summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2024-04-06container: T6208: rename "cap-add" CLI node to "capability"Christian Breunig
Containers have the ability to add Linux system capabilities to them, this is done using the "set container name <name> cap-add" command. The CLI node sounds off and rather should be "set container name <name> capability" instead as we use and pass a capability to a container and not add/invent new ones.
2024-04-06ipoe: T6205: error in migration script logic while renaming mac-address to ↵Christian Breunig
mac node The problem was introduced in [1] but the config migrator part unfortunately was added to the wrong version [2]. As IPoE config version 0 was only active during the 1.3 development cycle and VyOS 1.3.0 was already released with config version 1 we can safely drop the migrator 0-to-1 and move the code to 1-to-2 to properly support upgrades from VyOS 1.3 -> 1.4 or newer. 1: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-08291bf77870abe3af8bbe3e8ce4bbf344fd0498b2c5c75a75aa7235d381c88eL168 2: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-b8bb58b75607d3653e74d82eff02442f9f3ab82698f160ba37858f7cdf6c79ccR44-R46
2024-04-04Merge pull request #3238 from HollyGurza/T5943Daniil Baturin
bgp: T5943: BGP Peer-group members must be all internal or all external
2024-04-04Merge pull request #3214 from nicolas-fort/T6068-keaDaniil Baturin
T6068: dhcp-server: add command <set service dhcp-server high-availability mode>
2024-04-04bgp: T5943: BGP Peer-group members must be all internal or all externalkhramshinr
2024-04-03T6068: dhcp-server: add command <set service dhcp-server high-availability ↵Nicolas Fort
mode> so user can define what type of ha use: active-active or active-passive
2024-04-03T6199: drop unused Python importsChristian Breunig
found using "git ls-files *.py | xargs pylint | grep W0611"
2024-04-03T6199: replace netifaces.interfaces() with common custom helpersChristian Breunig
* Use interface_exists() outside of verify() * Use verify_interface_exists() in verify() to drop common error message
2024-04-02Merge pull request #3236 from c-po/pki-verifyChristian Breunig
configverify: T6198: add common helper for PKI certificate validation
2024-04-02configverify: T6198: add common helper for PKI certificate validationChristian Breunig
The next evolutional step after adding get_config_dict(..., with_pki=True) is to add a common verification function for the recurring task of validating SSL certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
2024-04-02Merge pull request #3229 from c-po/multi-vrfChristian Breunig
T6192: allow binding SSH to multiple VRF instances
2024-04-01conntrack: T4309: T4903: always use full nft command name (e.g. --file over -f)Christian Breunig
2024-04-01nhrp: T2199: always use full nft command name (e.g. --file over -f)Christian Breunig
2024-04-01policy: T2199: always use full nft command name (e.g. --file over -f)Christian Breunig
2024-04-01nat: T2199: always use full nft command name (e.g. --file over -f)Christian Breunig
2024-04-01vrf: T3655: always use full nft command name (e.g. --check over -c)Christian Breunig
2024-04-01firewall: T2199: always use full nft command name (e.g. --file over -f)Christian Breunig
2024-04-01ssh: T6192: allow binding to multiple VRF instancesChristian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF.
2024-04-01utils: T5738: always use vyos.utils.network.interface_exists over os.path.existsChristian Breunig
2024-04-01Merge pull request #3223 from c-po/T6193-dhcp-clientDaniil Baturin
system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option"
2024-04-01Merge pull request #3222 from HollyGurza/T6178Christian Breunig
T6178: Check that certificate exists during reverse-proxy commit
2024-04-01system: T6193: invalid warning "is not a DHCP interface but uses DHCP ↵Christian Breunig
name-server option" This fixes an invalid warning when using a DHCP VLAN interface to retrieve the system nameserver to be used. VLAN CLI config is not properly expanded leading to a false warning: [ system name-server eth1.10 ] WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option!
2024-04-01T6178: Check that certificate exists during reverse-proxy commitkhramshinr
2024-03-30Merge pull request #3195 from HollyGurza/T4718-currentChristian Breunig
dhcp-server: T4718: Listen-address is not commit if the ip address is on the interface with vrf
2024-03-29bgp: T6106: Valid commit error for route-reflector-client option defined in ↵khramshinr
peer-group changed exception condition Improved route_reflector_client test
2024-03-28Merge pull request #3202 from sarthurdev/T5606_1Daniil Baturin
ipsec: T5606: T5871: Use multi node for CA certificates
2024-03-28Merge pull request #2965 from lucasec/t5872Daniil Baturin
T5872: ipsec remote access VPN: support dhcp-interface.
2024-03-28ipsec: T5606: T5871: Use multi node for CA certificatessarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
2024-03-28dhcp-server: T4718: Listen-address is not commit if the ip address is on the ↵khramshinr
interface with vrf
2024-03-26bgp: T6106: fix test and verify()khramshinr
2024-03-25T6171: migrate <set service dhcp-server failover> to <set service ↵Nicolas Fort
dhcp-server high-availability>.
2024-03-24ospf: T6066: can not define the same network in different areasChristian Breunig
Users can not (FRR fails) commit the same network belonging to different OSPF areas. Add verify() check to prevent this.
2024-03-22isis: T6160: NameError: name 'process' is not definedChristian Breunig
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain" node identifying the IS-IS process name). Drop all references to "process" variable. Specifying: set protocols isis interface eth1 set protocols isis net '49.0001.1921.6825.5255.00' set protocols isis redistribute ipv4 bgp Triggered an exception Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module> verify(c) File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify f'"protocols isis {process} redistribute {afi} {proto}"!') ^^^^^^^ NameError: name 'process' is not defined
2024-03-20conntrack: T6147: Enable conntrack when firewall state-policy is definedsarthurdev
* Move global state-policy smoketest to it's own test, verify conntrack
2024-03-18T6136: add error checks when using dynamic firewall groupsNicolas Fort
2024-03-16Merge pull request #3112 from Ingramz/add-rtsp-2Christian Breunig
conntrack: T4022: add RTSP conntrack helper
2024-03-13Merge pull request #3125 from c-po/radvd-T6118Daniil Baturin
radvd: T6118: add nat64prefix support RFC8781
2024-03-12radvd: T6118: add nat64prefix support RFC8781Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600. set service router-advert interface eth1 nat64prefix 64:ff9b::/96
2024-03-12conntrack: T4022: add RTSP conntrack helperIndrek Ardel
2024-03-12conntrack: T5080: Fix rule order for applied conntrack modulessarthurdev
2024-03-11T5872: re-write exit hook to always regenerate configLucas Christian
2024-03-10T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
2024-03-07Merge pull request #2966 from HollyGurza/T6020Daniil Baturin
vrrp: T6020: vrrp health-check script not applied correctly
2024-03-06Merge pull request #3088 from nicolas-fort/T6075Daniil Baturin
T6075: firewall and NAT: check if interface-group exists when using them in firewall|nat rules.
2024-03-05T2447: add configurable kernel boot option 'disable-power-saving'Christian Breunig
Lower available CPU C states to a minimum if this option set. This will set Kernel commandline options "intel_idle.max_cstate=0 processor.max_cstate=1".
2024-03-05T6075: firewall and NAT: check if interface-group exists when using them in ↵Nicolas Fort
firewall|nat rules.
2024-03-04Merge pull request #3079 from sever-sever/T6084Daniil Baturin
T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug
2024-03-04T6084: Add NHRP dependency for IPsec and fix NHRP empty config bugViacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue
2024-03-03ospfv3: T6087: add support to redistribute IS-IS routesChristian Breunig
2024-03-02ospf: T5717: sync code with ospfv3 implementationChristian Breunig