summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-02-12T4999: Backport vyos util dict_search_recursiveViacheslav Hletenko
Backport "dict_search_recursive" from vyos.util 1.4 to 1.3 data = { 'interfaces': {'dummy': {'dum0': {'address': ['192.0.2.17/29']}}, 'ethernet': {'eth0': {'address': ['2001:db8::1/64', '192.0.2.1/29'], 'description': 'Test123', 'duplex': 'auto', 'hw_id': '00:00:00:00:00:01', 'speed': 'auto'}, 'eth1': {'address': ['192.0.2.9/29'], 'description': 'Test456', 'duplex': 'auto', 'hw_id': '00:00:00:00:00:02', 'speed': 'auto'}}} } dict_search_recursive(data, 'hw_id') will yield both '00:00:00:00:00:01' and '00:00:00:00:00:02' as generator object.
2023-02-04Revert "login: T4975: Fixed broken CLI commands"Christian Breunig
This reverts commit 7b36c363cd5b0168bd83c399f50a0a360ba3ee58. A general solution is implemented in Commit ae9dde04 ("T4975: always sync() filesystem after commit").
2023-02-04T4975: always sync() filesystem after commitChristian Breunig
(cherry picked from commit 29a44a73c638cb22839aa32986de367231b6efe9)
2023-02-02login: T4975: Fixed broken CLI commandszsdc
User profile files are not saved to disk after configuration is fully applied. Because of this, after a fast system reset, profile files can be empty, and CLI is broken. This fix adds a `sync()` call after the user's configuration, which should protect from data loss and fix the problem with profiles.
2023-01-25container: T4947: backport missing port-range validatorChristian Breunig
2023-01-24Merge pull request #1773 from c-po/equuleusChristian Breunig
container: T4947: support mounting container volumes as ro or rw (equuleus backport)
2023-01-21validators: T4875: use file-path to replace validator 'interface-name'Christian Breunig
(cherry picked from commit f0bc6c62016d285f0645c4b3ba8b1451c40c637f)
2023-01-21container: T4947: support mounting container volumes as ro or rwChristian Breunig
Whenever a container is used and a folder is mounted, this happenes as read-write which is the default in Docker/Podman - so is the default in VyOS. A new option is added "set container name foo volume mode <ro|rw>" to specify explicitly if rw (default) or ro should be used for this mounted folder. (cherry picked from commit 275ea7303cfdb79c042da1b710622aee17a488a8)
2023-01-17T4906: Fix show vpn ipsec connections dataViacheslav Hletenko
We get incorrect data when shows connections As we get list of all connections we should compare the connection name with entries in list and set correct data if they match
2023-01-11webproxy: T4927: Changed restart to reload-or-restart in commitaapostoliuk
Changed restart to reload-or-restart in the commit. It allows to reload the config and not restart webproxy service during the commit. Backported from 1.4
2023-01-08ssh: T4922: extend verify() when both source-address and source-interface is ↵Christian Poessinger
used We need to ensure that source-address is assigned on source-interface before applying the configuration, else SSH client will have a hard time talking to someone. (cherry picked from commit d1ef90e1eb51334b99ad716969e17c7f257e1a39)
2023-01-08ssh: T4922: add source-interface support ssh-clientChristian Poessinger
(cherry picked from commit 87cc636bd2baf576a2a5ece7a4f8318eb4f69c2e)
2023-01-08ssh: T2651: use Debian style include directve for ssh_config.dChristian Poessinger
Commit 846e306700a ("ssh: T2651: add cli options for source address") added support for a basic SSH client option, but it grabbed the entire /etc/ssh/ssh_config file without the ability to make custom user adjustments via the /etc/ssh/ssh_config.d/ folder. This commit places the VyOS SSH options under /etc/ssh/ssh_config.d/ leaving the common override system alive. (cherry picked from commit 7763de6c4b93d3372ab3f4572d9fa6b7536102b3)
2022-12-30container: T578: backport podman from 1.4 development branchChristian Poessinger
2022-12-22Merge pull request #1722 from aapostoliuk/webproxybackportChristian Poessinger
T3810: Fixed all issues in T3810
2022-12-22T3810: Fixed all issues in T3810aapostoliuk
1. Added in script update webproxy blacklists generation of all DBs 2. Fixed: if the blacklist category does not have generated db, the template generates an empty dest category in squidGuard.conf and a Warning message. 3. Added template generation for local's categories in the rule section. 4. Changed syntax in the generation dest section for blacklist's categories 5. Fixed generation dest local sections in squidGuard.conf 6. Fixed bug in syntax. The word 'allow' changed to the word 'any' in acl squidGuard.conf 7. Backported all changes from 1.4 to 1.3 which were made in T3810 8. Fixed webproxy smoketest
2022-12-17Merge pull request #1259 from hensur/equuleus-ipv6-local-routeChristian Poessinger
backport: T4515: T4219: policy local-route6 and inbound-interface support
2022-12-17Merge pull request #1557 from initramfs/equuleus-fix-tcp-mssChristian Poessinger
firewall: T4709: fix firewall MSS clamping issues
2022-11-21T4812: Add op-mode Show vpn ipsec connectionsViacheslav Hletenko
Add op-mode CLI "show vpn ipsec connections" Add the ability to show all configured connections/tunnels and their states.
2022-11-15backport: T4815: Fix various name server config issuesYuxiang Zhu
This is a backport of https://github.com/vyos/vyos-1x/pull/1656. Note I also changed `ip-down.script.tmpl` to not wait for `systemctl stop dhcp6c@$iface.service`, because that command is slow and pppd will kill the ip-down script if it times out. I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch. Not sure if there is another mechanism to handle that functionality or it is missed.
2022-11-05dns: T4799: fix bug with not reloading powerdns configinitramfs
PowerDNS version 4.7 and above has changed the main process name from 'pdns-r/worker' to 'pdns_recursor'. This commit updates the process name check to use the new name. (cherry picked from commit ff09d4f47e5f54fad8258cd27fb0adfaa4c552b3)
2022-11-01strip-private: T4177: Fix for hiding private data token/url/bucketViacheslav
Add URL, token and bucket hidind data when is used function "strip-private" (cherry picked from commit f12d8b5a575f4b454426fe11f65b5add966ca53c)
2022-10-30keepalived: T4526: keepalived-fifo.py unable to load configSander Klein
keepalived-fifo.py cannot load the VyOS config because the script is started before the commit is completely finished. This change makes sure the script waits for the commit to be completed. It retries every 0.5 seconds. If the commit is still not completed it will continue as did the original implementation.
2022-09-26firewall: T4709: adjust TCP MSS clamping ranges and optionsinitramfs
This commit fixes MSS clamping ranges as well as reintroduces the clamp-mss-to-pmtu option value to clamp to PMTU instead.
2022-09-17wireguard: T4702: actively revoke peer if it gets disabledChristian Poessinger
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep beeing alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly. (cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
2022-09-15Merge pull request #1519 from c-po/t4630-equuleus-peth-macsecDaniil Baturin
T4630: disallow same source-interface for macsec and pseudo-ethernet
2022-09-14openvpn: T4679: Fix incorrect verify local and remote addressViacheslav Hletenko
In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists For example: set interfaces openvpn vtun2 local-address 2001:db8::1 set interfaces openvpn vtun2 remote-address 2001:db8::2 Check in the commit (v4loAddr == v4remAddr) <= both empty lists commit DEBUG: [] == [] or ['2001:db8::2'] == [] So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-04T4630: can not use same source-interface for macsec and pseudo-ethernetChristian Poessinger
A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface. set interfaces macsec macsec10 address '192.168.2.1/30' set interfaces macsec macsec10 security cipher 'gcm-aes-256' set interfaces macsec macsec10 security encrypt set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4' set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6' set interfaces macsec macsec10 source-interface 'eth1' commit set interfaces pseudo-ethernet peth0 source-interface eth1 commit Reuslts in FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private returned: exit code: 2 noteworthy: cmd 'ip link add peth0 link eth1 type macvlan mode private' returned (out): returned (err): RTNETLINK answers: Device or resource busy [[interfaces pseudo-ethernet peth0]] failed Commit failed (cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
2022-09-02bonding: T4668: fix live bonding member add or removeinitramfs
Fixes several bugs around bonding member interface states not matching the committed configuration, including: - Disabled removed interfaces coming back up - Newly added disabled interfaces not staying down - Newly added interfaces not showing up in the bond
2022-09-02bonding: T4668: refactor configuration mode interface bonding scriptinitramfs
Refactor interfaces-bonding.py to simplify existing code and to remove potentially bugprone sections in preparation for member add/remove fixes for T4668.
2022-08-19ethernet: T4538: fix wrong systemd unit used for EAPoLChristian Poessinger
When MACsec was bound to an ethernet interface and the underlaying source-interface got changed (even description only) this terminated the MACsec session running on top of it. The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed lead to the fact that wpa_supplicant was always stopped when anything happened on the underlaying source-interface that was not related to EAPoL. (cherry picked from commit f92a23ef9ab8be59681e5b7ba627e399d89bce53)
2022-08-15openconnect: T4616: bugfix KeyError: 'local_users'Christian Poessinger
To reproduce: set vpn openconnect authentication mode local commit Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 147, in <module> verify(c) File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 64, in verify if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]: KeyError: 'local_users'
2022-08-15macsec: T4592: can not create two interfaces using the same source-interfaceChristian Poessinger
(cherry picked from commit 993961f60ead2a18912eb577b1152463d4eb8b4e)
2022-08-15macsec: T4537: remove debug falg "-d" from systemd service fileChristian Poessinger
(cherry picked from commit fa25d349aebc86e43957f37db765787fb7e431db)
2022-08-15macsec: T4537: supply PID path via systemd service file to daemonChristian Poessinger
(cherry picked from commit 5e919d3f91bccaf64878a94756c21766896db132)
2022-08-15macsec: T4537: restart wpa_supplicant on errorChristian Poessinger
(cherry picked from commit b2ff1407330e383a9fff688376377efc534bcfbc)
2022-08-15macsec: T2023: fixup systemd unit descriptionChristian Poessinger
(cherry picked from commit bc70c1f502bc587627b1bd15f6803c6c09d20a66)
2022-08-15macsec: T4537: support online ciper and source-interface re-configurationChristian Poessinger
(cherry picked from commit 82d8494d349edd7707c3811a71ca0e9c0648204e)
2022-08-13Fix missing dict_search import in interfaces-macsec.pyDaniil Baturin
2022-08-04Merge pull request #1450 from c-po/bridge-fixes-equuleusChristian Poessinger
bridge: bugfixes for equuleus
2022-08-01macsec: T3368: check key length for gcm-aes-128/gcm-aes-256Christian Poessinger
(cherry picked from commit a09359828e38c5b51a4579af16b5ea263a98233f)
2022-08-01router-advert: T4582: fix preferred cannot equal valid lifetimeinitramfs
Allows preferred lifetime for prefix advertisements to equal the configured valid lifetime as per RFC 4861. (cherry picked from commit f6efe3035d352970dc492450c3c9ddf710dda5fe)
2022-07-31bridge: T4579: cleanup interface dict (remove empty keys)Christian Poessinger
(cherry picked from commit 54227591a0eb3c7aa8c896c6ec8b1826ce070ddf)
2022-07-24Merge pull request #1416 from sever-sever/T2763-eqDaniil Baturin
snmp: T2763: Add protocol TCP for service SNMP
2022-07-18Merge pull request #1406 from c-po/equuleus-interface-fixesDaniil Baturin
equuleus: Bond and Bridge interface fixes + new smoketests
2022-07-18interfaces: T4525: interfaces can not be member of a bridge/bond and a VRFChristian Poessinger
(cherry picked from commit 81e0f4a8dece85da7169ba05448e870206aaf57b)
2022-07-18bond: bridge: T4534: error out if member interface is assigned to a VRF instanceChristian Poessinger
It makes no sense to enslave an interface to a bond or a bridge device if it is bound to a given VRF. If VRFs should be used - the encapuslating/master interface should be part of the VRF. Error out if the member interface is part of a VRF. (cherry picked from commit 87d2dff241d9ab4de9f3a2c7fbf9852934557aef)
2022-07-18vrf: T4527: Prevent to create VRF with reserved namesViacheslav Hletenko
VRF names: "add, all, broadcast, default, delete, dev, get, inet, mtu, link, type, vrf" are reserved and cannot be used for vrf name (cherry picked from commit 52342f389af2da2995b858d026e6fbcad5c8bfaa)
2022-07-18vyos.configdict(): T4228: is_member() must use the "real" hardware interfaceChristian Poessinger
When is_member() is inspecting the bridge/Bond member interfaces it must work with the real interface (e.g. eth1) under the "ethernet" node and not work on the "member interface eth1" CLI tree, that makes no sense at all. (cherry picked from commit 3915791216998a18bf6831450df68ee199e2e4f8)
2022-07-15snmp: T2763: Add protocol TCP for service SNMPViacheslav Hletenko
Ability to listen TCP port for service SNMP set service snmp protocol tcp