summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-02-07init: T2044: only start rpki if cache is configuredChristian Breunig
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during system boot") to check the bootup configuration if an RPKI cache is defined. Only start RPKI if this is the case. (cherry picked from commit 9b8e11e078c42e3ae86ebfa45fec57336f25a0af)
2024-02-07vpn: T3843: l2tp configuration not cleared after deletekhramshinr
vpn: T5926: IPSEC does not apply after l2tp configuration was changed added dependency between l2tp and ipsec conf added test for apply config to swanctl (cherry picked from commit e697ed1e7fd5c33f8082b2f4f96c42fc822ec9a5)
2024-02-06Merge pull request #2948 from vyos/mergify/bp/sagitta/pr-2941Christian Breunig
image-tools: T6016: wait for umount in cleanup function (backport #2941)
2024-02-06image-tools: T6016: wait for umount in cleanup functionJohn Estabrook
(cherry picked from commit d80530c48a78dfeb55293494a257f6234b0ef76d)
2024-02-06T5921: Fix OpenConnect verify for local usersViacheslav Hletenko
Fix verify error for the VPN OpenConnect configuration with local authentication and without any user File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify if not ocserv["authentication"]["local_users"]: KeyError: 'local_users' (cherry picked from commit 71644dfed63f6248525db3c3bc9493c059707a2a)
2024-02-06Merge pull request #2942 from srividya0208/debug-ipsecViacheslav Hletenko
op-mode:T6015:Fix for charon file generated by ipsec debug script
2024-02-06op-mode:T6015:Fix the charon file generated by ipsec debug scriptsrividya0208
2024-02-06rpki: T6011: known-hosts-file is no longer supported by FRRChristian Breunig
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
2024-02-02container: T5955: allow setting uid/gidPiotr Maksymiuk
(cherry picked from commit 52e9707a43290f5f826766e2c42c5f0db3c9adec)
2024-02-02Merge pull request #2928 from vyos/mergify/bp/sagitta/pr-2891Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
2024-02-02T5971: Rewritten ppp options in accel-ppp servicesaapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP. (cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
2024-02-01ddclient: T5966: Streamline dynamic dns op-mode configurationIndrajit Raychaudhuri
Update op-mode for dynamic dns to standardize on `vyos.opmode`. All methods of `op_mode/dns_dynamic.py` are now available in standardized `op_mode/dns.py`. Move op-mode command `update dns dynamic` to `reset dns dynamic` to reflect that it is not an update but a reset of the dynamic dns service. Also, make the help texts more consistent for all op-mode commands for `dns dynamic` and `dns forwarding`.
2024-02-01ddclient: T5966: Migration script for dynamic dns config subpath changeIndrajit Raychaudhuri
2024-02-01ddclient: T5966: Adjust dynamic dns config address subpathIndrajit Raychaudhuri
Modify the dynamic dns configuration 'address' subpath for better clarity on how the address is obtained. Additionally, remove `web-options` and fold those options under the path `address web`.
2024-02-01Merge pull request #2924 from vyos/mergify/bp/sagitta/pr-2756Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
2024-02-01Merge pull request #2922 from vyos/mergify/bp/sagitta/pr-2854Christian Breunig
dns: T5959: Streamline dns forwarding service (backport #2854)
2024-02-01T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01Merge pull request #2916 from vyos/mergify/bp/sagitta/pr-2832Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
2024-02-01dns: T5959: Streamline dns forwarding serviceIndrajit Raychaudhuri
Streamline configuration and operation of dns forwarding service in following ways: - Remove `dns_forwarding_reset.py` as its functionality is now covered by `dns.py` - Adjust function names in `dns.py` to disambiguate between DNS forwarding and dynamic DNS - Remove `dns_forwarding_restart.sh` as its functionality is inlined in `dns-forwarding.xml` - Templatize systemd override for `pdns-recursor.service` and move the generated override files in /run. This ensures that the override files are always generated afresh after boot - Simplify the systemd override file by removing the redundant overrides - Relocate configuration path for pdns-recursor to `/run/pdns-recursor` and utilize the `RuntimeDirectory` default that pdns-recursor expects - We do not need to use custom `--socket-dir` path anymore, the default path (viz., `/run/pdns-recursor` is fine) (cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)
2024-02-01dns: T4578: Remove unnecessary dns forwarding statistics scriptIndrajit Raychaudhuri
(cherry picked from commit 119efb6d8d353482d598287f49e22aa68a22e960)
2024-02-01Merge pull request #2915 from vyos/mergify/bp/sagitta/pr-2914Christian Breunig
bgp: T5930: Denied using rt vpn 'export/import' with 'both' together (backport #2914)
2024-02-01Merge pull request #2917 from vyos/mergify/bp/sagitta/pr-2890Christian Breunig
T5941: Migration policy delete orphaned interface policy (backport #2890)
2024-02-01T5941: Migration QoS delete orphaned interface traffic-policyViacheslav Hletenko
We can get an orphaned interface traffic-policy when the traffic-policy name is removed from the interface, but the node `trffic-policy` is still attached to the interface For exmaple we have orphaned node traffic-policy on an interface: ``` set interfaces bonding bond0 vif 995 traffic-policy ``` This causes of incorrect migration and we do not see VLANs on the bonding interface after update. Delete traffic-policy from all interfaces if traffic-policy does not exist (cherry picked from commit ca43e517408168ad1f12a3e5bc6f2d97f510faee)
2024-02-01T5941: Migration policy delete orphaned interface policyViacheslav Hletenko
We can get orphaned interface policy when the policy name was removed from the interface but the node `policy` still attached to the interface For exmaple we have orphaned node policy on interface: ``` set interfaces bonding bond0 vif 995 policy ``` This causes of incorrect migration and we do not see VLANs on the bonding interface after update. Delete policy from all interfaces if policy does not exist (cherry picked from commit 53670e1fb201cf1d27b01b4bc796ff097f82552d)
2024-02-01T5865: Moved ipv6 pools to named ipv6 pools in accel-pppaapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services (cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
2024-02-01bgp: T5930: Denied using rt vpn 'export/import' with 'both' togetheraapostoliuk
Denied using command 'route-target vpn export/import' with 'both' together in bgp configuration. (cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
2024-01-30Merge pull request #2888 from vyos/mergify/bp/sagitta/pr-2886John Estabrook
system-option: T5979: Add configurable kernel boot options (backport #2886)
2024-01-30vrf: T5973: fix has_rule() to check for l3mdev ruleChristian Breunig
A code path was missing to check if only priority is available in the result of "ip --json -4 rule show", in the case of l3mdev it's a dedicated key! (cherry picked from commit a009143a62caca207fdffffcf0b490c747a87025)
2024-01-30vrf: T5973: move initial conntrack firewall table to startupChristian Breunig
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code. (cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
2024-01-30vrf: T5973: ensure Kernel module is loadedChristian Breunig
This prevents the following error when configuring the first VRF: sysctl: cannot stat /proc/sys/net/vrf/strict_mode: No such file or directory (cherry picked from commit a821b8c603999665ce8a77acb0e44a743811992a)
2024-01-30https: T6000: fix error in migration of path https certbotJohn Estabrook
(cherry picked from commit f057075409b024a18ea8a39b5e128fcde988c00e)
2024-01-29image-tools: T5988: validate image name in add_imageJohn Estabrook
Add missing name validation in add_image, and fix typo in error msg string. (cherry picked from commit 0a66ba35d12f0451a88ed7cc3e3ae2ae90e38d6e)
2024-01-25T5817: Fix for show openvpn serverViacheslav Hletenko
In some cases we can get error: ``` Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 173, in <module> data = get_status(args.mode, intf) File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 130, in get_status client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface) File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 66, in get_vpn_tunnel_address tunnel_ip = lst[0].split(',')[0] IndexError: list index out of range ``` (cherry picked from commit 58683a2444877bb989929625ad40a7d76259075d)
2024-01-23T5979: add configurable kernel boot option 'disable-mitigations'Christian Breunig
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
2024-01-23bfd: T5967: add minimum-ttl optionChristian Breunig
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254> * set protocols bfd profile <name> minimum-ttl <1-254> (cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
2024-01-22Merge pull request #2880 from sarthurdev/T5787_disabledbpChristian Breunig
dhcp: T5787: Allow disabled duplicates on static-mapping (backport)
2024-01-22dhcp: T5787: Allow disabled duplicates on static-mapping (backport)sarthurdev
2024-01-22op-mode: T5975: add missing 2FA OTP commandsChristian Breunig
2024-01-22op-mode: T5658: fix mtr.py permissionsChristian Breunig
2024-01-22op-mode: T5137: fix show_techsupport_report.py permissionsChristian Breunig
2024-01-22op-mode: T4864: fix zone.py permissionsChristian Breunig
2024-01-22op-mode: T5969: list multicast group membershipChristian Breunig
cpo@LR1.wue3:~$ show ip multicast group interface eth0.201 Interface Family Address ----------- -------- --------- eth0.201 inet 224.0.0.6 eth0.201 inet 224.0.0.5 eth0.201 inet 224.0.0.1 cpo@LR1.wue3:~$ show ipv6 multicast group interface eth0 Interface Family Address ----------- -------- ----------------- eth0 inet6 ff02::1:ff00:0 eth0 inet6 ff02::1:ffbf:c56d eth0 inet6 ff05::2 eth0 inet6 ff01::2 eth0 inet6 ff02::2 eth0 inet6 ff02::1 eth0 inet6 ff01::1 (cherry picked from commit 3eea8dbed1bd201373eb8a452239d9565d468b33)
2024-01-22T5958: QoS add basic implementation of policy shaper-hfscViacheslav Hletenko
QoS policy shaper-hfsc was not implemented after rewriting the traffic-policy to qos policy. We had CLI but it does not use the correct class. Add a basic implementation of policy shaper-hfsc. Write the class `TrafficShaperHFS` (cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
2024-01-22sflow: T5968: add VRF supportChristian Breunig
Add support to run hsflowd in a dedicated (e.g. management) VRF. Command will be "set system sflow vrf <name>" like with any other service (cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
2024-01-22Merge pull request #2856 from c-po/firewall-backportsChristian Breunig
firewall: T5729: T5681: T5217: backport subsystem from current branch
2024-01-22firewall: T5729: T5681: T5217: backport subsystem from current branchChristian Breunig
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
2024-01-21ntp: T5692: add support to configure leap second behaviorChristian Breunig
* set service ntp leap-second [ignore|smear|system|timezone] Where timezone is the new and old default resulting in adding "leapsectz right/UTC" to chrony.conf. The most prominent new option is "smear" which will add leapsecmode slew maxslewrate 1000 smoothtime 400 0.001 leaponly to chrony. See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for additional information (cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
2024-01-21dhcp: T3316: add deprecation warning on RAW ISC DHCPD optionsChristian Breunig
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while moving to KEA as DHCP server. * set service dhcp-server global-parameters * set service dhcp-server shared-network-name <name> shared-network-parameters * set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters Please open feature requests if any DHCP option is missing and should be added as a proper CLI node to make your life easier.
2024-01-19Merge pull request #2853 from c-po/sagittaChristian Breunig
dhcp: T5952: validate duplicate MAC and IP address in static-mappings incl. smoketests
2024-01-18conntrack: T5376: T5779: backport from currentChristian Breunig
Backport of the conntrack system from current branch. (cherry picked from commit fd0bcaf12) (cherry picked from commit 5acf5aced) (cherry picked from commit 42ff4d8a7) (cherry picked from commit 24a1a7059)