summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-11-20init: T5577: clear mandatory and optional RADIUS/TACACS PAM settingsChristian Breunig
This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and 'optional' modes for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added 'mandatory' and 'optional' modes for TACACS+"). As those new services should also be cleaned during system boot.
2023-11-20pam: T5577: Improved PAM configs for RADIUS and TACACS+zsdc
After sources analysis, we found the next possible return statuses for PAM modules: 1. pam_tacplus Auth: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BUF_ERR - PAM_CRED_INSUFFICIENT - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Account: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Session: - PAM_AUTHINFO_UNAVAIL - PAM_SESSION_ERR - PAM_SUCCESS - PAM_USER_UNKNOWN 2. pam_radius_auth Auth: - PAM_ABORT - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN Account: - PAM_SUCCESS Session: - PAM_ABORT - PAM_AUTHINFO_UNAVAIL - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN PAM configurations were replaced with tuned versions to take this into account.
2023-11-20TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-20RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-18T5749: Swap show interfaces and show interfaces summaryViacheslav Hletenko
By default show VRF, MAC, MTU for `show interfaces` The original `show interfaces` moved to `show interfacces summary` (cherry picked from commit 056885c02b8671279808c226a759de6c5356f578)
2023-11-16T3983: show pki certificate Doesnt show x509 certificatesJeffWDH
(cherry picked from commit 36de14913e0f4370d7c4e2828032a5378d3bba77)
2023-11-16Merge pull request #2489 from vyos/mergify/bp/sagitta/pr-2476Christian Breunig
pim(6): T5733: add missing FRR related features (backport #2476)
2023-11-16T5747: op-mode add MAC and MTU for show interfaces summaryViacheslav Hletenko
Add op-mode "show interfaces summary" Add MAC, VRF and MTU options: vyos@r4# run show interfaces summary Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- dum0 203.0.113.1/32 96:44:ad:c5:a1:a5 default 1500 u/u eth0 192.168.122.14/24 52:54:00:f1:fd:77 default 1500 u/u WAN eth1 192.0.2.1/24 52:54:00:04:33:2b foo 1500 u/u LAN-eth1 eth2 - 52:54:00:40:2e:af default 1504 u/u LAN-eth2 eth3 - 52:54:00:09:a4:b4 default 1500 A/D (cherry picked from commit dc3906f04fbfe8014531e092a77c1c8c2d10dfe0)
2023-11-15pim: T5733: incorporate feedback from peer reviewChristian Breunig
(cherry picked from commit 64b4cfc71d402222fd6b034336b3588b5986ba24)
2023-11-15pim6: T5733: add missing FRR PIM6 related featuresChristian Breunig
(cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c) # Conflicts: # data/templates/frr/pim6d.frr.j2 # interface-definitions/protocols-pim6.xml.in # smoketest/scripts/cli/test_protocols_pim6.py # src/conf_mode/protocols_pim6.py
2023-11-15pim: T5733: fix CLI level of global PIM commandsChristian Breunig
(cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)
2023-11-15igmp: T5736: migrate "protocols igmp" to "protocols pim"Christian Breunig
IGMP and PIM are two different but related things. FRR has both combined in pimd. As we use get_config_dict() and FRR reload it is better to have both centrally stored under the same CLI node (as FRR does, too) to just "fire and forget" the commit to the daemon. "set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp" (cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)
2023-11-15pim: T5733: add missing FRR PIM related featuresChristian Breunig
Migrate CLI configuration retrival to common get_config_dict(). In addition add new functionality to VyOS that is PIM related and already available in FRR. (cherry picked from commit 9abc02edcc237760f1f8aa1b3f08d7f4d18f866c) # Conflicts: # python/vyos/frr.py # src/op_mode/restart_frr.py
2023-11-15T5732: generate firewall rule-resequence drops geoip country-code from outputJeffWDH
(cherry picked from commit aa7a5131a5d1bd901ffdc7670a62bad8218147ab)
2023-11-15Merge pull request #2474 from vyos/mergify/bp/sagitta/pr-2435Christian Breunig
mtr: T5658: Add VRF support for mtr (+ op_mode wrapper) (backport #2435)
2023-11-14T5729: T5590: T5616: backport to sagita fwall marks, fix on firewall logs ↵Nicolas Fort
parsing, and migration to valueless node for log and state matchers
2023-11-12op-mode: T5658: fix "monitor traceroute" completion helperChristian Breunig
(cherry picked from commit c0de93d37354ec89f44dde7f1b5a4c8af550a019)
2023-11-12op-mode: T5658: reduce amount of exposed optionsChristian Breunig
Example: we should focus on JSON output and not expose XML and CSV. (cherry picked from commit b8e9daf12eaef46747e7379042f8acd575e5b1d6)
2023-11-12T5658: add common methods interface_list() and vrf_list() to vyos.utils.networkChristian Breunig
Reduce amount of duplicated (3 times) code in op-mode scripts for ping, traceroute and mtr. (cherry picked from commit 7b27a20c8664460482301cc8d7554048f152485e)
2023-11-12op-mode: T5658: add VRF support for "monitor traceroute"bbabich
(cherry picked from commit 07ecc0c33fb32878cac25ec84f2f3a977588f0dd)
2023-11-11dhclient: T5724: run user hooks using run_hookdirgavol
User hooks are executed using run_hookdir (defined in the /sbin/dhclient-script script) instead of run-parts. That allows user hooks to modify variables set by the dhcp client (e.g., the new_routers variable to avoid the installation of the default routes). (cherry picked from commit 645a0e768e27912a3f46d00de31d0fc79b6fd463)
2023-11-09T1797: Delete VPP from vyos-1x as it is implemented in addonViacheslav Hletenko
(cherry picked from commit 59c8d5febb2b1333643372f8956fa8f219d022cb)
2023-11-07T5559: Add static neighbor-proxy featureViacheslav Hletenko
Ability to set ip neigbhor proxy set protocols static neighbor-proxy arp 192.0.2.1 interface 'eth0' set protocols static neighbor-proxy arp 192.0.2.2 interface 'eth0' set protocols static neighbor-proxy nd 2001:db8::1 interface 'eth1' (cherry picked from commit c56af995b6e3d867c2a67deeb4be79e498f0a7cf)
2023-11-07Merge pull request #2455 from vyos/mergify/bp/sagitta/pr-2437Christian Breunig
T5713: Strip string after "secret" in IPSEC configs (backport #2437)
2023-11-07Merge pull request #2456 from vyos/mergify/bp/sagitta/pr-2436Christian Breunig
T5706: Add custom systemd udev rules to exclude dynamic interfaces (backport #2436)
2023-11-07T5706: Add custom systemd udev rules to exclude dynamic interfacesViacheslav Hletenko
Add custom systemd udev rules to exclude some regular and dynamic interfaces from "systemd-sysctl" calls. It fixes high CPU utilization (100%) as we have a lot of calls per interface for dynamic interfaces like ppp|ipoe|sstp etc. /lib/systemd/systemd-udevd should not be called for those interfaces (cherry picked from commit ca9cc86233520eb495c17602bf7a110094c1d8e7)
2023-11-07T5713: only strip "secret" CLI node and nothing elseChristian Breunig
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had good intention but this will happen: use-secret foo CLI node will become " secret xxxxxx" so the output of strip-private invalidates the configuration. This has been changed to an exact match of "secret" only (cherry picked from commit 863af115df853987dd8ad25ecef3f0ea58485e83)
2023-11-07T5713: Strip string after "secret" in IPSEC configRageLtMan
Make "strip-private" strip the string after "secret" (cherry picked from commit 30eb308149f24b7f15aa3e40ced6918a8a3a04b8)
2023-11-07T5720: Fix for PPPoE-server adding new interfacesViacheslav Hletenko
If we add a new interface for PPPoe-server we MUST restart the `accel-ppp@pppoe.service` as `reload` is not implemented for accel-ppp daemon Otherwise we have listen interface in the /run/accel-pppd/pppoe.conf which does not work (cherry picked from commit ffda9068b22e2d8a6841fcd8cdf62bbe266ea02c)
2023-11-07Merge pull request #2444 from vyos/mergify/bp/sagitta/pr-2416Christian Breunig
T5698 EVPN ESI Multihoming (backport #2416)
2023-11-06bond: T5698: add support for EVPN MultihomingChristian Breunig
set interfaces bonding bond10 evpn es-df-pref '50' set interfaces bonding bond10 evpn es-id '10' set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab' set interfaces bonding bond10 member interface 'eth3' set interfaces bonding bond10 mode '802.3ad' (cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
2023-11-06vxlan: T3700: add bridge dependency call when altering member interfacesChristian Breunig
Commit 7f6624f5a6f8bd ("vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridges") added support for Single VXLAN Device (SVD) containers supported by the Linux Kernel. When working with bridge VIFs it turned out that when deleting a VIF all the VXLAN tunnel mappings got deleted, too. In order to avoid this, if the bridge has a VXLAN member interface which vlan-to-vni mapping enabled, we add a dependency that we call VXLAN conf-mode script after messing arround with the bridge VIFs and re-create tunnel mappings. (cherry picked from commit fdf7f3a05edbaaf8aeca7e24a9980d5af67dca18)
2023-11-06T5541: firewall: fix ZBF template and ruleset generation for loca-zone rules.Nicolas Fort
2023-11-03Merge pull request #2429 from vyos/mergify/bp/sagitta/pr-2423Viacheslav Hletenko
T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)
2023-11-03Merge pull request #2432 from nicolas-fort/T5513-fwall-show-sagittaDaniil Baturin
T5513: firewall - op-mode command backport
2023-11-03wireguard: T5707: remove previously deconfigured peerChristian Breunig
Changing the public key of a peer (updating the key material) left the old WireGuard peer in place, as the key removal command used the new key. WireGuard only supports peer removal based on the configured public-key, by deleting the entire interface this is the shortcut instead of parsing out all peers and removing them one by one. Peer reconfiguration will always come with a short downtime while the WireGuard interface is recreated. (cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
2023-11-02T5513: opmode command show firewall - Manual backportNicolas Fort
2023-11-02T4726: Remove accel-ppp RADIUS vendor validatorsViacheslav Hletenko
The vendor name could contain Uppercase or lowercase symbols and not rely on the dictionary name but on dictionary value / # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor VENDOR Cisco 9 Another example VENDOR Alcatel-IPD 6527 This way if we use `vendor=cisco` instead of `vendor=Cisco` it will not work at all Delete vendor validators (cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)
2023-11-01T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-10-31vxlan: T5668: add CLI knob to enable ARP/ND suppressionChristian Breunig
In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions [1] that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host. In Linux, the above is implemented in the bridge driver using a per-port option called "neigh_suppress" that was added in kernel version 4.15. [1] https://www.rfc-editor.org/rfc/rfc7432#section-10 (cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
2023-10-30vxlan: T5699: migrate "external" CLI know to "parameters external"Christian Breunig
As we have a bunch of options under "paramteres" already and "external" is clearly one of them it should be migrated under that node as well. (cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
2023-10-30Merge pull request #2400 from vyos/mergify/bp/sagitta/pr-2355Viacheslav Hletenko
T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
2023-10-29op-mode: T5661: remove call to sudo in ssh.py and move it to XML definitionChristian Breunig
Try to have as few calls to sudo in the op-mode scripts as possible. The XML definitions can deal with it. (cherry picked from commit 428dee29d36cc3629990ec41afef887821886834)
2023-10-28T5661: Add show ssh dynamic-protection and show log ssh dynamic-protectionJeffWDH
2023-10-28T5653: Command to display SSH server fingerprintJeffWDH
2023-10-25T5683: Fix reverse-proxy PKI filenames mismatchViacheslav Hletenko
The current named for certificates are hardcoded in generated config to: - ca.pem - cert.pem.key - cert.pem It cause a generated config certificates and certificates itself are different (test-cert-1.pem and ca.pem) bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem /run/haproxy/ca.pem It is a bug of initial impelemtation. Fix required correct names from PKI certificates (cherry picked from commit 0431f1b32c1fc90de82adea5a7e63dad1416c340)
2023-10-25T5497: Add ability to resequence rule numbers for firewallJeffWDH
Updated spacing. (cherry picked from commit f39a35338ac967381356f8b9b499ec1d730653fc)
2023-10-25T5497: Add ability to resequence rule numbers for firewallJeffWDH
(cherry picked from commit 5180622cd6c928812a644f427d65acae763c37cc)
2023-10-24T5643: nat: add interface-groups to nat. Use same cli structure for ↵Nicolas Fort
interface-name|interface-group as in firewall. (cherry picked from commit 2f2c3fa22478c7ba2e116486d655e07df878cdf4)
2023-10-23T5677: lldp shows empty platform if descr not in lldpctl outputAdam Smith
(cherry picked from commit fca8cce1c114f28cf2db8a0fe2ed7f8b37ea010c)