summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2020-07-19Merge pull request #507 from jjakob/nft-translation-address-T2709Christian Poessinger
nat: T2709: remove 'translation address' mandatory check
2020-07-19nat: T2709: remove 'translation address' mandatory checkJernej Jakob
Rules without a translation address are also valid, they'll modify just the port and leave the address intact. This also used to be a valid syntax and it caused an error on upgrade.
2020-07-19Merge pull request #500 from dmbaturin/currentDaniil Baturin
Improve readability of the port validation. Also fixes T2708.
2020-07-19broadcast-relay: T2712: migrate to get_config_dict()Christian Poessinger
Add additional verify() stage to check that the relaying interface actually exists on the system.
2020-07-16pseudo-ethernet: T2626: Fix for changing interface modesrividya0208
Since it is not impossible to change MACVLAN interface mode on the fly, this fix adds a new one trigger to recreate it from scratch if the mode changed in system config
2020-07-16Improve the readability of the port validation. Also fixes T2708.Daniil Baturin
2020-07-15flow-accounting: T2695: Fixed crash on viewing flows with incomplete datazsdc
If flow records contain entries with skipped details, this does not allow preparing it for the output table. This fix use safe .get() function to return empty values instead crashing. Also, added several small formatting fixes.
2020-07-15http-client: T2651: support specifying source-interface/address for curlChristian Poessinger
Please note that either interface or address can be configured. system { options { http-client { source-interface eth0 source-address 1.1.1.1 } } }
2020-07-12snmp: T2687: replace 3rd party hash library with custom codeChristian Poessinger
The 3rd party library used for calculating the SNMP hashes in advance only worked for SHA and nod for MD5 as SHA was hardcoded [1]. The code has been replaced by a class-less implementation providing only the required functionality. [1]: https://github.com/TheMysteriousX/SNMPv3-Hash-Generator/issues/2
2020-07-12nat: T2699: fix exclusion rules for noNAT destinationsChristian Poessinger
2020-07-11snmp: T2687: precalculate snmpv3 encrypted keysChristian Poessinger
As of now when adding new credentials for any SNMPv3 user we submit the credential either plaintext or encrypted. A plaintext credential will be hashed by SNMPd in the background and then passed back into the CLI so it's not stored in cleartext. This feels like the wrong way in changing the CLI content with data produced by a 3rd party daemon which implements the service. It feels like the tail wiggles the entire dog. This should be changed in the following way: - After retrieving the plaintext password from CLI, use Python to hash the key in advance - Re-populate the encrypted key into the CLI and drop the plaintext one - Generate service configuration and continue startup of SNMPd This also fixes a race condition when SNMPd started up but not properly provided the hasehd keys in the configuration resulting in a ConfigurationError. Now as we also support binding SNMPd to a VRF this fixes a deadlock situation on bootup as we can only bind late to the VRF and require up to 5 restarts of the service - but the service will never start.
2020-07-07ssh: T2691: bugfix loglevel config migrationChristian Poessinger
When migrating the conf from VyOS 1.2 to 1.3 a configuration error could appear if the user specified "info" as loglevel instead of "INFO". There was no input validation done in 1.2 but this is now enforced in 1.3. In VyOS 1.3 loglevel will be always lowercase on the CLI and when migrating the config this is transformed. Also VyOS 1.2 accpeted any arbitrary loglevel. If an invalid loglevel is found it will be set to info.
2020-07-04snmp: vrf: T2682: support restart on failure indefinitely.Christian Poessinger
Linux tries to bind sshd to the VRF but it is yet not ready - for any arbitrary reason. After restarting SSH to often (rate-limiting) it is blocked by systemd. Using Restart/RestartSec is not enough - systemd services use start rate limiting (enabled by default). If service is started more than StartLimitBurst times in StartLimitIntervalSec seconds is it not permitted to start any more. Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and DefaultStartLimitBurst (default 5).
2020-07-04cleanup: no need to call sudo for configuration mode scriptsChristian Poessinger
2020-07-04ids: T2659: Add get_first_key to get_config_dictDmitriyEshenko
2020-07-04Merge pull request #487 from DmitriyEshenko/1x-impl-fnmDaniil Baturin
ids: T2659: Implement fastnetmon support
2020-07-03ids: T2659: Implement fastnetmon supportDmitriyEshenko
2020-07-03ntp: T2676: mive to get_config_dict()Christian Poessinger
2020-07-01config: T2667: add missing flagJohn Estabrook
2020-07-01Merge pull request #486 from jestabro/sub_dictChristian Poessinger
2020-07-01config: T2667: adapt for refinements to get_config_dictJohn Estabrook
2020-07-01ifconfig: T2653: use better names for vyos.configverify functionsChristian Poessinger
2020-07-01ifconfig: T2653: move pppoe interface to get_config_dict()Christian Poessinger
2020-06-29tunnel: T2649: ConfigurationState, do not inherit from ConfigThomas Mangin
2020-06-28wwan: T2660: remove workaround - use XML backed default dictChristian Poessinger
2020-06-27ifconfig: T2653: move wirelessmodem (WWAN) interface to get_config_dict()Christian Poessinger
2020-06-27xml: T2656: do not flatten dict by defaultChristian Poessinger
2020-06-27ifconfig: T2653: macsec switch to default dictionaryChristian Poessinger
2020-06-27Merge pull request #480 from c-po/t2653Christian Poessinger
ifconfig: T2653: move macsec interface to get_config_dict()
2020-06-27ifconfig: T2653: dummy: loopback: use same get_config() structure as MACsecChristian Poessinger
2020-06-27ifconfig: T2653: move macsec interface to get_config_dict()Christian Poessinger
2020-06-26T2654: Remove overzealous error checkingkroy
2020-06-26ifconfig: T2653: add common vyos.configverify helpersChristian Poessinger
While moving towards a general interface abstraction based on get_config_dict() and the use of vyos.ifconfig.Interfaces().update() it also makes sense, to split out common verification code to a common util file - instead of duplicating the code, which is infact one of the main forces drivind this transition. vyos.configverify will hold common functions called via verify() from our src/conf_mode scripts so we do not need to copy/paste general verifications methods.
2020-06-26migration: interfaces: T2622: fix pseudo-ethernet migrationChristian Poessinger
By implementation misstake we exited the migrationscript if no VXLAN interface was found but this was wrong as the same loop is used on pseudo-ethernet interfaces. The Migrator previously only worked on pseudo-ethernet when also a VXLAN interface was present. This has been corrected.
2020-06-26ifconfig: T2653: move loopback interface to get_config_dict()Christian Poessinger
2020-06-26ifconfig: T2653: move dummy interface to get_config_dict()Christian Poessinger
This changes the dummy interface implementation to make use of get_config_dict() and also implement a new vyos.ifconfig.Interface().update() function to gather all the scattered calls to update common interface configuration options. Derived classes of Interface() should extend update() to their needs for their special interface type - e.g. bond or bridge.
2020-06-25T2487: add an exception for the case when VRRP stats aren't available.Daniil Baturin
2020-06-24dictconfig: T2637: identify sub-interfaces (vif) to deleteThomas Mangin
2020-06-23ssh: T2635: migrate to get_config_dict()Christian Poessinger
Jinja template contains some workarounds like {% if port is string %}, this depends of the resolution of https://phabricator.vyos.net/T2636
2020-06-23Merge pull request #472 from thomas-mangin/T2633Christian Poessinger
tunnel: T2633: add support for ip (arp) commands
2020-06-23wireguard: T2632: support PSK on multiple peersChristian Poessinger
It was not possible to configure two WG peers with both utilized a pre-shared key. This has been corrected. WG psk can only be read from a file when starting the interface. The code for creating this temporary file has been moved into the ifconfig.WireGuardIf() class. Tested with: ============ set interfaces wireguard wg0 address '192.0.2.0/31' set interfaces wireguard wg0 peer one allowed-ips '0.0.0.0/0' set interfaces wireguard wg0 peer one preshared-key 'e+SIIUcrnrSDHhbTtpjwKhSlSdUALA5ZvoCjfQXcvmA=' set interfaces wireguard wg0 peer one pubkey '/qQGAQ2HfLSZBSCpdgps04r9wRlK7bSFraCH9+MScmw=' set interfaces wireguard wg0 peer two allowed-ips '0.0.0.0/0' set interfaces wireguard wg0 peer two pubkey '/qQGAQ2HfLSZBSCpdgfooor9wRlK7bSFraCH9+MScmw='
2020-06-23tunnel: T2633: add support for ip (arp) commandsThomas Mangin
2020-06-22vpn: sstp: T2008: fix improper use of fail-time dictionary keyChristian Poessinger
2020-06-22vpn: pptp: T2351: fix improper use of fail-time dictionary keyChristian Poessinger
2020-06-22vpn: l2tp: T2264: fix improper use of fail-time dictionary keyChristian Poessinger
2020-06-22pppoe-server: T2314: fix improper use of fail-time dictionary keyChristian Poessinger
2020-06-22Merge branch 'default-dict' of github.com:c-po/vyos-1x into currentChristian Poessinger
* 'default-dict' of github.com:c-po/vyos-1x: console-server: T2588: migrate to defaults from XML interface definitions xml: T2588: add gitignore for generated defaults xml: T2588: code to extract defaults values from xml Debian: remove duplicate build dependency xml: ssh: fix typo in service description
2020-06-22console-server: T2588: migrate to defaults from XML interface definitionsChristian Poessinger
2020-06-22rip: T2547: rewriten implementation in Python and XMLViacheslav Hletenko
2020-06-22Merge pull request #452 from jjakob/T2486-dns-hostsd-fixesDaniil Baturin
T2486: DNS, vyos-hostsd fixes