summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-04-02ssh: T6192: allow binding to multiple VRF instancesChristian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF. (cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
2024-04-02utils: T5738: always use vyos.utils.network.interface_exists over os.path.existsChristian Breunig
(cherry picked from commit 5bb27f0c6220fd940b63cdd37a60c312c0ac3efd)
2024-04-01Merge pull request #3227 from vyos/mergify/bp/sagitta/pr-3223Daniil Baturin
system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option" (backport #3223)
2024-04-01system: T6193: invalid warning "is not a DHCP interface but uses DHCP ↵Christian Breunig
name-server option" This fixes an invalid warning when using a DHCP VLAN interface to retrieve the system nameserver to be used. VLAN CLI config is not properly expanded leading to a false warning: [ system name-server eth1.10 ] WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option! (cherry picked from commit 61e70c5500ad5b0a9d25bdee28d982644bad6461)
2024-04-01dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domainsChristian Breunig
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which was present to update /etc/resolv.conf with the DHCP specified nameservers and also the search domain list was no longer present. This commit adds a per interface rendered script to inform vyos-hostsd about the received IPv6 nameservers and search domains. (cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
2024-04-01T6178: Check that certificate exists during reverse-proxy commitkhramshinr
(cherry picked from commit 320fe827b4842b0c0da1ec5fee3d41a5730334d5)
2024-03-30Merge pull request #3216 from vyos/mergify/bp/sagitta/pr-3213Christian Breunig
bgp: T6106: Valid commit error for route-reflector-client option defined in peer-group (backport #3213)
2024-03-30image-tools: T6186: simplify image annotations fixing regressionJohn Estabrook
(cherry picked from commit 1f0c33c00118c42fc2796d99aff94c428f434d4a)
2024-03-30bgp: T6106: Valid commit error for route-reflector-client option defined in ↵khramshinr
peer-group changed exception condition Improved route_reflector_client test (cherry picked from commit 84f05b1dd41bea5de16d707aa77a467f8d499323)
2024-03-29Merge pull request #3196 from HollyGurza/T4718-sagittaDaniil Baturin
dhcp-server: T4718: Listen-address is not commited if the IP address is on the interface with a VRF
2024-03-28openvpn: T6159: Openvpn Server Op-cmd adds heading "OpenVPN status on vtunx" ↵khramshinr
for every client connection Don't show duplicate info of vtunx show header when clints is not connected but server is configured (cherry picked from commit 66a009f367f8bf274eac9a4d4e1f4f8911c85872)
2024-03-28Merge pull request #3204 from vyos/mergify/bp/sagitta/pr-2965Daniil Baturin
T5872: ipsec remote access VPN: support dhcp-interface. (backport #2965)
2024-03-28ipsec: T5606: T5871: Use multi node for CA certificatessarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended. (cherry picked from commit 952b1656f5164f6cfc601e040b48384859e7a222)
2024-03-28T5872: re-write exit hook to always regenerate configLucas Christian
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
2024-03-28T5872: further fixes to ipsec dhcp exit hookLucas Christian
(cherry picked from commit 92012a0b3db8e93b10db4137414073f0371ed8cc)
2024-03-28T5872: fix ipsec dhclient exit hookLucas Christian
(cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f)
2024-03-28T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
2024-03-28op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interfaceChristian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 - Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- eth0 - 00:50:56:bf:c5:6d default 1500 u/u eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u 172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses. This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for, has actually a dhcp address configured. In additional this exposes the renew feature to the API. (cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
2024-03-28dhcp-server: T4718: Listen-address is not commit if the ip address is on the ↵khramshinr
interface with vrf
2024-03-26bgp: T6106: fix test and verify()khramshinr
(cherry picked from commit 2ba435fa4bc8a5c9b2285fb9215ebc582bfb5fdf)
2024-03-25config-sync: T6145: batch section requests for commit by priorityJohn Estabrook
(cherry picked from commit 50e9364575481335520f50dac834c74ef02ccfab)
2024-03-24ospf: T6066: can not define the same network in different areasChristian Breunig
Users can not (FRR fails) commit the same network belonging to different OSPF areas. Add verify() check to prevent this. (cherry picked from commit c6d8d9c012da1a7566eec2dff70385457f073e64)
2024-03-24grub: T6165: increase service TimeoutSec from 5 -> 60Christian Breunig
The PCEngines APU2 systems with mSATA disks tend to be very slow. This results in a service startup error: $ systemctl status vyos-grub-update × vyos-grub-update.service - Update GRUB loader configuration structure Loaded: loaded (/lib/systemd/system/vyos-grub-update.service; enabled; preset: enabled) Active: failed (Result: timeout) since Sun 2024-03-24 08:48:10 UTC; 14min ago Main PID: 779 (code=killed, signal=TERM) CPU: 869ms Mar 24 08:48:05 LR4.wue3 systemd[1]: Starting vyos-grub-update.service - Update GRUB loader configuration structure... Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: start operation timed out. Terminating. Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Main process exited, code=killed, status=15/TERM Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Failed with result 'timeout'. Mar 24 08:48:10 LR4.wue3 systemd[1]: Failed to start vyos-grub-update.service - Update GRUB loader configuration structure. Measunring on an APU2 system after boot and memory is "hot", it still needs almost 17 seconds to complete the job cpo@LR4.wue3:~$ time sudo /usr/libexec/vyos/system/grub_update.py real 0m16.803s user 0m0.018s sys 0m0.028s (cherry picked from commit 5a12645cb25fb23f2195db1e2e977a69d0788d01)
2024-03-24Merge pull request #3163 from vyos/mergify/bp/sagitta/pr-3157Viacheslav Hletenko
vti: T6085: bring VTI interfaces up only when the IPsec tunnel is up (backport #3157)
2024-03-23Merge pull request #3162 from HollyGurza/T5164-sagittaChristian Breunig
dhcp: T5164: op cmd: "show dhcp server leases state" with available o…
2024-03-22isis: T6160: NameError: name 'process' is not definedChristian Breunig
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain" node identifying the IS-IS process name). Drop all references to "process" variable. Specifying: set protocols isis interface eth1 set protocols isis net '49.0001.1921.6825.5255.00' set protocols isis redistribute ipv4 bgp Triggered an exception Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module> verify(c) File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify f'"protocols isis {process} redistribute {afi} {proto}"!') ^^^^^^^ NameError: name 'process' is not defined (cherry picked from commit 78212414e085d6261a32015553eb3e407f77792f)
2024-03-22policy: T6130: Revert commit 960caceaapostoliuk
This reverts commit 960cace189d7ace2bea0968646b1348b415e0363. All community rules syntax was changed. T5357 is invalid bug report. VyOS cannot use new configuration syntax in the previous versions. (cherry picked from commit 72378c67ef1eee01a06e2f9a194a0870c6a7fdd2)
2024-03-21vti: T6085: interface is always down and only enabled by IPSec daemonChristian Breunig
When a VTI interface is just created, it is in ADMIN UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected. This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected. This changes to logic so ADMIN UP/DOWN state can only be changed by the vti-up-down helper script. Error was introduced during the Perl -> Python migration and move to the generic vyos.ifconfig abstraction during the 1.4 development cycle. (cherry picked from commit 9eb018c4935235d292d7c693ac15da5761be064a)
2024-03-21dhcp: T5164: op cmd: "show dhcp server leases state" with available options ↵khramshinr
does not show any result
2024-03-21conntrack: T6147: Enable conntrack when firewall state-policy is definedsarthurdev
* Move global state-policy smoketest to it's own test, verify conntrack (cherry picked from commit 62bda3b082a79c2f31483dba5bfeb19464f6dbe2)
2024-03-19Merge pull request #3152 from vyos/mergify/bp/sagitta/pr-3150Daniil Baturin
T6138: Fix op-mode show conntrack table with flowtable offloads (backport #3150)
2024-03-19T6138: Fix op-mode show conntrack table with flowtable offloadsViacheslav Hletenko
The op-mode command `show conntrack table ipv4` fails if gets a conntrack entrie with `flowtable` offload. Those entries do not have key `timeout` ``` File "/usr/libexec/vyos/op_mode/conntrack.py", line 115, in get_formatted_output timeout = meta['timeout'] ~~~~^^^^^^^^^^^ ``` Use the timeout `n/a` for those offload conntrack entries (cherry picked from commit a75be3b6814dd39711c157c29405ee6bd83993f5)
2024-03-18T6136: add error checks when using dynamic firewall groupsNicolas Fort
(cherry picked from commit e2df1f4929774792c1d4bfb78c2dfa5bdf7f0825)
2024-03-18T6121: Extend service config-sync to new sectionsViacheslav Hletenko
Extend `service config-sync` with new sections: - LeafNodes: pki, policy, vpn, vrf (syncs the whole sections) - Nodes: interfaces, protocols, service (syncs subsections) In this cae the Node allows to uses the next level section i.e subsection For example any of the subsection of the node `interfaces`: - set service config-sync section interfaces pseudo-ethernet - set service config-sync section interfaces virtual-ethernet Example of the config: ``` set service config-sync mode 'load' set service config-sync secondary address '192.0.2.1' set service config-sync secondary key 'xxx' set service config-sync section firewall set service config-sync section interfaces pseudo-ethernet set service config-sync section interfaces virtual-ethernet set service config-sync section nat set service config-sync section nat66 set service config-sync section protocols static set service config-sync section pki set service config-sync section vrf ``` (cherry picked from commit 25b611f504521181f85cb4460bfdfd702c377b5e)
2024-03-16T6090: fix policy route migration script. Ensure that tcp flags migration ↵Nicolas Fort
occurs also if only <policy route> is defined. (cherry picked from commit 1048f49e403d7ce3df379bbf48e7fcc60a74e67b)
2024-03-13Merge pull request #3129 from vyos/mergify/bp/sagitta/pr-3125Daniil Baturin
radvd: T6118: add nat64prefix support RFC8781 (backport #3125)
2024-03-13Merge pull request #3128 from vyos/mergify/bp/sagitta/pr-3093Christian Breunig
T2447: add configurable kernel boot option 'disable-power-saving' (backport #3093)
2024-03-13radvd: T6118: add nat64prefix support RFC8781Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600. set service router-advert interface eth1 nat64prefix 64:ff9b::/96 (cherry picked from commit f1ead5c6a16aba00699b8a5b9c18ef6cffe8cc4d)
2024-03-13T2447: add configurable kernel boot option 'disable-power-saving'Christian Breunig
Lower available CPU C states to a minimum if this option set. This will set Kernel commandline options "intel_idle.max_cstate=0 processor.max_cstate=1". (cherry picked from commit 3a3e0dff4ff1f80835eca6b2362d792e3ecacc8e)
2024-03-13grub: T4548: Fixed configuration files orderzsdc
To iterate files on ext* file systems GRUB reads their inodes one by one, ignoring names. This breaks our configuration logic that relies on proper loading order. This commit adds a helper `sort_inodes()` that needs to be used whenever GRUB configuration files are created. It recreates files, changing their inodes in a way where inodes order matches alphabetical order. (cherry picked from commit f74923202311e853b677e52cd83bae2be9605c26)
2024-03-12conntrack: T5080: Fix rule order for applied conntrack modulessarthurdev
(cherry picked from commit 1fbda31623054ee944d063f738e4d1d4170341ef)
2024-03-12vrrp: T6020: vrrp health-check script not applied correctly in keepalived.confkhramshinr
Added health-check to sync-group in CLI Don't use instance health-check when instance in sync group member Disallow wrong healtch-check configurations New smoke test
2024-03-10firewall: T6071: truncate rule description field to 255 charactersChristian Breunig
(cherry picked from commit 259ef4740413b39da9b122db19c549eeec88114c)
2024-03-06T6075: firewall and NAT: check if interface-group exists when using them in ↵Nicolas Fort
firewall|nat rules. (cherry picked from commit 3c0634e572ffdecaf24a9dac16678427f22761ab)
2024-03-06T6096: Config commits are not synced properly because 00vyos-sync is deleted ↵Apachez
by vyos-router (cherry picked from commit 433faaa9fe7d7dfc02db78ff039e772f5037037a)
2024-03-06Merge pull request #3086 from vyos/mergify/bp/sagitta/pr-3079Christian Breunig
T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug (backport #3079)
2024-03-05http-api: T6069: fix allocation outside of thread lockJohn Estabrook
(cherry picked from commit 7503e419d0dbc9ba81f7299d9df173c0a82f20da)
2024-03-05T6084: Add NHRP dependency for IPsec and fix NHRP empty config bugViacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue (cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
2024-03-04ospfv3: T6087: add support to redistribute IS-IS routesChristian Breunig
(cherry picked from commit 6a97fdfa1ba9b4135a51498ea5acabb804256b2c)
2024-03-02Merge pull request #3062 from sarthurdev/T6079_sagittaDaniil Baturin
dhcp-server: T6079: Disable duplicate static-mappings on migration