summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-01-22firewall: T5729: T5681: T5217: backport subsystem from current branchChristian Breunig
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
2024-01-18conntrack: T5376: T5779: backport from currentChristian Breunig
Backport of the conntrack system from current branch. (cherry picked from commit fd0bcaf12) (cherry picked from commit 5acf5aced) (cherry picked from commit 42ff4d8a7) (cherry picked from commit 24a1a7059)
2024-01-17T5953: Changed values of 'close-action' to Strongswan valuesaapostoliuk
Changed the value from 'hold' to 'trap' in the 'close-action' option in the IKE group. Changed the value from 'restart' to 'start' in the 'close-action' option in the IKE group. (cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5)
2024-01-17image-tools: T5923: update system_console.py for new GRUB file structureJohn Estabrook
Add util function to set serial console speed in accordance with revised GRUB file structure; in keeping with the intentions of the config_mode script, adjust the GRUB var 'console_speed' to only modify ttyS0. (cherry picked from commit 5ceaff2ef970cb9c567ac317bafbffca5b073f4a)
2024-01-16T4658: Renamed DPD action value from 'hold' to 'trap'aapostoliuk
Renamed DPD action value from 'hold' to 'trap' (cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0)
2024-01-16T5889: Fix migration scripts nat 5-to-6Viacheslav Hletenko
The current migration drop interface name for NAT where not should ``` nat { source { rule 100 { outbound-interface { name "eth0" ... } } } ``` After migration we lost interface: /home/vyos# /opt/vyatta/etc/config-migrate/migrate/nat/5-to-6 tmp.conf /home/vyos# /home/vyos# cat tmp.conf | grep "nat {" -A 10 nat { source { rule 100 { outbound-interface { interface-name "" ... } } } ``` This commit fixes it. (cherry picked from commit 813237d9766f636394b9ab385bb825fbf83202b3)
2024-01-16bgp: T5937: fix migration script for IPv6 AFI peer-groupChristian Breunig
Migrate "bgp <ASN> neighbor <NEIGH> address-family ipv6-unicast peer-group" to "bgp neighbor <NEIGH> peer-group" (cherry picked from commit 9febed1344e93815dc3a94047daa69967c3af160)
2024-01-15ospf: T5936: when migrating passive interfaces set_tag() must be setChristian Breunig
(cherry picked from commit 495c3c3cc646c378746dc458f30da72c85f16dba)
2024-01-15Merge pull request #2827 from vyos/mergify/bp/sagitta/pr-2823Christian Breunig
T4856: Fix IPsec DHCP-client exit hook (backport #2823)
2024-01-15T5901: Add DHCP base_path dir during first bootViacheslav Hletenko
We should create dhclient base_path dir `/run/dhclient` during the first boot. It fixes cloud-init boot issues ``` /etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook: line 33: /run/dhclient/dhclient_eth0.lease: No such file or directory ``` (cherry picked from commit e613983721c48c13c2e6e73e7c4dbdbaa8e9eacf)
2024-01-15T4856: Fix IPsec DHCP-client exit hookViacheslav Hletenko
The script acually does not have the variable `secrets_lines` and secret lines itself does not have the marker `# dhcp:{interface}` in `to_find` Needs to rewrite this script in the future if it is required This commit fixes DHCP-client exit hook: ``` dhclient[6800]: NameError: name 'secrets_lines' is not defined root[6801]: /etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook returned non-zero exit status 1 ``` (cherry picked from commit a9cf7246d4450c8b3e1b749b36c3393b0963404b)
2024-01-15op-mode: T5944: remove double whitespace in reboot error messageChristian Breunig
(cherry picked from commit 01b7ae796e870be90d4e448100c5e7551d9767ec)
2024-01-14T5944: Fix reboot in argViacheslav Hletenko
Fix the arg for the `reboot in x` command The current arg is `--reboot_in [Minutes ...]` The expected arg is `--reboot-in [Minutes ...]` (cherry picked from commit 3b27d5bc97372c01cb02d4dd0cd3b0b6fa1c3d94)
2024-01-14bgp: T591: add SRv6 per address-family SID supportChristian Breunig
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575> set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575> (cherry picked from commit d7e248ba514108461ca9d5875c0be077c80ceca7)
2024-01-12T5857: Fix op-mode show interfaces wireless info unconf messageViacheslav Hletenko
When a router does not have wireless interfaces the proper unconfigured message must be exist (cherry picked from commit c97955b963ecc3da9638717485fe4d2c8599565c)
2024-01-12image-tools: T5910: explicitly set transmission speed of serial consoleJohn Estabrook
GRUB defaults to 9600 in case of serial console; explicitly set to 115200. (cherry picked from commit 70122bef58eaa0084695f89c410992f8d7c1f9f6)
2024-01-12bgp: T5306: fix verify_remote_as() to support v6only interface with peer-groupChristian Breunig
To test: set protocols bgp neighbor eth0 interface v6only peer-group 'fabric' set protocols bgp peer-group fabric address-family ipv4-unicast set protocols bgp peer-group fabric address-family ipv6-unicast set protocols bgp peer-group fabric capability extended-nexthop set protocols bgp peer-group fabric remote-as 'external' set protocols bgp system-as 64496 (cherry picked from commit 12e81dbb47b942b3d9a7a69189adefb5b176c4ef)
2024-01-11firewall: T5814: Retain legacy 'accept' behaviour and re-order migrationsarthurdev
Pre-1.4 firewall 'accept' action acted as a 'return'. This change ensures the migrated rules meet the expected behaviour. This commit also re-orders migrated in/out/local jumps ordered by direction instead of interface. (cherry picked from commit dc542f109460bca6453d1eeba9fe829aea38bb33)
2024-01-11ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemonChristian Breunig
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS. (cherry picked from commit 8c941e316035e56757d77b782cf39702c73546e0)
2024-01-11dns: T5791: use common pattern for exclude check of dynamic interfacesChristian Breunig
This uses a more common pattern froma base class while the original code from 0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is still retained. (cherry picked from commit e5ce4222c6e9b24d276625678db7339ada0c54ef)
2024-01-11T5915:firewall: re-add opmode command for zone based firewallNicolas Fort
(cherry picked from commit 62f10e0ec8075634e1515d6cecc822d87053bccb)
2024-01-11Merge pull request #2789 from vyos/mergify/bp/sagitta/pr-2777Christian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
2024-01-11Merge pull request #2794 from sarthurdev/T5787_sagittaChristian Breunig
dhcp: T5787: Prevent duplicate IP addresses on static mappings (backport)
2024-01-10image-tools: T5917: annotate image list with (running)/(default boot)John Estabrook
(cherry picked from commit 17a1d31299e8960d9eba528e04c418b4c1007eb2)
2024-01-10dhcp: T5787: Prevent duplicate IP addresses on static mappingssarthurdev
2024-01-10T5918: Fix typo in verify vpn ipsec interfaceViacheslav Hletenko
The correct CLI command is `interface` and not `interfaces` ``` set vpn ipsec interface xxx ``` (cherry picked from commit 8452d8f49216d224bc5d5751354414274982f5be)
2024-01-10T5688: Changed 'range' to multi in 'client-ip-pool' for accell-pppaapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script. (cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
2024-01-10T5916: Added segment routing check for index base size and SRGB base sizeCheeze_It
(cherry picked from commit cfb5b052c84ffba789d61a59350676b6b4a0a5f7)
2024-01-10Merge pull request #2783 from vyos/mergify/bp/sagitta/pr-2263Christian Breunig
T5530: isis: Adding loop free alternate feature (backport #2263)
2024-01-10T5530: isis: Adding loop free alternate featureCheeze_It
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
2024-01-10boot-config-loader: T1622: add missing groups to failsafe userChristian Breunig
This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe and back trace") and adds missing groups to the vyos user. Without this change the vyos user will only have operator (vyos@vyos>) privileges, even if this level is discontinued. One could hack himself up as the user has sudo rights, but rather place the user in the right groups from the beginning. NOTE: This user is only added if booted with "vyos-config-debug" and an error when the configuration can not be loaded at all. (cherry picked from commit 07e802a2d3f98cdf29928bf321cc8b89cb41766c)
2024-01-10pki: T5911: fix service update algorithm if certificate name contains a ↵Christian Breunig
hyphen (-) When testing for changed PKI certificates using node_changed(), we should not use key_mangling=('-', '_'), as this will make certificate updates with a hypen not possible. (cherry picked from commit fc6926fdf32a7bdf9f943c7818ee6ea4a8131fba)
2024-01-10https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement. (cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
2024-01-08ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()Christian Breunig
(cherry picked from commit 410458c00e6202dd9a5c52b3c5ac00a90db5bc53)
2024-01-08pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()Christian Breunig
This fixes a priority inversion when doing initial certificate commits. * pki subsystem is executed with priority 300 * vti uses priority 381 * ipsec uses priority 901 On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was yet not created leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!') The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added. This commit changes the "detection" based on the cerbot configuration on disk. (cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)
2024-01-08https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2024-01-06openvpn: T3214: warn when setting nopool and server-ipv6 is being usedAntonio Quartulli
Currently OpenVPN does not allow having an IPv6 subnet if 'nopool' was specified on the --server directive. For this eason warn if this specific configuration is being hit. This is probably something that should be fixed upstream, but for now we can't allow this combination of parameters. Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> (cherry picked from commit 7a0e40ce8df386c0ea2de84bce8fb6c81a0353ce)
2024-01-06openvpn: T3214: allow configuring server with v6 onlyAntonio Quartulli
Starting with v2.5.0 OpenVPN allows configuring a server with an IPv6 only tunnel. For this reason there is no need to depend on the existence of an IPv4 subnet anymore. Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> (cherry picked from commit 3072e507eb1cdc18cfe5429fd0c03d223d2576fe)
2024-01-04T5159: nat: add option to map network and ports. Feature used for large ↵Nicolás Fort
deployments in cgnat. (#2694) (cherry picked from commit 3fc76505d0642c32a3eae9c0ce6ab3dd2ec32dbd)
2024-01-04T5897: frr should be stopped before vyos-routerDate Huang
Signed-off-by: Date Huang <tjjh89017@hotmail.com> (cherry picked from commit 6d16ab081b70bc4ea837b66dfe032ec6bdb563d7)
2024-01-04configdict: T5894: add get_config_dict() flag with_pkiChristian Breunig
VyOS has several services relaying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary. (cherry picked from commit b152b52023ba0cf0d4919eae39e92de28a458917)
2024-01-03Merge pull request #2719 from c-po/sagitta-backports-accel-pppChristian Breunig
Backports for Accel-PPP based serviced T5801, T5842 and T5688
2024-01-03Merge pull request #2732 from vyos/mergify/bp/sagitta/pr-2728Christian Breunig
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces (backport #2728)
2024-01-02T5888: fix migration script in order to fit new type-names for icmp and icmpv6.Nicolas Fort
(cherry picked from commit 1ccb3e634d45d0d1a8e190297cc0a310cb0069d6)
2024-01-01T5688: Fixed ip pool migration scripts for l2tp, sstp, pppoeaapostoliuk
Fixed migration 'subnet' option in l2tp, sstp, pppoe. 'subnet' option can contain several values. (cherry picked from commit 21e5db430f93fd48ebc598ddf95c67d77485f5f5)
2024-01-01T5842: Rewritten PPTP to get_config_dictaapostoliuk
Rewritten PPTP to get_config_dict Fixed 'dynamic-author' commands. These commands did not create anything in accel-ppp config. (cherry picked from commit f39eb894d991d296a82c69d1ab783011b5d0ed2f)
2024-01-01T5801: Rewritten L2TP to get_config_dictaapostoliuk
Rewritten L2TP to get_config_dict Rewritten L2TP xml to accel-ppp patterns Migrated 'idle' to 'ppp-options.lcp-echo-timeout' Migrated 'authentication.mppe' to 'ppp-options.mppe' Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author' Migrated 'authentication.require' to 'authentication.protocol' Added 'authentication.radius.acct-interim-jitter' Added 'authentication.radius.preallocate-vif' Added 'authentication.radius.server.<IP>.acct-port' Added 'ppp-options.ipv4' Added smoke-tests Fixed 'preallocate-vif' in SSTP (cherry picked from commit 09e0a2ca035ee39a68a510b28cc74560669d0420)
2024-01-01Merge pull request #2734 from vyos/mergify/bp/sagitta/pr-2726Christian Breunig
login: T5875: restore home directory permissions only when needed (backport #2726)
2024-01-01login: T5875: restore home directory permissions only when neededChristian Breunig
This improves commit 3c990f49e ("login: T5875: restore home directory permissions when re-adding user account") in a way that the home directory owner is only altered if it differs from the expected owner. Without this change on every boot we would alter the owner which could increase the boot time if the home of a user is cluttered. (cherry picked from commit 1b364428f79b7e4588a000fca40582ef968fc7fd)