Age | Commit message (Collapse) | Author |
|
Missing comma in the list between services
'ssh', 'suricata' 'vrrp', 'webproxy'
Fix it
(cherry picked from commit a3ddd2cb8994deefd378951806b5dc35067d06a7)
|
|
Add ability to set the container network with a disable-dns setting to disable
the DNS plugin that is on be default.
set container network <network> no-name-server
(cherry picked from commit 1d5625d572cc25a9d53247b7c41177f17845b052)
|
|
(cherry picked from commit 7d20a52e02bec76474ca060fcb1eaeca52c52001)
|
|
During podman upgrade and a build from the original source the UNIX socket
definition for systemd got lost in translation.
This commit re-adds the UNIX socket which is started on boot to interact with
Podman.
Example:
curl --unix-socket /run/podman/podman.sock -H 'content-type: application/json' \
-sf http://localhost/containers/json
(cherry picked from commit f67e217f2716937115a3bdf6d316b172bbec75e5)
|
|
(cherry picked from commit d4b6bed84e5ac4214f2eae0e6ee7c1f4e0852222)
|
|
(cherry picked from commit 8500e8658ff10f52739143fd7814cf60c9195f16)
|
|
T6672: Fix system option ssh-client source-interface (backport #4000)
|
|
wireless: T6318: move country-code to a system wide configuration (backport #3656)
|
|
Wireless devices are subject to regulations issued by authorities. For any
given AP or router, there will most likely be no case where one wireless NIC is
located in one country and another wireless NIC in the same device is located
in another country, resulting in different regulatory domains to apply to the
same box.
Currently, wireless regulatory domains in VyOS need to be configured per-NIC:
set interfaces wireless wlan0 country-code us
This leads to several side-effects:
* When operating multiple WiFi NICs, they all can have different regulatory
domains configured which might offend legislation.
* Some NICs need additional entries to /etc/modprobe.d/cfg80211.conf to apply
regulatory domain settings, such as: "options cfg80211 ieee80211_regdom=US"
This is true for the Compex WLE600VX. This setting cannot be done
per-interface.
Migrate the first found wireless module country-code from the wireless
interface CLI to: "system wireless country-code"
(cherry picked from commit 9e22ab6b2aee48029d3455f65880e45c558cf1da)
|
|
(cherry picked from commit 5f780ebb7f1799eb9a93218bb83561db509c7e56)
Co-authored-by: Viacheslav Hletenko <v.gletenko@vyos.io>
|
|
Fix for system option ssh-client source-interface
For the `verify_source_interface` the key `ifname` if required
(cherry picked from commit f453b33a6056de8fc5145ca9e680361fbce68348)
# Conflicts:
# smoketest/scripts/cli/test_system_option.py
|
|
(cherry picked from commit 71d6d0fe31db13f4ddf5c75209b9bba88a1e0a32)
|
|
(cherry picked from commit 663e468de2b431f771534b4e3a2d00a5924b98fe)
|
|
(cherry picked from commit 69ab44309d56d73d92c2f8a7b0b4ca3016e61ff6)
|
|
configd: T6633: inject missing env vars for configfs utility (backport #3937)
|
|
configverify: T6642: verify_interface_exists requires config_dict arg (backport #3961)
|
|
(cherry picked from commit a9024f302fd9657a0e6ef274cfc1dedccaf9d1a3)
|
|
configd: T6640: enforce in_session returns False under configd (backport #3955)
|
|
The function verify_interface_exists requires a reference to the ambient
config_dict rather than creating an instance. As access is required to
the 'interfaces' path, provide as attribute of class ConfigDict, so as
not to confuse path searches of script-specific config_dict instances.
(cherry picked from commit 5f23b7275564cfaa7c178d320868b5f5e86ae606)
|
|
(cherry picked from commit ed63c9d1896a218715e13e1799fc059f4561f75e)
|
|
The CStore in_session check is a false positive outside of a config
session if a specific environment variable is set with an existing
referent in unionfs. To allow extensions when running under configd and
avoid confusion, enforce in_session returns False.
(cherry picked from commit 6543f444c42ff45e8115366256643186bf1dd567)
|
|
(cherry picked from commit 9979afa15650bd609399030da1751488baaac70b)
|
|
(cherry picked from commit 0162a27952d2166583a9e6aee2cd77b9c693062b)
|
|
(cherry picked from commit d5ae708581d453e2205ad4cf8576503f42e262b6)
|
|
(cherry picked from commit 4acad3eb8d9be173b76fecafc32b0c70eae9b192)
|
|
T6619: Remove the remaining uses of per-protocol FRR configs (backport #3916)
|
|
Functions called from config scripts outside of the standard functions
get_config/verify/generate/apply will not be called when run under
configd. Move as appropriate for the general config script structure and
the specific script requirements.
(cherry picked from commit aeb51976ea23d68d35685bdaa535042a05016185)
Co-authored-by: John Estabrook <jestabro@vyos.io>
|
|
(cherry picked from commit 31de01242a26dff8ff993061ea2f86102a8a7493)
Co-authored-by: John Estabrook <jestabro@vyos.io>
|
|
Move the remaining calls to check_kmod within a standard function,
with placement determined by the needs of the config script.
(cherry picked from commit 95eef73f1b002c8b9e8e769135ffed50c8ca6890)
|
|
(cherry picked from commit f2256ad338fc3fbaa9a5de2c0615603cd23e0f94)
|
|
(cherry picked from commit 4055090a8d4fd64288eab7ae41aa9440f5de4ece)
|
|
This command helps to generate users `.ovpn` files
Rewrite `generate openvpn client-config` to use Config()
It needs to get the default values as `ConfigTreeQuery` is
not supporting default values.
Fixed "ignores configured protocol type" if TCP is used
Fixed lzo, was used even if lzo not configured
Fixed encryption is not parse the dict
(cherry picked from commit fe50f1a9292b34e168b35453f2cfc2aee2ca4843)
|
|
(cherry picked from commit e97d86e619e134f4dfda06efb7df4a3296d17b95)
|
|
Removed unused pprint module
(cherry picked from commit cb1834742f4ed01d99d6396af8339dd59788ef65)
|
|
ipsec: T6148: Fixed reset command by adding init after terminating (backport #3763)
|
|
T6313: Add "NAT" to "generate" command for rule resequence (backport #3715)
|
|
ports
* Created op-mode command "restart serial console"
* Relocated service control to vyos.utils.serial helpers, used by conf- and
op-mode serial console handling
* Checking for logged-in serial sessions that may be affected by getty reconfig
* Warning the user when changes are committed and serial sessions are active,
otherwise restart services as normal. No prompts issued during commit,
all config gen/commit steps still occur except for the service restarts
(everything remains consistent)
* To apply committed changes, user will need to run "restart serial console"
to complete the process or reboot the whole router
* Added additional flags and target filtering for generic use of helpers.
(cherry picked from commit bc9049ebd76576d727fa87b10b96d1616950237c)
|
|
Strongswan does not initiate session after termination via vici.
Added an CHILD SAs initialization on the initiator side
of the tunnel.
(cherry picked from commit 8838b29180ccc26d2aca0c22c9c8ca5e274825b2)
|
|
(cherry picked from commit 142545b0535d0a994182389c99b7bcd6d7c37c24)
|
|
(cherry picked from commit 31acb42ecdf4ecf0f636f831f42a845b8a00d367)
|
|
iifname/oifname
When any of the following features NAT, NAT66 or Firewall is enabled, for every
VRF on the CLI we install one rule into nftables for conntrack:
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}
This is superfluous.
(cherry picked from commit d6e9824f1612bd8c876437c071f31a1a0f44af5d)
|
|
T6605: restore configd error formatting to be consistent with CLI (backport #3868)
|
|
(cherry picked from commit 115e99630a317cab62c6f99e0461f6ce2c1edaf3)
|
|
by TuneD (#3863)
(cherry picked from commit 7b82e4005724683c6311fab22358746f2cca4c1b)
Co-authored-by: Nataliia Solomko <natalirs1985@gmail.com>
|
|
(cherry picked from commit 645f24908c9b338adc56ecc83f8c44d0b0206550)
|
|
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF
actually exists. If this is not validated, one can pass an invalid VRF to the
system which generates an OSError exception.
To reproduce
set interfaces vxlan vxlan1 vni 1000
set interfaces vxlan vxlan1 remote 1.2.3.4
set interfaces vxlan vxlan1 vrf smoketest
results in
OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt
This commit adds the missing verify_vrf() call to the missing interface types
and an appropriate smoketest for all interfaces supporting VRF assignment.
(cherry picked from commit dd0ebffa33728e452ac6e11737c2283f0e390359)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit 79407cd5bbec3194a9b6542418229b33eab05121)
|
|
This was found during smoketesting as thoase started to repeadingly fail in the last weeks
File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py", line 534, in test_wireless_security_station_address
self.assertTrue(process_named_running('hostapd'))
AssertionError: None is not true
Digging into this revealed that this is NOT related to the smoketest coding but
to hostapd/systemd instead. With a configured WIFI interface and calling:
"sudo systemctl reload-or-restart hostapd@wlan1" multiple times in a short
period caused systemd to report:
"Jul 18 16:15:32 systemd[1]: hostapd@wlan1.service: Deactivated successfully."
According to the internal systemd logic used in our version this is explained by:
/* If there's a stop job queued before we enter the DEAD state, we shouldn't act on Restart=, in order to not
* undo what has already been enqueued. */
if (unit_stop_pending(UNIT(s)))
allow_restart = false;
if (s->result == SERVICE_SUCCESS)
s->result = f;
if (s->result == SERVICE_SUCCESS) {
unit_log_success(UNIT(s));
end_state = SERVICE_DEAD;`
Where unit_log_success() generates the log message in question.
Improve the restart login in the wireless interface script and an upgrade to
hostapd solved the issue.
(cherry picked from commit a67f49d99eda00998c425f9a663e138dbd0f7755)
|
|
Authored-By: Alain Lamar <alain_lamar@yahoo.de>
(cherry picked from commit d5e988ba2d0fa0189feff22374c9b46eb49e2e79)
|
|
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.
This commit moves the code path to the appropriate generate() function.
(cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482)
|