path: root/src
Age | Commit message | Author
2023-11-24 | wireguard: T5413: Blocked adding the peer with the router's public key | aapostoliuk
Disabled adding the peer with the same public key as the router has. Backport from current https://github.com/vyos/vyos-1x/pull/2122
2023-11-23 | https api: T5772: check if keys are configured | Daniil Baturin
unless PAM auth is enabled for GraphQL (cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
2023-11-20 | PAM: T5577: Optimized RADIUS PAM config | zsdc
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS

New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-16 | T4940: new interfaces debugging command equuleus | mkorobeinikov
2023-10-31 | Merge pull request #2310 from sever-sever/T5586-eq | Daniil Baturin
T5586: Disable by default SNMP for Keepalived VRRP service
2023-10-19 | vxlan: T5669: unable to change port number | Christian Breunig
set interfaces vxlan vxlan23 address '100.64.10.2/24'
set interfaces vxlan vxlan23 remote '192.0.2.1'
set interfaces vxlan vxlan23 source-address '192.0.2.5'
set interfaces vxlan vxlan23 vni '23'
commit
set interfaces vxlan vxlan23 port '4789'
commit

vyos@r1# ip -d link show dev vxlan23
12: vxlan23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 22:6e:6d:33:c5:6b brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    vxlan id 23 remote 192.0.2.1 local 192.0.2.5 srcport 0 0 dstport 8472

Port remains at the default value of 8472. This has been fixed.
2023-10-08 | pppoe: T5630: verify MRU is less than or equal to MTU | Christian Breunig
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
2023-09-26 | T5586: Disable by default SNMP for Keepalived VRRP service | Viacheslav Hletenko
AgentX does not work stably. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured.

set high-availability vrrp snmp
2023-09-07 | system: T5555: Fix time-zone migrator changing valid time-zones to UTC | sarthurdev
2023-09-04 | T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state | Viacheslav Hletenko
Checks if an IPv6 address on a specific network interface is in the tentative state. IPv6 tentative addresses are not fully configured and are undergoing Duplicate Address Detection (DAD) to ensure they are unique on the network.

inet6 2001:db8::3/125 scope global tentative

In the tentative state the group enters the FAULT state. Fix it.
2023-08-28 | T5428: fix DHCP address renewal/release when running in VRF | Christian Breunig
2023-09-01 | vrf: T5428: stop DHCP processes on VRF removal | Christian Breunig
This is a workaround for the priority inversion from T5492 ("CLI node priority is not inversed on node deletion"). As this is a corner case bug that's only triggered if an interface is removed from a VRF and also the VRF is removed in one commit, priorities are not honored. Thus we implement this workaround which stops the DHCP(v6) client processes on the VRF associated interfaces to get out the DHCP RELEASE message before interfaces are shut down. (cherry picked from commit 005151f77be5cf999689cfd03620bbc39df59018)
2023-08-31 | Merge pull request #2166 from sever-sever/T5506-eq | Christian Breunig
T5506: Add link-local IPv6 address for container interfaces
2023-08-25 | T4825: Add interface type veth | Viacheslav Hletenko
Add interface type veth (Virtual ethernet). One of the use cases is interconnecting different VRFs and the default VRF via a bridge.

set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0

vyos@r1:~$ ping 10.0.0.10 count 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
2023-08-24 | http-api: T5006: add explicit async to retrieve operation | John Estabrook
2023-08-24 | T5506: Add link-local IPv6 address for container interfaces | Viacheslav Hletenko
Fix for adding IPv6 link-local address for container interfaces

set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'

% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
2023-08-19 | wifi: T5470: improve error message | Christian Breunig
(cherry picked from commit ffb798b4678f3b1bd0a40cc42b1f0477470346dc)
2023-08-17 | T5223: Fix removing key id for GRE tunnel | Viacheslav Hletenko
Fix for removing key id from GRE tunnel

Before fix:
del interfaces tunnel tun10 parameters ip key
commit
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit key 1234

After the fix:
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit
2023-07-31 | Merge pull request #2097 from aapostoliuk/T4790-equuleus | Christian Breunig
login: T4790: Added check of the sum of radius timeouts
2023-07-25 | login: T4790: Added check of the sum of radius timeouts | aapostoliuk
Added check of the sum of login radius timeouts. It has to be less than or equal to 50 sec. Added check of the number of login radius servers. It has to be less than or equal to 8. Otherwise, login to the device can be discarded. Backported from 1.4
2023-07-19 | sshguard: T5354: Add service ssh dynamic-protection | Viacheslav Hletenko
Sshguard protects hosts from brute-force attacks. It can inspect logs and block "bad" addresses by threshold. Auto-generates own tables and rules for nftables, so they do not interfere with VyOS firewall rules. When the service stops, all generated tables are deleted.

set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
2023-06-30 | bcast-relay: T5313: capitalize UDP protocol name | Christian Breunig
(cherry picked from commit a409b255acc3dc0a67058593e31b3614e20714f0)
2023-06-25 | bcast-relay: T5313: verify() relay interfaces have IPv4 address configured | Christian Breunig
(cherry picked from commit ca7c063666c038d104082542f04ead6062e79246)
2023-05-28 | router-advert: T5240: verify() that no more than 3 IPv6 name-servers configured | Christian Breunig
This is a radvd limitation. (cherry picked from commit 8ef017a3496467433c311af63116af7657c58037)
2023-05-11 | syslog: T2769: add VRF support | Christian Breunig
Allow syslog messages to be sent through a VRF (e.g. management). (cherry picked from commit 46d2bcdb0b500b4d1b9d973ab5b9ca3c6cf44e51)
2023-05-10 | Merge pull request #1979 from zdc/T5190-equuleus | Christian Breunig
cloud-init: T5190: Added Cloud-init pre-configurator
2023-05-05 | container: T5082: future proof bridge network name | Christian Breunig
Users might add the podman network interface to a zone based firewall. This could cause breaking configs on upgrades to 1.4. As container support is not yet released for 1.3 LTS version (will be 1.3.3), we once rename the network interface to match the schema in VyOS 1.4.
2023-05-04 | cloud-init: T5190: Added Cloud-init pre-configurator | zsdc
Added a new service that starts before Cloud-init, waits for all network interfaces initialization, and if requested by config, checks which interfaces can get configuration via DHCP server and creates a corresponding Cloud-init network configuration.

This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant for any data source which depends on network), but the real network is connected to another interface
* when Cloud-init starts simultaneously with udev and initializes the first interface to get meta-data before it is renamed to eth0 by udev
2023-04-23 | http-api: T5175: check value of attribute for FastAPI>=0.91.0 | John Estabrook
FastAPI v0.92.0 (starlette v0.24.0) sets default attribute Request._form; check for value == None instead of existence when overriding Request class. (cherry picked from commit cac55a066e1f7d7d4c0eec5ada76570a326b5ac9)
2023-04-13 | Merge pull request #1952 from sever-sever/T4727 | Christian Breunig
T4727: Add RADIUS rate-limit attribute for vpn pptp
2023-04-12 | T5152: Get default hostname for telegraf from FQDN or hostname | Viacheslav Hletenko
Fix for Telegraf agent hostname isn't qualified. Try to get the hostname from FQDN and then from the hostname. Used for metrics. You may have more than one machine with different domain names:

r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost

It helps to detect from which host exactly we get metrics for InfluxDB2.
2023-04-11 | T4727: Add RADIUS rate-limit attribute for vpn pptp | Viacheslav Hletenko
Add rate-limit attribute, multiplier, vendor specific attribute for the [shaper] section
2023-04-01 | container: T4959: add registry authentication option | Christian Breunig
Container registry CLI node changed from leafNode to tagNode with the same defaults. In addition we can now configure an authentication option per registry. (cherry picked from commit fe82d86d3e87cb8d92ebc9d0652c08e3dd79a12c)
2023-04-01 | Merge pull request #1919 from c-po/equuleus | Christian Breunig
container: T5047: restart only containers that changed (backport)
2023-04-01 | container: T5047: bugfix TypeError: argument of type 'NoneType' is not iterable | Christian Breunig
Commit 52e51ffb ("container: T5047: restart only containers that changed") started to iterate over a NoneType which is invalid. This happened when a network description was changed but no container was due for restart. (cherry picked from commit 86d7b8d1d2b53b9fa93bd456abb4ea1b4f2949b6)
2023-03-29 | container: T5047: restart only containers that changed | Christian Breunig
By default VyOS used to restart all containers it managed. This makes no sense as it will be service disrupting. Instead only restart the containers that had changes on the CLI being made. (cherry picked from commit 52e51ffbb84996aee9d5b94eebf64589ead31225)
2023-03-23 | op-mode: T5097: show interfaces should reflect cleared counters | John Estabrook
'show interfaces counters' correctly displays counter stats after a call to 'clear interfaces counters', however, 'show interfaces detail' does not. Add missing update to counter stats.
2023-03-23 | T5105: Fix error message from dhcp-server | Nicolas Fort
(cherry picked from commit 05e00b986a563681b038b226c86c83a29d6da820)
2023-03-15 | T3083: Add service event-handler | Viacheslav Hletenko
Event-handler allows executing a custom script when it detects some configured "pattern regex".

set service event-handler event first filter pattern '.*ssh2.*'
set service event-handler event first script arguments '192.0.2.5'
set service event-handler event first script environment interface value 'eth0'
set service event-handler event first script path '/config/scripts/hello.sh'

It is the backport from 1.4
2023-03-10 | Merge pull request #1859 from sever-sever/T5033-eq | Viacheslav Hletenko
T5033: Ability to generate multiple keys from a file or link
2023-03-09 | T5066: Fix GRE tunnel variable name for verify check keys | Viacheslav Hletenko
2023-03-07 | openvpn: T4872: fix parsing of tunnel IP in 'show openvpn server' | John Estabrook
(cherry picked from commit 779f4001a4828f1af39a5b0b861d62635fcb3726)
2023-03-07 | openvpn: T4381: Add tunnel ip column for status command | srividya0208
Added the tunnel ip column to see the assigned ip address in server mode (cherry picked from commit 500c182c4fa4e0fa030b7c68139fbe948266c49b)
2023-03-01 | T4967: Allow setting container hostname | Viacheslav Hletenko
Ability to set container hostname. This host name is used as /etc/hostname

set container name <tag> host-name 'mybox'

(cherry picked from commit c68d73e6720a7df2b48df17ac7b9b4c906e0294c)
2023-03-01 | container: T4014: Add `command`, `arg` and `entrypoint` configuration options for containers | Zen3515
(cherry picked from commit 53aebddb4ca54b0cc4a296d6cc4c4d960c5f1d73)
2023-02-28 | T5033: Ability to generate multiple keys from a file or link | Viacheslav Hletenko
We generate only one public key (string) from a file xxx.pub in op-mode with 'generate public-key-command user vyos lik_to_key_file'. Add ability to generate configuration (from op-mode) for multiple keys. As github keys don't use identifiers, generate a uuid4 id for them.
2023-02-24 | Merge pull request #1794 from aapostoliuk/T4955-equuleus | Christian Breunig
openconnect: T4955: Removed wrong authserver in radiusclient.conf
2023-02-21 | T4978: Default values of port rewrite default container values | Viacheslav Hletenko
As we have the same variable name 'default_values' for container name, port and volume, it rewrites default container parameters with default port parameters. Fix it. (cherry picked from commit 679efe8ac7998ba1b8f3c7c4bfc7508d8869907d)
2023-02-20 | openconnect: T4955: Removed wrong authserver in radiusclient.conf | aapostoliuk
After merging the config dictionary with default values, the radius port default value was not merged in a proper way. It was added as a server. After creating radiusclient.conf, the illegal authserver equal to 'port' was added. Backported from 1.4
2023-02-14 | T5009: relay: correct service name for restarting dhcp relay service | Nicolas Fort