summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2021-09-03login: T971 allow quoting in public-keys optionsPaul Lettington
This patch allows the use of `"` in ssh public-key options which unlocks the ability to set the `from` option in a way that sshd will accept to limit what hosts a user can connect from.
2021-09-03bgp: T3798: add support for neighbor local-as <n> replace-asChristian Poessinger
2021-09-02tunnel: T3788: Add check keys for ipip and sitViacheslav
Keys are not allowed with ipip and sit tunnels
2021-09-02login: T3792: bugfix for usernames containing a hyphenChristian Poessinger
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius: T3192: migrate to get_config_dict()") the user-name was not excluded from mangling (no_tag_node_value_mangle=True). This resulted in a username "vyos-user" from CLI to be actually created as "vyos_user" on the system. This commit also adds respective Smoketests to prevent this in the future.
2021-09-02login: radius: T3192: drop workaround required by get_config_dict()Christian Poessinger
The workaround is no longer required, as the issue was resolved in get_config_dict() so if it is a <multi/> node, a list is always returned.
2021-09-02op-mode: T1376: speed up tab-completion for DHCP pool listingChristian Poessinger
Commit 9f20bee81c ("T1376: improve show_dhcp and show_dhcpv6") added the tab completion helper to list the availbale IP pools to query. This was done by calling a python script which then called cli-shell-api which resulted in a penalty by the Python interpreter startup. This can be solved by directly using the cli-shell-api wrapper available as <path> in op-mode - as also seen for DHCPv6.
2021-09-01Merge pull request #986 from sever-sever/T2920Christian Poessinger
tunnel: T2920: Add checks tun with same source addr and keys
2021-09-01tunnel: T2920: Add checks tun with same source addr and keysViacheslav
2 tunnels with the same local-address should has different keys Check existing tunnels (source-address key) with new tunnel.
2021-08-31vyos.ethtool: T3163: purify code to read and change flow-control settingsChristian Poessinger
It makes no sense to have a parser for the ethtool values in ethtool.py and ethernet.py - one instance ios more then enough!
2021-08-31ethernet: T3163: only change ring-buffer settings if requiredChristian Poessinger
Only update the RX/TX ring-buffer settings if they are different from the ones currently programmed to the hardware. There is no need to write the same value to the hardware again - this could cause traffic disruption on some NICs.
2021-08-31ethernet: T2241: check if interface supports changing speed/duplex settingsChristian Poessinger
Not all interface drivers have the ability to change the speed and duplex settings. Known drivers with this limitation are vmxnet3, virtio_net and xen_netfront. If this driver is detected, an error will be presented to the user.
2021-08-31ssh: T3789: add custom validator for base64 encoded CLI dataChristian Poessinger
SSH keys used for remote login are supplied as base64 encoded data on the CLI. The key is not validated, thus an invalid copy/pasted key will render the login useless. This commit adds a custom and re-usable validator which check if the data is properly base64 encoded.
2021-08-31ethernet: T3514: bail out early on invalid adapter speed/duplex settingChristian Poessinger
Ethernet adapters have a discrete set of available speed and duplex settings. Instead of passing every value down to ethtool and let it decide, we can do this early in the VyOS verify() function for ethernet interfaces.
2021-08-30Merge pull request #984 from sever-sever/T3786Christian Poessinger
tunnel: T3786: Add checks for source any and not key
2021-08-30ethernet: T3787: remove deprecated UDP fragmentation offloading optionChristian Poessinger
Deprecated in the Linux Kernel by commit 08a00fea6de277df12ccfadc21 ("net: Remove references to NETIF_F_UFO from ethtool."). (cherry picked from commit f5e46ee6cc2b6c1c1869e26beca4ccd5bf52b62f)
2021-08-30ethernet: T3619: fix VyOS 1.2 -> 1.3 performance degradationChristian Poessinger
An analysis of the code base from VyOS 1.2 -> 1.3 -> 1.4 revealed the following "root-cause" VyOS 1.2 uses the "old" node.def file format for: * Generic Segmentation Offloading * Generic Receive Offloading So if any of the above settings is available on the configuration CLI, the node.def file will be executed - this is how it works. By default, this CLI option is not enabled in VyOS 1.2 - but the Linux Kernel enables offloading "under the hood" by default for GRO, GSO... which will boost the performance for users magically. With the rewrite in VyOS 1.3 of all the interface related code T1579, and especially T1637 this was moved to a new approach. There is now only one handler script which is called whenever a user changes something under the interfaces ethernet tree. The Full CLI configuration is assembled by get_interface_dict() - a wrapper for get_config_dict() which abstracts and works for all of our interface types - single source design. The problem now comes into play when the gathered configuration is actually written to the hardware, as there is no GSO, GRO or foo-offloading setting defined - we behave as instructed and disable the offloading. So the real bug originates from VyOS 1.2 and the old Vyatta codebase, but the recent XML Python rewrites brought that one up to light. Solution: A configuration migration script will be provided starting with VyOS 1.3 which will read in the CLI configuration of the ethernet interfaces and if not enabled, will query the adapter if offloading is supported at all, and if so, will enable the CLI nodes. One might say that this will "blow" the CLI configuration but it only represents the truth - which was masked in VyOS 1.2. (cherry picked from commit a515212f4efb08846df04405f31a828edcd63552)
2021-08-30ethernet: T3619: rename interfaces migration scriptsChristian Poessinger
VyOS 1.4 already had a migrator for interfaces 20 -> 21, but this is a different one compared to the one in VyOS 1.3 - thus we bump every migration scripts version by one to have the same 20-to-21 converter in both VyOS 1.3 and 1.4. This is possible as VyOS 1.4 (sagitta) is still a highly experimental version and expected to break from time to time :(.
2021-08-30tunnel: T3786: Add checks for source any and not keyViacheslav
2021-08-29wireguard: T3763: The port availability check fixzsdc
Check a port availability only if it was changed in current commit. This should protect from fail-positive errors when other parameters change for an interface.
2021-08-29wireguard: T3763: Fixed uninitialized port issuezsdc
The commit fixes the problem, when port availability check is triggered even if a port for WireGuard interface is not defined (randomized port, default behavior).
2021-08-29ospf: T3236: remove debug print() statementChristian Poessinger
2021-08-29ospf: T3236: add possibility to redistribute "table"Christian Poessinger
Add new CLI command: * "set protocols ospf redistribute table <n>"
2021-08-29isis: T3783: bugfix configuring spf-delay-ietfChristian Poessinger
Mandatory FRR options for spf-delay-ietf did not get rendered in the Jinja2 template.
2021-08-28Merge pull request #980 from zdc/T3763-sagittaChristian Poessinger
wireguard: T3763: Added check for listening port availability
2021-08-26vyos.util: T3763: Optimized the check_port_availability functionzsdc
`print` was removed or replaced to `ValueError`, where possible.
2021-08-26ipsec: T1210: support road-warrior IP assignment via RADIUS Framed-IP-AddressChristian Poessinger
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a "radius" option.
2021-08-26op-mode: frr: T1514: add possibility to restart isis daemonChristian Poessinger
(cherry picked from commit b4b2c91127289c7b62afb24304054d57357a48c5)
2021-08-26wireguard: T3763: Added check for listening port availabilityzsdc
Each wireguard interface requires a unique port for in and out connections. This commit adds the new `vyos.util` function - `check_port_availability`, and uses it to be sure that a port that is planned to be used for wireguard interface is truly available and not used by any other services (not only other wireguard interfaces).
2021-08-26ipsec: T3780: shutting down vti when tunnel is downkrox2
2021-08-25Merge pull request #977 from dmbaturin/no-system-integrityChristian Poessinger
T3773: delete the original "show system integrity" command
2021-08-24op-mode: T2223: drop dead code "get_vrrp_intf()"Christian Poessinger
2021-08-24T3773: delete the original "show system integrity" commandDaniil Baturin
2021-08-24bgp: T3759: "l2vpn evpn" and ipv4/ipv6 safi route-targets differChristian Poessinger
The "l2vpn evpn" address-family route-target command only accepts a single route-target value consisting of (A.B.C.D:MN|EF:OPQR|GHJK:MN). The "ipv4-unicast or ipv6-unicast" address-family route-target command for VPNs support multiple, whitespace separated route-target values. This commit adds a new custom validator named "bgp-route-target" with a --single and a --multi option to pass one or more route-target values.
2021-08-24container: T3769: remove container when marked as "disable"Christian Poessinger
2021-08-24policy: T2425: rename validator large-community-list -> bgp-large-community-listChristian Poessinger
... as we will get another bgp route-target validator soon.
2021-08-24container: T3769: disable bridge "hairpinMode" modeChristian Poessinger
After commit 209ce3d9 ("container: T3769: when container networks are used, always bridge the networks") IP masquerading (NAT) was disabled. No need to keep the haipin flag.
2021-08-23container: T3769: when container networks are used, always bridge the networksChristian Poessinger
As VyOS is a network operation system with bridging and NATing available from the VyOS CLI, it makes no sense to let podman do it's own sort of "NAT". If one really want's to NAT into a container, use the VyOS CLI to do so. If you wan't to bridge your networks, use the VyOS CLI to do so.
2021-08-23container: T2216: add option to "disable" a containerChristian Poessinger
2021-08-23container: T2216: verify() volume pathsChristian Poessinger
Volumes must have both a source and destination path specified. Also the source path must exist on the current system.
2021-08-23container: T2216: bugfix ValueError when assembling volumesChristian Poessinger
A call to .items() was missing that triggered the following error: ValueError: too many values to unpack (expected 2)
2021-08-23container: T2216: no need to query container statusChristian Poessinger
As VyOS CLI is the only truth for dealing with containers we do not need to query if a container is running, exists or what so ever. We simply always restart it if something changes and do not rely on the underlaying Linux status. If a users does container stuff under the hood - it will be overridden.
2021-08-23ipsec: T1210: use ConfigTreeQuery() instead of Config() from op-modeChristian Poessinger
2021-08-23pki: T3642: use ConfigTreeQuery() instead of Config() from op-modeChristian Poessinger
2021-08-23container: T2216: op-mode now supports updating the image for a given containerChristian Poessinger
2021-08-23container: T2216: increase sysctl inotify watchersChristian Poessinger
2021-08-23containers: T2216: restructure container_base_cmd to have image name at the endChristian Poessinger
2021-08-23containers: T2216: add CLI commands to specify restart behavior and memory usageChristian Poessinger
A container is limited to 256MB memory by default and will always restart on failure.
2021-08-23containers: T2216: xml: impove help string for address commandChristian Poessinger
2021-08-23containers: T2216: add missing verify() step on environment variablesChristian Poessinger
A environment variable MUST always have a value specified. Non existing values will cause the following error: Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/containers.py", line 269, in <module> apply(c) File "/usr/libexec/vyos/conf_mode/containers.py", line 224, in apply env_opt += " -e ".join(f"{k}={v['value']}" for k, v in container_config['environment'].items()) File "/usr/libexec/vyos/conf_mode/containers.py", line 224, in <genexpr> env_opt += " -e ".join(f"{k}={v['value']}" for k, v in container_config['environment'].items()) KeyError: 'value'
2021-08-21pppoe: T3090: migrate to vyos.ifconfig library to use the full potentialChristian Poessinger
Now that MSS clamping is done on the "per-interface" level the entire PPPoE stuff would have needed to get a full copy in GNU BASH for this or, participate in the common library. Add a new PPP ip-up script named 99-vyos-pppoe-callback which will call the vyos.ifconfig.PPPoEIf.update() function to configure everything as done with all other interfaces. This removes duplicated code for VRF assignment and route installation when a PPPoE interface is brought up or down.