summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-03-28Merge pull request #3202 from sarthurdev/T5606_1Daniil Baturin
ipsec: T5606: T5871: Use multi node for CA certificates
2024-03-28Merge pull request #2965 from lucasec/t5872Daniil Baturin
T5872: ipsec remote access VPN: support dhcp-interface.
2024-03-28ipsec: T5606: T5871: Use multi node for CA certificatessarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
2024-03-28op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interfaceChristian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 - Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- eth0 - 00:50:56:bf:c5:6d default 1500 u/u eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u 172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses. This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for, has actually a dhcp address configured. In additional this exposes the renew feature to the API.
2024-03-26bgp: T6106: fix test and verify()khramshinr
2024-03-25T6171: migrate <set service dhcp-server failover> to <set service ↵Nicolas Fort
dhcp-server high-availability>.
2024-03-24ospf: T6066: can not define the same network in different areasChristian Breunig
Users can not (FRR fails) commit the same network belonging to different OSPF areas. Add verify() check to prevent this.
2024-03-24Merge pull request #3179 from c-po/grub-T6165John Estabrook
grub: T6165: increase service TimeoutSec from 5 -> 60
2024-03-24grub: T6165: increase service TimeoutSec from 5 -> 60Christian Breunig
The PCEngines APU2 systems with mSATA disks tend to be very slow. This results in a service startup error: $ systemctl status vyos-grub-update × vyos-grub-update.service - Update GRUB loader configuration structure Loaded: loaded (/lib/systemd/system/vyos-grub-update.service; enabled; preset: enabled) Active: failed (Result: timeout) since Sun 2024-03-24 08:48:10 UTC; 14min ago Main PID: 779 (code=killed, signal=TERM) CPU: 869ms Mar 24 08:48:05 LR4.wue3 systemd[1]: Starting vyos-grub-update.service - Update GRUB loader configuration structure... Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: start operation timed out. Terminating. Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Main process exited, code=killed, status=15/TERM Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Failed with result 'timeout'. Mar 24 08:48:10 LR4.wue3 systemd[1]: Failed to start vyos-grub-update.service - Update GRUB loader configuration structure. Measunring on an APU2 system after boot and memory is "hot", it still needs almost 17 seconds to complete the job cpo@LR4.wue3:~$ time sudo /usr/libexec/vyos/system/grub_update.py real 0m16.803s user 0m0.018s sys 0m0.028s
2024-03-22config-sync: T6145: batch section requests for commit by priorityJohn Estabrook
2024-03-22isis: T6160: NameError: name 'process' is not definedChristian Breunig
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain" node identifying the IS-IS process name). Drop all references to "process" variable. Specifying: set protocols isis interface eth1 set protocols isis net '49.0001.1921.6825.5255.00' set protocols isis redistribute ipv4 bgp Triggered an exception Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module> verify(c) File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify f'"protocols isis {process} redistribute {afi} {proto}"!') ^^^^^^^ NameError: name 'process' is not defined
2024-03-21xml: T6146: add utils and helper to provide priority dataJohn Estabrook
2024-03-21Merge pull request #3157 from c-po/vti-T6085Daniil Baturin
vti: T6085: interface is always down and only enabled by IPSec daemon
2024-03-21Merge pull request #3153 from aapostoliuk/T6130-circinusChristian Breunig
policy: T6130: Revert commit 960cace
2024-03-20conntrack: T6147: Enable conntrack when firewall state-policy is definedsarthurdev
* Move global state-policy smoketest to it's own test, verify conntrack
2024-03-20vti: T6085: interface is always down and only enabled by IPSec daemonChristian Breunig
When a VTI interface is just created, it is in ADMIN UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected. This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected. This changes to logic so ADMIN UP/DOWN state can only be changed by the vti-up-down helper script. Error was introduced during the Perl -> Python migration and move to the generic vyos.ifconfig abstraction during the 1.4 development cycle.
2024-03-19policy: T6130: Revert commit 960caceaapostoliuk
This reverts commit 960cace189d7ace2bea0968646b1348b415e0363. All community rules syntax was changed. T5357 is invalid bug report. VyOS cannot use new configuration syntax in the previous versions.
2024-03-19T6138: Fix op-mode show conntrack table with flowtable offloadsViacheslav Hletenko
The op-mode command `show conntrack table ipv4` fails if gets a conntrack entrie with `flowtable` offload. Those entries do not have key `timeout` ``` File "/usr/libexec/vyos/op_mode/conntrack.py", line 115, in get_formatted_output timeout = meta['timeout'] ~~~~^^^^^^^^^^^ ``` Use the timeout `n/a` for those offload conntrack entries
2024-03-18T6136: add error checks when using dynamic firewall groupsNicolas Fort
2024-03-16Merge pull request #3112 from Ingramz/add-rtsp-2Christian Breunig
conntrack: T4022: add RTSP conntrack helper
2024-03-16Merge pull request #3132 from sever-sever/T6121Christian Breunig
T6121: Extend service config-sync to new sections
2024-03-15T6090: fix policy route migration script. Ensure that tcp flags migration ↵Nicolas Fort
occurs also if only <policy route> is defined.
2024-03-15T6121: Extend service config-sync to new sectionsViacheslav Hletenko
Extend `service config-sync` with new sections: - LeafNodes: pki, policy, vpn, vrf (syncs the whole sections) - Nodes: interfaces, protocols, service (syncs subsections) In this cae the Node allows to uses the next level section i.e subsection For example any of the subsection of the node `interfaces`: - set service config-sync section interfaces pseudo-ethernet - set service config-sync section interfaces virtual-ethernet Example of the config: ``` set service config-sync mode 'load' set service config-sync secondary address '192.0.2.1' set service config-sync secondary key 'xxx' set service config-sync section firewall set service config-sync section interfaces pseudo-ethernet set service config-sync section interfaces virtual-ethernet set service config-sync section nat set service config-sync section nat66 set service config-sync section protocols static set service config-sync section pki set service config-sync section vrf ```
2024-03-13Merge pull request #3125 from c-po/radvd-T6118Daniil Baturin
radvd: T6118: add nat64prefix support RFC8781
2024-03-13Merge pull request #3126 from zdc/T4548-circinusChristian Breunig
grub: T4548: Fixed GRUB configuration files order
2024-03-13grub: T4548: Fixed configuration files orderzsdc
To iterate files on ext* file systems GRUB reads their inodes one by one, ignoring names. This breaks our configuration logic that relies on proper loading order. This commit adds a helper `sort_inodes()` that needs to be used whenever GRUB configuration files are created. It recreates files, changing their inodes in a way where inodes order matches alphabetical order.
2024-03-12radvd: T6118: add nat64prefix support RFC8781Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600. set service router-advert interface eth1 nat64prefix 64:ff9b::/96
2024-03-12conntrack: T4022: add RTSP conntrack helperIndrek Ardel
2024-03-12Merge pull request #3123 from sarthurdev/T5080_orderChristian Breunig
conntrack: T5080: Fix rule order for applied conntrack modules
2024-03-12conntrack: T5080: Fix rule order for applied conntrack modulessarthurdev
2024-03-11T5872: re-write exit hook to always regenerate configLucas Christian
2024-03-10T6114: fix broken migration dhcpv6-server 4-to-5Lucas Christian
2024-03-10T5872: further fixes to ipsec dhcp exit hookLucas Christian
2024-03-10T5872: fix ipsec dhclient exit hookLucas Christian
2024-03-10T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
2024-03-10Merge pull request #3113 from c-po/firewall-T6071Daniil Baturin
firewall: T6071: truncate rule description field to 255 characters
2024-03-10firewall: T6071: truncate rule description field to 255 charactersChristian Breunig
2024-03-09Merge pull request #3106 from sarthurdev/T6102Daniil Baturin
dhcp: T6102: Fix clear DHCP lease op-mode
2024-03-07Merge pull request #2966 from HollyGurza/T6020Daniil Baturin
vrrp: T6020: vrrp health-check script not applied correctly
2024-03-07Merge pull request #1740 from sarthurdev/tpm_luksDaniil Baturin
config: T4919: Add support for encrypted config with TPM
2024-03-07config: T4919: Support copying encrypted volumes during installsarthurdev
Re-implements https://github.com/vyos/vyatta-cfg-system/pull/194
2024-03-07config: T4919: mount/unmount encrypted config on VyOS start/stopsarthurdev
Re-implements https://github.com/vyos/vyatta-cfg/pull/54
2024-03-07config: T4919: Add support for encrypted config file with TPMsarthurdev
2024-03-06dhcp: T6102: Fix clear DHCP lease op-modesarthurdev
* Add `clear dhcpv6-server lease` * Standardize using vyos.opmode
2024-03-06Merge pull request #3088 from nicolas-fort/T6075Daniil Baturin
T6075: firewall and NAT: check if interface-group exists when using them in firewall|nat rules.
2024-03-06Merge pull request #3085 from Apachez-/T6096Christian Breunig
T6096: Config commits are not synced properly because 00vyos-sync is deleted by vyos-router
2024-03-05Merge pull request #3089 from jestabro/allocate-under-lockJohn Estabrook
http-api: T6069: fix allocation outside of thread lock
2024-03-05T2447: add configurable kernel boot option 'disable-power-saving'Christian Breunig
Lower available CPU C states to a minimum if this option set. This will set Kernel commandline options "intel_idle.max_cstate=0 processor.max_cstate=1".
2024-03-05http-api: T6069: fix allocation outside of thread lockJohn Estabrook
2024-03-05T6075: firewall and NAT: check if interface-group exists when using them in ↵Nicolas Fort
firewall|nat rules.