summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-10-07pki: T6481: auto import ACME certificate chain into CLIChristian Breunig
When using an ACME based certificate with VyOS we provide the necessary PEM files opaque in the background when using the internal tools. This however will not properly work with the CA chain portion, as the system is based on the "pki certificate <name> acme" CLI node of a certificate but CA chains reside under "pki ca". This adds support for importing the PEM data of a CA chain issued via ACME into the "pki ca AUTOCHAIN_<name> certificate" subsystem so it can be queried by other daemons. Importing the chain only happens, when the chain was not already added manually by the user. ACME certificate chains that are automatically added to the CLI are all prefixed using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds a safeguard when the intermediate CA changes, the referenced name on the CLI stays consitent for any pending daemon updates. (cherry picked from commit 875764b07f937fc599e2e62c667e7b811ddc2ed3)
2024-09-30Merge pull request #4113 from vyos/mergify/bp/circinus/pr-4024Christian Breunig
T6687: add fqdn support to nat rules. (backport #4024)
2024-09-30T6687: add fqdn support to nat rules.Nicolas Fort
(cherry picked from commit 4c3d037f036e84c77333a400b35bb1a628a1a118)
2024-09-30syslog: T5367: add format option to include timezone in messageChristian Breunig
Add CLI option to include the systems timezone in the syslog message sent to a collector. This can be enabled using: set system syslog host <hostname> format include-timezone (cherry picked from commit 042be39ccabb43a766e04a447207610ff017bd7d)
2024-09-26Merge pull request #4095 from vyos/mergify/bp/circinus/pr-4086Daniil Baturin
bridge: T6675: VXLAN Interface configuration lost due to improper bridge detachment (backport #4086)
2024-09-24syslog: T6719: fix the behavior of "syslog global preserve-fqdn"Nicolas Vollmar
(cherry picked from commit c196c6d9207ef112e478f44923b2d0bc8a15b3c9)
2024-09-24bridge: T6675: VXLAN Interface configuration lost due to improper bridge ↵Nataliia Solomko
detachment (cherry picked from commit 7dbd07657c914d5a46eed101ae44d73ba3b4c6f0)
2024-09-19wireless: T6496: support for EAP-MSCHAPv2 client over wifiChristopher
fix: attempt to fix indentation on `wpa_supplicant.conf.j2` fix: attempt to fix indentation on `wpa_supplicant.conf.j2` fix: incorrect bssid mapping fix: use the correct jinja templating (I think) fix: “remote blank space fix: attempt to fix the formatting in j2 fix: attempt to fix the formatting in j2 feat: rename enterprise username and password + add checks in conf mode. fix: move around `bssid` config option on `wpa_supplicant.conf.j2` and fix the security config part fix: fix indentation on `wpa_supplicant.conf.j2` (cherry picked from commit fc4263021acb72d2d8afb165922d9cb7e11b2bf1)
2024-09-18OpenVPN CLI-option: T6571: rename ncp-ciphers with data-cipherssrividya0208
(cherry picked from commit b62b2f5f8a9c4f0a7dc26bce1f15843651119256)
2024-09-17bond: T6709: add EAPoL support (backport #4069) (#4076)mergify[bot]
* ethernet: T6709: move EAPoL support to common framework Instead of having EAPoL (Extensible Authentication Protocol over Local Area Network) support only available for ethernet interfaces, move this to common ground at vyos.ifconfig.interface making it available for all sorts of interfaces by simply including the XML portion #include <include/interface/eapol.xml.i> (cherry picked from commit 0ee8d5e35044e7480dac6a23e92d43744b8c5d36) * bond: T6709: add EAPoL support (cherry picked from commit 8eeb1bdcdfc104ffa77531f270a38cda2aee7f82) --------- Co-authored-by: Christian Breunig <christian@breunig.cc>
2024-09-15Merge pull request #4058 from vyos/mergify/bp/circinus/pr-4046Christian Breunig
T6703: Adds option to configure AMD pstate driver (backport #4046)
2024-09-12policy: T6676: Invalid route-map caused bgpd to crashNataliia Solomko
(cherry picked from commit 595f35bbdda732883ce0b8b0721061bb3a40a715)
2024-09-12T6703: fix unrelated lint issuesNicolas Vollmar
(cherry picked from commit f00d43381516326061db5287d841ad52e79d6271)
2024-09-12T6703: Adds option to configure AMD pstate driverNicolas Vollmar
(cherry picked from commit 333672bee041f0f2b8e1b698a8eb2108694ad812)
2024-09-12container: T6701: add support to disable container network DNS supportDave Vogel
Add ability to set the container network with a disable-dns setting to disable the DNS plugin that is on be default. set container network <network> no-name-server (cherry picked from commit 1d5625d572cc25a9d53247b7c41177f17845b052)
2024-08-24sysctl: T3204: restore sysctl setttings overwritten by tunedChristian Breunig
(cherry picked from commit 8500e8658ff10f52739143fd7814cf60c9195f16)
2024-08-24Merge pull request #4005 from vyos/mergify/bp/circinus/pr-4000Daniil Baturin
T6672: Fix system option ssh-client source-interface (backport #4000)
2024-08-23wireless: T6318: move country-code to a system wide configurationChristian Breunig
Wireless devices are subject to regulations issued by authorities. For any given AP or router, there will most likely be no case where one wireless NIC is located in one country and another wireless NIC in the same device is located in another country, resulting in different regulatory domains to apply to the same box. Currently, wireless regulatory domains in VyOS need to be configured per-NIC: set interfaces wireless wlan0 country-code us This leads to several side-effects: * When operating multiple WiFi NICs, they all can have different regulatory domains configured which might offend legislation. * Some NICs need additional entries to /etc/modprobe.d/cfg80211.conf to apply regulatory domain settings, such as: "options cfg80211 ieee80211_regdom=US" This is true for the Compex WLE600VX. This setting cannot be done per-interface. Migrate the first found wireless module country-code from the wireless interface CLI to: "system wireless country-code" (cherry picked from commit 9e22ab6b2aee48029d3455f65880e45c558cf1da)
2024-08-22T6672: Fix system option ssh-client source-interfaceViacheslav Hletenko
Fix for system option ssh-client source-interface For the `verify_source_interface` the key `ifname` if required (cherry picked from commit f453b33a6056de8fc5145ca9e680361fbce68348) # Conflicts: # smoketest/scripts/cli/test_system_option.py
2024-08-16T6649: Accel-ppp separate vlan-mon from listen interfacesNataliia Solomko
(cherry picked from commit 663e468de2b431f771534b4e3a2d00a5924b98fe)
2024-08-12configverify: T6642: verify_interface_exists requires config_dict argJohn Estabrook
The function verify_interface_exists requires a reference to the ambient config_dict rather than creating an instance. As access is required to the 'interfaces' path, provide as attribute of class ConfigDict, so as not to confuse path searches of script-specific config_dict instances. (cherry picked from commit 5f23b7275564cfaa7c178d320868b5f5e86ae606)
2024-08-09qos: T6638: require interface state existence in verify conditionalJohn Estabrook
(cherry picked from commit ed63c9d1896a218715e13e1799fc059f4561f75e)
2024-08-06multicast: T6619: remove unused imports (#3941)Christian Breunig
(cherry picked from commit 9979afa15650bd609399030da1751488baaac70b)
2024-08-05OPENVPN: T6555: fix name to bridgefett0
(cherry picked from commit 0162a27952d2166583a9e6aee2cd77b9c693062b)
2024-08-05OPENVPN: T6555: fix name to bridgefett0
(cherry picked from commit d5ae708581d453e2205ad4cf8576503f42e262b6)
2024-08-05OPENVPN: T6555: add server-bridge options in mode serverfett0
(cherry picked from commit 4acad3eb8d9be173b76fecafc32b0c70eae9b192)
2024-08-04Merge pull request #3934 from vyos/mergify/bp/circinus/pr-3916Christian Breunig
T6619: Remove the remaining uses of per-protocol FRR configs (backport #3916)
2024-08-03nat64: T6627: call check_kmod within standard config function (#3931)mergify[bot]
Functions called from config scripts outside of the standard functions get_config/verify/generate/apply will not be called when run under configd. Move as appropriate for the general config script structure and the specific script requirements. (cherry picked from commit aeb51976ea23d68d35685bdaa535042a05016185) Co-authored-by: John Estabrook <jestabro@vyos.io>
2024-08-03T6632: add missing standard functions to config scripts (#3936)mergify[bot]
(cherry picked from commit 31de01242a26dff8ff993061ea2f86102a8a7493) Co-authored-by: John Estabrook <jestabro@vyos.io>
2024-08-02T6629: call check_kmod within a standard config functionJohn Estabrook
Move the remaining calls to check_kmod within a standard function, with placement determined by the needs of the config script. (cherry picked from commit 95eef73f1b002c8b9e8e769135ffed50c8ca6890)
2024-08-02T6619: Remove the remaining uses of per-protocol FRR configs (#3916)Roman Khramshin
(cherry picked from commit f2256ad338fc3fbaa9a5de2c0615603cd23e0f94)
2024-08-01console: T3334: remove unused directories imported from vyos.defaultsChristian Breunig
(cherry picked from commit 4055090a8d4fd64288eab7ae41aa9440f5de4ece)
2024-07-30system: op-mode: T3334: allow delayed getty restart when configuring serial ↵Andrew Topp
ports * Created op-mode command "restart serial console" * Relocated service control to vyos.utils.serial helpers, used by conf- and op-mode serial console handling * Checking for logged-in serial sessions that may be affected by getty reconfig * Warning the user when changes are committed and serial sessions are active, otherwise restart services as normal. No prompts issued during commit, all config gen/commit steps still occur except for the service restarts (everything remains consistent) * To apply committed changes, user will need to run "restart serial console" to complete the process or reboot the whole router * Added additional flags and target filtering for generic use of helpers. (cherry picked from commit bc9049ebd76576d727fa87b10b96d1616950237c)
2024-07-30vrf: T6603: improve code runtime when retrieving info from nftables vrf zoneChristian Breunig
(cherry picked from commit 31acb42ecdf4ecf0f636f831f42a845b8a00d367)
2024-07-30vrf: T6603: conntrack ct_iface_map must only contain one entry for ↵Christian Breunig
iifname/oifname When any of the following features NAT, NAT66 or Firewall is enabled, for every VRF on the CLI we install one rule into nftables for conntrack: chain vrf_zones_ct_in { type filter hook prerouting priority raw; policy accept; counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map } This is superfluous. (cherry picked from commit d6e9824f1612bd8c876437c071f31a1a0f44af5d)
2024-07-26vxlan: T6505: Support VXLAN VLAN-VNI range mapping in CLI (#3756)Nataliia S
(cherry picked from commit 115e99630a317cab62c6f99e0461f6ce2c1edaf3)
2024-07-25system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls ↵mergify[bot]
by TuneD (#3863) (cherry picked from commit 7b82e4005724683c6311fab22358746f2cca4c1b) Co-authored-by: Nataliia Solomko <natalirs1985@gmail.com>
2024-07-25vrf: T6602: verify supplied VRF name on all interface types (#3870)mergify[bot]
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF actually exists. If this is not validated, one can pass an invalid VRF to the system which generates an OSError exception. To reproduce set interfaces vxlan vxlan1 vni 1000 set interfaces vxlan vxlan1 remote 1.2.3.4 set interfaces vxlan vxlan1 vrf smoketest results in OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt This commit adds the missing verify_vrf() call to the missing interface types and an appropriate smoketest for all interfaces supporting VRF assignment. (cherry picked from commit dd0ebffa33728e452ac6e11737c2283f0e390359) Co-authored-by: Christian Breunig <christian@breunig.cc>
2024-07-22wireless: T6597: improve hostapd startup and corresponding smoketestsChristian Breunig
This was found during smoketesting as thoase started to repeadingly fail in the last weeks File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py", line 534, in test_wireless_security_station_address self.assertTrue(process_named_running('hostapd')) AssertionError: None is not true Digging into this revealed that this is NOT related to the smoketest coding but to hostapd/systemd instead. With a configured WIFI interface and calling: "sudo systemctl reload-or-restart hostapd@wlan1" multiple times in a short period caused systemd to report: "Jul 18 16:15:32 systemd[1]: hostapd@wlan1.service: Deactivated successfully." According to the internal systemd logic used in our version this is explained by: /* If there's a stop job queued before we enter the DEAD state, we shouldn't act on Restart=, in order to not * undo what has already been enqueued. */ if (unit_stop_pending(UNIT(s))) allow_restart = false; if (s->result == SERVICE_SUCCESS) s->result = f; if (s->result == SERVICE_SUCCESS) { unit_log_success(UNIT(s)); end_state = SERVICE_DEAD;` Where unit_log_success() generates the log message in question. Improve the restart login in the wireless interface script and an upgrade to hostapd solved the issue. (cherry picked from commit a67f49d99eda00998c425f9a663e138dbd0f7755)
2024-07-22wireless: T6320: add 802.11ax at 6GHzAlain Lamar
Authored-By: Alain Lamar <alain_lamar@yahoo.de> (cherry picked from commit d5e988ba2d0fa0189feff22374c9b46eb49e2e79)
2024-07-22openvpn: T3834: verify() is not allowed to change anything on the systemChristian Breunig
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix opmode commands") added a code path into verify() which removed files on the system if TOTP was not defined. This commit moves the code path to the appropriate generate() function. (cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482)
2024-07-22T6599: ipsec: fix incorect default behavior for dead-peer-detectionLucas Christian
(cherry picked from commit 23a3419d512139650cfe3dc76759b370b0c0c3d6)
2024-07-21vrf: T6592: remove unused import get_interface_configChristian Breunig
Remove unused import (left over) from commit 36f3791e0 ("utils: migrate to new get_vrf_tableid() helper") (cherry picked from commit b551f542c5c906c901e3be37ad3fd68c8248473d)
2024-07-20utils: migrate to new get_vrf_tableid() helperChristian Breunig
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances failed") introduced a new helper to retrieve the VRF table ID from the Kernel. This commit migrates the old code path where the individual fields got queried to the new helper vyos.utils.network.get_vrf_tableid(). (cherry picked from commit 36f3791e0c15267483d59a3bb74465811d08df88)
2024-07-18openvpn: T6591: deprecate OpenVPN server net30 topology (#3825)Daniil Baturin
(cherry picked from commit e2b05343b30d2f989968532106e792cbaf75ecf6)
2024-07-02T6497: CGNAT refactoring delete conntrack entries (#3699) (#3732)mergify[bot]
(cherry picked from commit 804efa2ef6bfee84d13f633d863f6f22f9eec273) Co-authored-by: Viacheslav Hletenko <v.gletenko@vyos.io>
2024-07-02T6523: Telegraf use nft scripts only if the firewall configuredViacheslav Hletenko
If a firewall is not configured there is no reason to get and execute telegraf firewall custom scripts as there are no nft chain in the firewall nftables configuration (cherry picked from commit ebff0c481907ac0c2c0be9981c3c3d87caf3003b)
2024-06-28T6477: Add telegraf loki output pluginViacheslav Hletenko
Add Loki plugin to telegraf set service monitoring telegraf loki url xxx (cherry picked from commit 3365eb7ab99fa9a259fe440eb51e82fc0a0a4dc6)
2024-06-26Merge pull request #3723 from sever-sever/T751Daniil Baturin
T751: Remove ids suricata
2024-06-25Merge pull request #3707 from vyos/mergify/bp/circinus/pr-3679Christian Breunig
T3202: Enable wireguard debug messages (backport #3679)