summaryrefslogtreecommitdiff
path: root/src/helpers
AgeCommit message (Collapse)Author
2024-03-25config-sync: T6145: batch section requests for commit by priorityJohn Estabrook
(cherry picked from commit 50e9364575481335520f50dac834c74ef02ccfab)
2024-03-18T6121: Extend service config-sync to new sectionsViacheslav Hletenko
Extend `service config-sync` with new sections: - LeafNodes: pki, policy, vpn, vrf (syncs the whole sections) - Nodes: interfaces, protocols, service (syncs subsections) In this cae the Node allows to uses the next level section i.e subsection For example any of the subsection of the node `interfaces`: - set service config-sync section interfaces pseudo-ethernet - set service config-sync section interfaces virtual-ethernet Example of the config: ``` set service config-sync mode 'load' set service config-sync secondary address '192.0.2.1' set service config-sync secondary key 'xxx' set service config-sync section firewall set service config-sync section interfaces pseudo-ethernet set service config-sync section interfaces virtual-ethernet set service config-sync section nat set service config-sync section nat66 set service config-sync section protocols static set service config-sync section pki set service config-sync section vrf ``` (cherry picked from commit 25b611f504521181f85cb4460bfdfd702c377b5e)
2024-01-10boot-config-loader: T1622: add missing groups to failsafe userChristian Breunig
This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe and back trace") and adds missing groups to the vyos user. Without this change the vyos user will only have operator (vyos@vyos>) privileges, even if this level is discontinued. One could hack himself up as the user has sudo rights, but rather place the user in the right groups from the beginning. NOTE: This user is only added if booted with "vyos-config-debug" and an error when the configuration can not be loaded at all. (cherry picked from commit 07e802a2d3f98cdf29928bf321cc8b89cb41766c)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2023-12-16image-tools: T5821: restore vrf-aware add system imageJohn Estabrook
(cherry picked from commit 90f2d9865051b00290dd5b7328a046e823b658dc)
2023-11-20T5763: fix imprecise check for remote file nameJohn Estabrook
(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)
2023-11-07T5713: only strip "secret" CLI node and nothing elseChristian Breunig
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had good intention but this will happen: use-secret foo CLI node will become " secret xxxxxx" so the output of strip-private invalidates the configuration. This has been changed to an exact match of "secret" only (cherry picked from commit 863af115df853987dd8ad25ecef3f0ea58485e83)
2023-11-07T5713: Strip string after "secret" in IPSEC configRageLtMan
Make "strip-private" strip the string after "secret" (cherry picked from commit 30eb308149f24b7f15aa3e40ced6918a8a3a04b8)
2023-10-05config: T5631: save copy of config in JSON format on commitJohn Estabrook
(cherry picked from commit 27605426a4ad613f45d36e7db5b1664dc3192981)
2023-09-27conf-mode: T5412: add script for add-on package check of dependenciesJohn Estabrook
(cherry picked from commit 0869b91c0b15ddedd72b4d0e1475c52eb45994f0)
2023-09-19utils: T5239: add low-level read from config.bootJohn Estabrook
(cherry picked from commit 56d3f75de487c1dcfd075cf7b65cb16b6501d0ca)
2023-09-05save-config: T5551: check if None before write, as is the case at bootJohn Estabrook
(cherry picked from commit 3fe5482a29042c92298d3e69d90c0c38404d2fcc)
2023-08-23save-config: T4292: rewrite vyatta-save-config.pl to PythonJohn Estabrook
2023-08-10T5319: remove defaults workarounds in vyos-domain-resolver.pyJohn Estabrook
2023-07-15T5195: vyos.util -> vyos.utils package refactoring part #2Christian Breunig
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-07-12T5195: move boot_* helpers to vyos.utils.bootChristian Breunig
2023-07-09T775: Config-sync bracketize IPv6 secondary addressViacheslav Hletenko
bracketize IPv6 remote address to avoid Failed to parse: https://2001:db8::2/configure-section
2023-06-30T775: Add service config-sync between 2 routersViacheslav Hletenko
Service config-sync allows synchronizing a section of the configuration. As PoC allow only nat, nat66 and firewall sections Rertreive the configuration for a section from self node and send this configuration to the section of the 'secondary' node. This feature adds a symlink from helper 'vyos_config_sync.py' to '/config/scripts/commit/post-hooks.d' and config that is located in '/run/config_sync_conf.conf' It will synchronyze the config only if the setcion was changed. set service config-sync secondary address 192.0.2.11 set service config-sync secondary key xxx set service config-sync section nat set service config-sync section nat66 set service config-sync section firewall set service config-sync mode load
2023-06-09T3472: Print warning when commit-confirm is run as regular usererkin
2023-04-21T1237: Failover route add policy for targets checkingViacheslav Hletenko
Add policy (any-available|all-available) for target checking for failover route set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check policy 'any-available' set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.1' set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.11' It depends if we need that all targets must be alive on just one target.
2023-04-07T1237: Failover route add checks for multiple targetsViacheslav Hletenko
There is only one target for checking ICMP/ARP Extend it for checking multiple targets set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1' set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11' The route will be installed only if all targets are 'alive'
2023-01-04T1237: Fix failover route install route with diff metricsViacheslav Hletenko
If there is no route in the routing table (requires install route) it checks routing table and returns best route None But if we have 2 routes to the same dest ip but with different metrics it doesn't get None (not first route install) It cause that bast metric route cannot be installed (wrong logic) Add func "is_route_exists" and check route/gateway/metric for the required route
2022-12-17Merge pull request #1358 from sever-sever/T1237Christian Poessinger
routing: T1237: Add new feature failover route
2022-12-14routing: T1237: Add new feature failover routeViacheslav Hletenko
Failover route allows to install static routes to the kernel routing table only if required target or gateway is alive When target or gateway doesn't respond for ICMP/ARP checks this route deleted from the routing table Routes are marked as protocol 'failover' (rt_protos) cat /etc/iproute2/rt_protos.d/failover.conf 111 failover ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover $ sudo ip route show proto failover 203.0.113.1 via 192.0.2.1 dev eth0 metric 1 So we can safely flush such routes
2022-11-11policy: T2199: T4605: Migrate policy route interface to `policy route|route6 ↵sarthurdev
<name> interface <ifname>` * Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup * T4605: Rename mangle table to vyos_mangle
2022-11-03nat: T1877: T970: Add firewall groups to NATsarthurdev
2022-11-03firewall: T970: Refactor domain resolver, add firewall source/destination ↵sarthurdev
`fqdn` node
2022-10-28T4291: consolidate component version string read/write functionsJohn Estabrook
2022-06-14firewall: T970: Use set prefix to domain groupssarthurdev
2022-06-11firewall: T4299: Add support for GeoIP filteringsarthurdev
2022-06-05firewall: T970: Maintain a domain state to fallback if resolution failssarthurdev
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-03-10Revert "component_version: T4291: consolidate read/write functions"John Estabrook
This reverts commit 534f677d36285863decb2cdff179687b4fd690cb. Revert while investigating failure in vyos-configtest.
2022-03-10Revert "save-config: T4292: rewrite vyatta-save-config.pl to Python"John Estabrook
This reverts commit c4d389488970c8510200cac96a67182e9333b891. Revert while investigating failure in vyos-configtest.
2022-03-10Revert "load-config: T4295: use config_tree instead of legacy loadFile"John Estabrook
This reverts commit 2a4b45ba7fa4dabf7e592f499cfb06a7ae38cdea. Revert while investigating failure in vyos-configtest.
2022-03-09load-config: T4295: use config_tree instead of legacy loadFileJohn Estabrook
2022-03-08save-config: T4292: rewrite vyatta-save-config.pl to PythonJohn Estabrook
2022-03-08component_version: T4291: consolidate read/write functionsJohn Estabrook
2022-03-05conntrackd: T4259: fix daemon configuration pathChristian Poessinger
2022-02-16xml: T3474: get component version dictionary from xml cache, not legacyJohn Estabrook
2022-01-20interface-names: T3871: use tempfile during virtual migrationJohn Estabrook
Use tempfile to avoid race conditions during virtual migration.
2022-01-13strip-private: T4177: Fix for hiding private data token/url/bucketViacheslav
Add URL, token and bucket hidind data when is used function "strip-private"
2021-12-08vyos.util: T4061: add function to check for completion of boot configJohn Estabrook
2021-12-04wwan: T3795: move implementation to VbashOpRun()Christian Poessinger
After commit ae16a51506c ("configquery: T3402: use vyatta-op-cmd-wrapper to provide environment") we can now call VyOS op-mode commands from arbitrary Python scripts.
2021-11-18wwan: T3795: periodically check if WWAN connection needs a reconnectChristian Poessinger
(cherry picked from commit eb6247e4b464c36fa7441627b221d0db39429251)
2021-11-18interface-names: T3871: 'migrate' component string syntax as neededJohn Estabrook
With the rewrite of vyatta_net_name to Python using ConfigTree, one runs into the change in the syntax of the component version string when updating 1.2 --> 1.3/1.4, since the udev rule is run before the migration of the config file; add an explicit 'virtual' migration on configtree error.
2021-11-12interface-names: T3871: shift index to accommodate KVM behaviourJohn Estabrook
(on behalf of Dmitriy Eshenko)
2021-11-09interface-names: T3871: Add temporary interface names to properly renamingDmitriyEshenko
2021-10-21strip-private: T3926: strip cisco-authentication keyChristian Poessinger