, which should protect from data loss and fix the problem with profiles.
2023-01-31container: T4014: Add `command`, `arg` and `entrypoint` configuration ↵Zen3515
options for containers
2023-01-30container: T4959: Add container registry authentication config for containersZen3515
2023-01-30Merge pull request #1761 from sever-sever/T4916-currViacheslav Hletenko
T4916: Rewrite IPsec peer authentication and psk migration
2023-01-28vrrp: T1297: improve gratuitous ARP default value handling and help stringsChristian Breunig
2023-01-28openconnect: T4955: Removed wrong acctserver in radiusclient.confJamie Austin
Removes port key from accounting server merged config dictionary.
2023-01-28T4958: ocserv: openconnect: refactor RADIUS accounting supportJamie Austin
2023-01-28T4958: ocserv: openconnect: adds support for configuring RADIUS accountingJamie Austin
Adds CLI configuration options to configure RADIUS accounting for OpenConnect VPN sessions. This functionality cannot be used outside of the RADIUS OpenConnect VPN authentication mode
2023-01-26openconnect: T4955: Removed wrong authserver in radiusclient.confaapostoliuk
After merging config dictionary with default values, radius port the default value was merged not in a proper way. It is added as a server. After creating radiusclient.conf added and the illegal authserver equal 'port'.
2023-01-26T4916: Rewrite IPsec peer authentication and psk migrationViacheslav Hletenko
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
2023-01-25T1297: VRRP: add garp options to vrrpNicolas Fort
2023-01-22pppoe: T4948: add CLI option to allow definition of host-uniq flagChristian Breunig
Some ISPs seem to use the host-uniq flag to authenticate client equipment. Add CLI option in VyOS to allow specification of the host-uniq flag. set interfaces pppoe pppoeN host-uniq <value>
2023-01-21container: T4947: support mounting container volumes as ro or rwChristian Breunig
Whenever a container is used and a folder is mounted, this happenes as read-write which is the default in Docker/Podman - so is the default in VyOS. A new option is added "set container name foo volume mode <ro|rw>" to specify explicitly if rw (default) or ro should be used for this mounted folder.
2023-01-20Merge pull request #1767 from jestabro/config-mgmtJohn Estabrook
config-mgmt: T4942: rewrite vyatta-config-mgmt to Python/XML
2023-01-20config-mgmt: T4942: add conf_mode scriptJohn Estabrook
2023-01-19Merge pull request #1697 from nicolas-fort/snmp_reworkChristian Breunig
T4857: SNMP: Implement FRR SNMP Recomendations
2023-01-18T4857: change description in cli, and change word oid to uppercase OIDs in ↵Nicolas Fort
warning message
2023-01-18T4857: Cleaning prNicolas Fort
2023-01-17ifb: T4938: add Python implementation for input function block interfacesChristian Breunig
2023-01-15Merge pull request #1758 from c-po/t3008-chronyChristian Breunig
ntp: T3008: migrate from ntpd to chrony
2023-01-14systemd: T2185: always place generated override files in /runChristian Breunig
This prevents any stale override files when the system is beeing rebooted, but the actual configuration was not saved. /run is a tmpfs and thus always fresh after boot.
2023-01-14ntp: T3008: migrate from ntpd to chronyChristian Breunig
* Move CLI from "system ntp" -> "service ntp" * Drop NTP server option preempt as not supported by chrony
2023-01-13T4935: ospfv3: bugfix KeyError: 'range'Christian Breunig
Commit 1fc7e30f ('T4935: ospfv3: "not-advertise" and "advertise" conflict') added a check for not-advertive and advertise in the same area but lacked a test if the key really exists in the dict which is to be validated.
2023-01-12Merge pull request #1752 from sever-sever/T4118Christian Breunig
T4118: Add default value any for connection remote-id
2023-01-12T4118: Add default value any for connection remote-idViacheslav Hletenko
If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script
2023-01-12T4935: ospfv3: "not-advertise" and "advertise" conflictYuxiang Zhu
They can't be set at the same time.
2023-01-11webproxy: T4927: Changed restart to reload-or-restart in commitaapostoliuk
Changed restart to reload-or-restart in commit. It allows to reload the config and not restart webporxy service during commit.
2023-01-09Revert "strongSwan: upgrade scripts to work with package version 5.9.8"Christian Poessinger
This reverts commit 6857447bf6acba3537d5e5372cd320aef078b81e.
2023-01-07Merge pull request #1728 from aapostoliuk/T4877-sagittaChristian Breunig
T4877: Added more checks if "import vrf" is used in bgp
2023-01-06T4877: Added more checks if "import vrf" is used in bgpaapostoliuk
1. Fixed: If rd and route-target are used in VRF, can not use "import vrf" in the same VRF in the same AFI/SAFI. 2. Fixed: If rd and route-target is used in VRF, this VRF can not be in the list of command "import vrf" in the same AFI/SAFI but in other VRFs. 3. Fixed: Do not allow to delete vrf if it is used in import list of other vrfs. 4. Added smoketests to check "import vrf" issues.
2023-01-06static: T4883: fix KeyError: 'table'Christian Poessinger
Commit dafb0da2 ("static: T4883: add a description field for routing tables") added an iproute2 description table but lacked checking if the key exists. This has been fixed and also converted to Jinja2 to keep the "common" style inside the routing protocols. It might feel overengineered indeed.
2023-01-05qos: T4284: priority-queue and round-robin have no default bandwidthChristian Poessinger
2023-01-05Merge pull request #1710 from dmbaturin/routing-table-descriptionsChristian Breunig
T4883: add a description field for routing tables
2023-01-04ssh: T2651: extend verify() when both source-address and source-interface is ↵Christian Poessinger
used We need to ensure that source-address is assigned on source-interface before applying the configuration, else SSH client will have a hard time talking to someone.
2023-01-04ssh: T2651: add source-interface support ssh-clientChristian Poessinger
2023-01-04ssh: T2651: use Debian style include directve for ssh_config.dChristian Poessinger
Commit 846e306700a ("ssh: T2651: add cli options for source address") added support for a basic SSH client option, but it grabbed the entire /etc/ssh/ssh_config file without the ability to make custom user adjustments via the /etc/ssh/ssh_config.d/ folder. This vommit places the VyOS SSH options under /etc/ssh/ssh_config.d/ leaving the common override system alive.
2023-01-04qos: T4284: replace qdisc/class instead of always adding itChristian Poessinger
This makes transitions/updates faster and less error prone
2023-01-04Merge pull request #1735 from sever-sever/T4904Viacheslav Hletenko
T4904: keepalived virtual-server allow multiple ports with fwmark
2023-01-02xml: qos: T4284: fix DSCP CLI valuesChristian Poessinger
2023-01-02T4904: keepalived virtual-server allow multiple ports with fwmarkViacheslav Hletenko
Allow multiple ports for high-availability virtual-server The current implementation allows balance only one "virtual" address and port between between several "real servers" Allow matching "fwmark" to set traffic which should be balanced Allow to set port 0 (all traffic) if we use "fwmark" Add health-check script set high-availability virtual-server 203.0.113.1 fwmark '111' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
2023-01-02Merge pull request #1725 from sever-sever/T4893Christian Poessinger
T4893: Add ppp-options ipv6-interface-id for L2TP
2023-01-01qos: T4284: first implementation introducing a new vyos.qos moduleChristian Poessinger
2022-12-30T4893: Add ppp-options ipv6-interface-id for L2TPViacheslav Hletenko
Add ppp-options IPv6 interface id for vpn L2TP - fixed or random interface identifier for IPv6 - peer interface identifier for IPv6 - whether to accept peer’s interface identifier set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id set vpn l2tp remote-access ppp-options ipv6-intf-id 'random' set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
2022-12-30T4897: Fix virtual interface rebuild checksYuxiang Zhu
`leaf_node_changed` returns `[]` (empty list) after a leaf node is added. e.g. Setting `source-interface` doesn't work on an existing vxlan interface. Steps to reproduce: - Add a vxlan interface without `source-address` or `source-interface` options set: ``` set interfaces vxlan vxlan999 vni 999 set interfaces vxlan vxlan999 remote 192.168.100.100 commit ``` - Then set `source-address` or `source-interface`: ``` set interfaces vxlan vxlan999 source-interface eth0 commit ``` Actual result: Source address or source-interface are not set: ``` ip -d link show dev vxlan999 76: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 56:08:ba:4d:4e:a8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 vxlan id 999 remote 192.168.100.100 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 ``` Expected result: ``` 77: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 9e:05:d9:58:1a:af brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 vxlan id 999 remote 192.168.100.100 dev eth0 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 ``` All invocations of leaf_node_changed() should be migrated to is_node_changes() if you are only interested in if something changed and don‘t care what exactly changed (content).
2022-12-30pseudo-ethernet: T4391: use is_node_changed() over error prone ↵Christian Poessinger
leaf_node_changed() We only need to use leaf_node_changed() if we are interested in the detailed change to a CLI node (what was the previous content). If we are only interested in if a node changed "at all" is_node_changed() should be used.
2022-12-30tunnel: T4391: use is_node_changed() over error prone leaf_node_changed()Christian Poessinger
We only need to use leaf_node_changed() if we are interested in the detailed change to a CLI node (what was the previous content). If we are only interested in if a node changed "at all" is_node_changed() should be used.
2022-12-30geneve: T4366: use is_node_changed() over error prone leaf_node_changed()Christian Poessinger
We only need to use leaf_node_changed() if we are interested in the detailed change to a CLI node (what was the previous content). If we are only interested in if a node changed "at all" is_node_changed() should be used.
2022-12-27strongSwan: upgrade scripts to work with package version 5.9.8Christian Poessinger