path: root/src
Age | Commit message | Author
2022-09-14 | openvpn: T4679: Fix incorrect verify local and remote address | Viacheslav Hletenko
    In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists.
    For example:
      set interfaces openvpn vtun2 local-address 2001:db8::1
      set interfaces openvpn vtun2 remote-address 2001:db8::2
    Check in the commit (v4loAddr == v4remAddr) <= both empty lists
      commit
      DEBUG: [] == [] or ['2001:db8::2'] == []
    So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-09 | Merge branch 'current' into standardize-show-system-storage | Christian Poessinger
2022-09-08 | system: T4682: standardize op-mode 'show system storage' | John Estabrook
2022-09-08 | system: T4681: convert 'show_uptime.py' script to standardized format | John Estabrook
2022-09-06 | graphql: T4674: print included op-mode error message, if it exists | John Estabrook
2022-09-06 | bridge: T4673: raise UnconfiguredSubsystem on non-existent bridge intf | John Estabrook
2022-09-03 | Merge pull request #1517 from initramfs/current-fix-bond-members | Christian Poessinger
    bonding: T4668: Fix bond members not adding/interface state incorrect
2022-09-02 | bonding: T4668: fix live bonding member add or remove | initramfs
    Fixes several bugs around bonding member interface states not matching the committed configuration, including:
    - Disabled removed interfaces coming back up
    - Newly added disabled interfaces not staying down
    - Newly added interfaces not showing up in the bond
2022-09-02 | bonding: T4668: refactor configuration mode interface bonding script | initramfs
    Refactor interfaces-bonding.py to simplify existing code and to remove potentially bug-prone sections in preparation for member add/remove fixes for T4668.
2022-09-01 | Merge pull request #1466 from sever-sever/T538 | Christian Poessinger
    nat: T538: Add static NAT one-to-one
2022-09-01 | Merge pull request #1513 from roedie/T4665 | Christian Poessinger
    T4665: Keepalived: Allow same VRID on interface
2022-09-01 | macvlan: T4663: Fix update mode for pethX interface | Viacheslav Hletenko
    Fix the issue when configured pseudo-ethernet interface cannot change self mode
2022-09-01 | T4665: Keepalived: Allow same VRID on interface | Sander Klein
    Using the same VRID on an interface is allowed as long as the address family is different (VRRPv2 vs VRRPv3)
2022-08-31 | nat: T538: Move nat configs to /run directory | Viacheslav Hletenko
2022-08-30 | firewall: T4655: implement XML defaultValue for name and ipv6-name | Christian Poessinger
    This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix default action 'drop' for the firewall") in a way that we can now also use the XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This is a much cleaner approach which also adds the default value automatically to the CLI's completion helper ("?").
2022-08-30 | Merge pull request #1505 from sever-sever/T4367 | Christian Poessinger
    nat: T4367: Move nat rules from /tmp to /run/nftables_nat.conf
2022-08-30 | Merge pull request #1508 from zdc/T4646-sagitta | Christian Poessinger
    console: T4646: Fixed USB console issues
2022-08-30 | console: T4646: Fixed USB console issues | zsdc
    * fixed the `systemctl restart` command that used a value from config instead converted to `ttyUSBX`
    * moved systemd units from `/etc/` to `/run/`
2022-08-29 | nat: T4367: Move nat rules from /tmp to /run/nftables_nat.conf | Viacheslav Hletenko
    Move nftables nat configuration from /tmp to /run
    As we have for other services like firewall, conntrack
    Don't remove the config file '/run/nftables_nat.conf' after commit
2022-08-27 | Merge pull request #1493 from jestabro/gql-op-mode-error | Christian Poessinger
    graphql: T4640: add schema defs and resolver support for op-mode errors
2022-08-27 | Merge pull request #1500 from aapostoliuk/T1070-sagitta | Christian Poessinger
    opennhrp: T1070: Fixed creating IPSEC tunnel to Hub
2022-08-27 | telegraf: T3872: replace local get_interfaces() function with Section.interface() | Christian Poessinger
    Commit cfde4b49 ("ifconfig: T2223: add vlan switch for Section.interfaces()") added the functionality of the local get_interfaces() function to the base class so all other parts in the system can query for interface names of a given type including or excluding their vlan sub-interfaces.
2022-08-26 | nat: nat66: T4650: Rewrite op-mode nat translation | Viacheslav Hletenko
    Rewrite op-mode "show nat|nat66 translation" to vyos.opmode format
    Ability to get machine-readable format "raw"
2022-08-26 | opennhrp: T1070: Fixed creating IPSEC tunnel to Hub | aapostoliuk
    Fixed creating IPSEC tunnel to Hub. Added continues of execution generator functions.
2022-08-25 | graphql: T4640: add schema defs and resolver support for op-mode errors | John Estabrook
2022-08-25 | Merge pull request #1458 from sever-sever/T4594 | Christian Poessinger
    ipsec: T4594: Rewrite op-mode 'show vpn ipsec sa' to the new format
2022-08-25 | ssh: T2185: use reload-or-restart on configuration changes | Christian Poessinger
2022-08-25 | ntp: T2185: use reload-or-restart on configuration changes | Christian Poessinger
2022-08-25 | telegraf: T4617: add VRF support | Christian Poessinger
2022-08-25 | Merge pull request #1497 from sever-sever/T4645 | Christian Poessinger
    op-mode: T4645: Show nat source statistics missing argument --family
2022-08-25 | op-mode: T4645: Show nat source stat missing argument --family | Viacheslav Hletenko
    As we use in commit 8d4205a9 argument '--family' for the function '_get_raw_data_rules(direction, family)' we must use it and for 'nat.py show_statistics' as it gets raw data from the same function
2022-08-25 | sstp: T4644: Check SSTP bind port before commit | Viacheslav Hletenko
    By default SSTP bind port '443' and this port can be used by another service like 'service https' or 'vpn openconnect'
    Check if port bound to another service
2022-08-24 | T4630: can not use same source-interface for macsec and pseudo-ethernet | Christian Poessinger
    A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface.
      set interfaces macsec macsec10 address '192.168.2.1/30'
      set interfaces macsec macsec10 security cipher 'gcm-aes-256'
      set interfaces macsec macsec10 security encrypt
      set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
      set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
      set interfaces macsec macsec10 source-interface 'eth1'
      commit
      set interfaces pseudo-ethernet peth0 source-interface eth1
      commit
    Results in
      FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
      returned:
      exit code: 2
      noteworthy:
      cmd 'ip link add peth0 link eth1 type macvlan mode private'
      returned (out):
      returned (err):
      RTNETLINK answers: Device or resource busy
      [[interfaces pseudo-ethernet peth0]] failed
      Commit failed
2022-08-24 | Merge pull request #1491 from sever-sever/T4626 | Christian Poessinger
    nat66: T4626: Rewrite op-mode show nat66 rules
2022-08-24 | Merge pull request #1490 from aapostoliuk/T1070-sagitta | Christian Poessinger
    opennhrp: T1070: Fixed removal all SAs in script
2022-08-24 | ipsec: T2185: use systemd to start/stop service | Christian Poessinger
2022-08-24 | Merge pull request #1486 from roedie/T4526-2 | Christian Poessinger
    keepalived: T4526: keepalived-fifo.py unable to load config
2022-08-24 | Merge pull request #1488 from sever-sever/T4597 | Christian Poessinger
    https: T4597: Verify bind port before apply HTTPS API service
2022-08-24 | Merge pull request #1489 from sever-sever/T4623 | Christian Poessinger
    conntrack: T4623: Add conntrack statistics for op-mode
2022-08-24 | nat66: T4626: Rewrite op-mode show nat66 rules | Viacheslav Hletenko
    Rewrite op-mode "show nat66 source|destination rules" to the new format
    use "show_rules --direction <direction> --family <inet|inet6>"
    Delete old script show_nat66_rules.py
2022-08-24 | opennhrp: T1070: Fixed removal all SAs in script | aapostoliuk
    Fixed removal all dmvpn SAs. Changed vici terminate by child-sa name on terminate by ike-id
2022-08-23 | graphql: T3993: reorganize/rename directory structure | John Estabrook
2022-08-23 | conntrack: T4623: Add conntrack statistics for op-mode | Viacheslav Hletenko
2022-08-23 | https: T4597: Verify bind port before apply HTTPS API service | Viacheslav Hletenko
    If Nginx address/port is already bound to another service (for example openconnect default port 443) https api cannot start and we don't see any error in the output.
    Add this check before applying service/commit
2022-08-22 | keepalived: T4526: keepalived-fifo.py unable to load config | Sander Klein
    keepalived-fifo.py cannot load the VyOS config because the script is started before the commit is completely finished. This change makes sure the script waits for the commit to be completed. It retries every 0.5 seconds. If the commit is still not completed it will continue as did the original implementation.
2022-08-22 | graphql: T4544: fix for directly running on system for testing | John Estabrook
2022-08-22 | graphql: T3993: add missing sys.exit() | John Estabrook
2022-08-20 | ocserv: T4597: Fix check bounded port by service itself | Viacheslav Hletenko
    We check listen port before commit service if is port available and not bound, but when we start openconnect our own port starts to be bound by "ocserv-main" process and next commit will fail as port is already bound.
    To fix it, extend check if port already bound and it is not our self process "ocserv-main"
2022-08-19 | ethernet: T4538: fix wrong systemd unit used for EAPoL | Christian Poessinger
    When MACsec was bound to an ethernet interface and the underlying source-interface got changed (even description only) this terminated the MACsec session running on top of it. The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed led to the fact that wpa_supplicant was always stopped when anything happened on the underlying source-interface that was not related to EAPoL.
2022-08-17 | nat: T538: Add static NAT one-to-one | Viacheslav Hletenko
    Ability to set static NAT (one-to-one) in one rule
      set nat static rule 10 destination address '203.0.113.0/24'
      set nat static rule 10 inbound-interface 'eth0'
      set nat static rule 10 translation address '192.0.2.0/24'
    It will be enough for PREROUTING and POSTROUTING rules
    Use a separate table 'vyos_static_nat' as SRC/DST rules and STATIC rules can have the same rule number