path: root/src
Age | Commit message | Author
2024-04-16 | pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions fails | Nataliia Solomko
2024-04-04 | dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domains | Christian Breunig
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which was present to update /etc/resolv.conf with the DHCP specified nameservers and also the search domain list was no longer present. This commit adds a per interface rendered script to inform vyos-hostsd about the received IPv6 nameservers and search domains. (cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
2024-04-01 | Merge pull request #3167 from aapostoliuk/T6150-equuleus | Daniil Baturin
T6150: Fixed setting a static IP address by Radius in IPoE
2024-04-01 | system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option" | Christian Breunig
This fixes an invalid warning when using a DHCP VLAN interface to retrieve the system nameserver to be used. VLAN CLI config is not properly expanded leading to a false warning:
[ system name-server eth1.10 ]
WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option!
(cherry picked from commit 61e70c5500ad5b0a9d25bdee28d982644bad6461)
2024-03-26 | T6150: Fixed setting a static IP address by Radius in IPoE | aapostoliuk
Fixed setting a static IP address by Radius in IPoE
Allowing using named pools by default
Allowed adding 'gateway-address' without named pool.
2024-03-14 | Merge pull request #3121 from natali-rs1985/T2998-equuleus | Daniil Baturin
snmp: T2998: SNMP v3 oid "exclude" option fix
2024-03-14 | Merge pull request #3111 from nicolas-fort/T6110 | Daniil Baturin
T6110: dhcp: add error check when fail-over is enabled on a subnet, but range is not defined.
2024-03-14 | snmp: T2998: updated snmp.py | Nataliia Solomko
2024-03-13 | vrrp: T5504: Keepalived VRRP ability to set more than one peer-address | Nataliia Solomko
2024-03-12 | T6110: dhcp: add error check when fail-over is enabled on a subnet, but range is not defined. | Nicolas Fort
2024-03-11 | snmp: T2998: SNMP v3 oid "exclude" option fix | Nataliia Solomko
2024-02-13 | utils: T5239: add low-level read from config.boot | Christian Breunig
2024-02-07 | T5586: delete old systemd unit keepalived service | Viacheslav Hletenko
The custom systemd unit is not required as we generate 10-override which was implemented in https://github.com/vyos/vyos-1x/pull/2310/commits/5a6938a2e14373dfaa72211fe18deeb257d3ba12
2024-02-01 | bfd: T5967: add minimum-ttl option | Christian Breunig
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
(partially cherry-picked from 1f07dcbddfcfdbb9079936ec479c5633934dd547)
2024-01-12 | wireguard: T5924: harden migration script logic 22-to-23 | Christian Breunig
The original commit 2c1c36135 ("wireguard: T5413: Blocked adding the peer with the router's public key") did not honor the fact that there might be no private-key CLI node defined for a WireGuard interface. If this is the case, private-key defaults to "default". This fact needs to be handled in the migration script.
2024-01-09 | console: T4646: Fixed USB console issues | zsdc
* fixed the `systemctl restart` command that used a value from config instead converted to `ttyUSBX`
* moved systemd units from `/etc/` to `/run/`
(cherry picked from commit ad1236e8d72ff29e0e2215df175b6f032fba75eb)
2024-01-09 | T1297: vrrp: backport VRRP GARP options to Equuleus | Nicolas Fort
2023-12-12 | T5817: Fix for show openvpn server | Viacheslav Hletenko
In some cases we can get error:
```
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 173, in <module>
    data = get_status(args.mode, intf)
  File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 130, in get_status
    client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface)
  File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 66, in get_vpn_tunnel_address
    tunnel_ip = lst[0].split(',')[0]
IndexError: list index out of range
```
2023-12-09 | Merge pull request #2540 from aapostoliuk/T5413-equuleus | Daniil Baturin
wireguard: T5413: Blocked adding the peer with the router's public key
2023-12-04 | https: T5772: return from verify if None | John Estabrook
Signed-off-by: Daniil Baturin <daniil@baturin.org>
2023-12-04 | https: T5772: require that at least one valid API key is present | Daniil Baturin
2023-12-04 | Revert "https api: T5772: check if keys are configured" | Daniil Baturin
This reverts commit 57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e.
2023-11-30 | https: T5772: remove the default API key | Daniil Baturin
The new verification code prevents it from being used, but it's not a reason to keep it
2023-11-28 | Merge pull request #2536 from c-po/backport-pr-2527 | Christian Breunig
pppoe: T5630: make MRU default to MTU if unspecified (backport #2527)
2023-11-27 | T5763: fix imprecise check for remote file name | John Estabrook
(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)
2023-11-24 | wireguard: T5413: Blocked adding the peer with the router's public key | aapostoliuk
Disabled adding the peer with the same public key as the router has.
Backport from current https://github.com/vyos/vyos-1x/pull/2122
2023-11-23 | pppoe: T5630: make MRU default to MTU if unspecified | Christian Breunig
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU in addition to already configurable MTU") and restores the behavior that MRU defaults to MTU if MRU is not explicitly set. This was the behavior in VyOS 1.3.3 and below before we added ability to define the MRU value.
(cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
2023-11-23 | https api: T5772: check if keys are configured | Daniil Baturin
unless PAM auth is enabled for GraphQL
(cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
2023-11-20 | PAM: T5577: Optimized RADIUS PAM config | zsdc
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS

New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-16 | T4940: new interfaces debugging command equuleus | mkorobeinikov
2023-10-31 | Merge pull request #2310 from sever-sever/T5586-eq | Daniil Baturin
T5586: Disable by default SNMP for Keeplived VRRP service
2023-10-19 | vxlan: T5669: unable to change port number | Christian Breunig
set interfaces vxlan vxlan23 address '100.64.10.2/24'
set interfaces vxlan vxlan23 remote '192.0.2.1'
set interfaces vxlan vxlan23 source-address '192.0.2.5'
set interfaces vxlan vxlan23 vni '23'
commit
set interfaces vxlan vxlan23 port '4789'
commit

vyos@r1# ip -d link show dev vxlan23
12: vxlan23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 22:6e:6d:33:c5:6b brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    vxlan id 23 remote 192.0.2.1 local 192.0.2.5 srcport 0 0 dstport 8472

Port remains at the default value of 8472

This has been fixed
2023-10-08 | pppoe: T5630: verify MRU is less or equal then MTU | Christian Breunig
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
2023-09-26 | T5586: Disable by default SNMP for Keeplived VRRP service | Viacheslav Hletenko
AgentX does not work stably. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured.

set high-availability vrrp snmp
2023-09-07 | system: T5555: Fix time-zone migrator changing valid time-zones to UTC | sarthurdev
2023-09-04 | T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state | Viacheslav Hletenko
Checks if an IPv6 address on a specific network interface is in the tentative state. IPv6 tentative addresses are not fully configured and are undergoing Duplicate Address Detection (DAD) to ensure they are unique on the network.

inet6 2001:db8::3/125 scope global tentative

In the tentative state the group enters the FAULT state. Fix it.
2023-08-28 | T5428: fix DHCP address renewal/release when running in VRF | Christian Breunig
2023-09-01 | vrf: T5428: stop DHCP processes on VRF removal | Christian Breunig
This is a workaround for the priority inversion from T5492 ("CLI node priority is not inversed on node deletion"). As this is a corner case bug that's only triggered if an interface is removed from a VRF and also the VRF is removed in one commit, priorities are not honored. Thus we implement this workaround which stops the DHCP(v6) client processes on the VRF associated interfaces to get out the DHCP RELEASE message before interfaces are shut down.
(cherry picked from commit 005151f77be5cf999689cfd03620bbc39df59018)
2023-08-31 | Merge pull request #2166 from sever-sever/T5506-eq | Christian Breunig
T5506: Add link-local IPv6 address for container interfaces
2023-08-25 | T4825: Add interface type veth | Viacheslav Hletenko
Add interface type veth (Virtual ethernet)
One of the use cases is to interconnect different VRFs and the default VRF via a bridge

set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0

vyos@r1:~$ ping 10.0.0.10 count 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
2023-08-24 | http-api: T5006: add explicit async to retrieve operation | John Estabrook
2023-08-24 | T5506: Add link-local IPv6 address for container interfaces | Viacheslav Hletenko
Fix for adding IPv6 link-local address for container interfaces

set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'

% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
2023-08-19 | wifi: T5470: improve error message | Christian Breunig
(cherry picked from commit ffb798b4678f3b1bd0a40cc42b1f0477470346dc)
2023-08-17 | T5223: Fix removing key id for GRE tunnel | Viacheslav Hletenko
Fix for removing key id from GRE tunnel

Before fix:
del interfaces tunnel tun10 parameters ip key
commit
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit key 1234

After the fix:
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit
2023-07-31 | Merge pull request #2097 from aapostoliuk/T4790-equuleus | Christian Breunig
login: T4790: Added check of the sum of radius timeouts
2023-07-25 | login: T4790: Added check of the sum of radius timeouts | aapostoliuk
Added check of the sum of login radius timeouts.
It has to be less or eq 50 sec.
Added check of a number of login radius servers.
It has to be less or eq 8
Otherwise, log in to the device can be discarded.

Backported from 1.4
2023-07-19 | sshguard: T5354: Add service ssh dynamic-protection | Viacheslav Hletenko
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.

set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
2023-06-30 | bcast-relay: T5313: capitalize UDP protocol name | Christian Breunig
(cherry picked from commit a409b255acc3dc0a67058593e31b3614e20714f0)
2023-06-25 | bcast-relay: T5313: verify() relay interfaces have IPv4 address configured | Christian Breunig
(cherry picked from commit ca7c063666c038d104082542f04ead6062e79246)
2023-05-28 | router-advert: T5240: verify() that no more then 3 IPv6 name-servers configured | Christian Breunig
This is a radvd limitation.
(cherry picked from commit 8ef017a3496467433c311af63116af7657c58037)