summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-09-19utils: T5239: add low-level read from config.bootJohn Estabrook
2023-09-18frr: T5239: use vyos.base.warning()Christian Breunig
2023-09-18Merge pull request #2276 from sarthurdev/conntrackViacheslav Hletenko
conntrack: T5571: Refactor conntrack using vyos.configdep
2023-09-18conntrack: T5217: Add tcp flag matching to `system conntrack ignore`sarthurdev
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i` - Update smoketest to verify TCP flag matching
2023-09-16nat: Remove deprecated kernel checksarthurdev
/usr/libexec/vyos/conf_mode/nat.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives from distutils.version import LooseVersion
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-09-15Merge pull request #2273 from sever-sever/T5586Christian Breunig
T5586: Disable by default SNMP for Keeplived VRRP service
2023-09-15Merge pull request #2185 from sever-sever/T5261-newViacheslav Hletenko
T5261: Add AWS load-balancing tunnel handler
2023-09-15T5586: Disable by default SNMP for Keeplived VRRP serviceViacheslav Hletenko
AgentX does not work stable. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured. set high-availability vrrp snmp
2023-09-15Merge pull request #2270 from indrajitr/ddclient-config-permissionChristian Breunig
ddclient: T5585: Fix file access mode for dynamic dns configuration
2023-09-15system: T5505: T5575: support calling system-ip(v6).py from init processChristian Breunig
After commit 976f82785 ("T5575: ARP/NDP table-size isnt set properly") the system bootup process got interrupted as both system-ip.py and system-ipv6.py tried to talk to FRR which was yet not started. This has been fixed by using a conditional path to only execute when FRR service has been enabled. This is safe to do as the initial commit call will has FRR service running and the path will be executed.
2023-09-14ddclient: T5585: Fix file access mode for dynamic dns configurationIndrajit Raychaudhuri
ddclient.conf file is expected to have permission 600. We need to set the permission explicitly while creating the file.
2023-09-14Merge pull request #2242 from nicolas-fort/T4072-op-modeChristian Breunig
T4072: Firewall op-mode command: add bridge capabilities
2023-09-14Merge pull request #2253 from nicolas-fort/T5561Christian Breunig
T5561: nat: inbound|outbound interface should not be mandatory
2023-09-14Merge pull request #2255 from Apachez-/T5575Christian Breunig
T5575: ARP/NDP table-size isnt set properly
2023-09-14Merge pull request #1637 from ordex/T3214Daniil Baturin
openvpn: T3214: fix server-ipv6 and nopool handling
2023-09-14Merge pull request #2062 from vfreex/simple-fastpath-supportViacheslav Hletenko
T4502: firewall: Add software flow offload using flowtable
2023-09-13T5575: ARP/NDP table-size isnt set properlyApachez
2023-09-13TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13T5575: ARP/NDP table-size isnt set properlyApachez
2023-09-13T5561: nat: defining inbound|outbound interface should not be mandatory ↵Nicolas Fort
while configuring dNAT|sNAT rule
2023-09-11frr: T5239: fix process startup orderChristian Breunig
- Reuse existing utility functions to check if a boot is ongoing (boot_configuration_complete()) - Run system_frr.py script to configure FRR daemon before initial launch - Add safety net to always have FRR running on the system This does yet not solve the error in T5239 but it's a small step towards the solution.
2023-09-11T4072: Firewall op-mode command: add bridge capabilitiesNicolas Fort
2023-09-11init: remove dependency on frr.service - required for router shutdownChristian Breunig
2023-09-10T5564: Fix show firewall group and show firewall summaryViacheslav Hletenko
The `rule` key could be not exists in the entry of the dictionary for examppe `{'default_action': 'drop'}` Fix it
2023-09-09Merge pull request #2179 from vfreex/add-mldChristian Breunig
T5518: Add basic MLD support
2023-09-09T4754: Fix path for popen moved to utils processViacheslav Hletenko
2023-09-09T4502: firewall: Add software flow offload using flowtableYuxiang Zhu
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
2023-09-09Merge pull request #2228 from hlhc/fix/env-replaced-by-labelChristian Breunig
container: T5563 Fix environment replaced by label
2023-09-09vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridgesChristian Breunig
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI is configured against a container VXLAN interface which is referred to as a 'Single VXLAN device (SVD)'. Multiple VLAN to VNI mappings can be configured against the same SVD. This allows for a significant scaling of the number of VNIs since a separate VXLAN interface is no longer required for each VNI. Sample configuration of SVD with VLAN to VNI mappings is shown below. set interfaces bridge br0 member interface vxlan0 set interfaces vxlan vxlan0 external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
2023-09-09container: T5563 Fix environment replaced by labelCyrus
2023-09-08Merge pull request #2220 from sever-sever/T5554Christian Breunig
T5554: Disable sudo for PAM RADIUS
2023-09-08Merge pull request #1602 from goodNETnick/goodnetnick-shloginotp-T4754Viacheslav Hletenko
login: T4754: show configured 2FA OTP key
2023-09-08T5554: Disable sudo for PAM RADIUSViacheslav Hletenko
Disable sudo for PAM RADIUS template that slows down the CLI commands To fix it add: session [default=ignore success=2] pam_succeed_if.so service = sudo
2023-09-08T5518: Add basic MLD supportYuxiang Zhu
Currently VyOS has `protocol igmp` option to enable IGMP querier and reports through FRR's pimd. I would like to add support for IPv6 as well since FRR's IPv6 multicast functionality has significantly improved. Enabling both MLD and IGMP on a VyOS router will allow us to turn on multicast snooping on layer-3 switches in dual-stack networks. Example commands: ``` // Enable on interface eth0 set protocols pim6 interface eth0 // Explicitly join multicast group ff18::1234 on interface eth1 set protocols pim6 interface eth1 mld join ff18::1234 // Explicitly join source-specific multicast group ff38::5678 with source address 2001:db8::1 on interface eth1 set protocols pim6 interface eth1 mld join ff38::5678 source 2001:db8::1 ```
2023-09-07Merge pull request #2216 from jestabro/ext-dependencyChristian Breunig
T5412: Add support for extending config-mode dependencies in add-on packages
2023-09-07system: T5555: Fix time-zone migrator changing valid time-zones to UTCsarthurdev
2023-09-06conf-mode: T5412: move dependency check from smoketest to nosetestJohn Estabrook
2023-09-06conf-mode: T5412: add script for add-on package check of dependenciesJohn Estabrook
2023-09-06Merge pull request #2199 from sarthurdev/T4309Christian Breunig
conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups
2023-09-06Merge pull request #2205 from sever-sever/T5489Christian Breunig
T5489: Add sysctl TCP congestion control by default to BBR
2023-09-06Merge pull request #2206 from sever-sever/T5423Christian Breunig
T5423: Fix for op-mode show vpn ike secrets
2023-09-05Merge pull request #2204 from sever-sever/T5480John Estabrook
T5480: Ability to disable SNMP for keepalived service VRRP
2023-09-05T5533: Fix for vrrp dict key if virtual-server is usedViacheslav Hletenko
When using `virtual-server` alongside Keepalived, there can be situations where the `vrrp` key is completely unused.
2023-09-05save-config: T5551: check if None before write, as is the case at bootJohn Estabrook
2023-09-05Merge branch 'netns' into currentChristian Breunig
* netns: smoketest: T5241: re-work netns assertions and provide common utility helper netns: T5241: simplify network namespace handling netns: T5241: improve get_interface_namespace() robustness netns: T5241: use common interface_exists() helper netns: T5241: provide is_netns_interface utility helper T5241: Support netns for veth and dummy interfaces
2023-09-05netns: T5241: simplify network namespace handlingChristian Breunig
2023-09-05T5423: Fix for op-mode show vpn ike secretsViacheslav Hletenko
We don't use ipsec.secrets anymore Fix op-mode for "show vpn ike secrets". Ability to get "RAW" format
2023-09-05T5489: Add sysctl TCP congestion control by default to BBRViacheslav Hletenko
Add by default sysctl TCP congestion control to BBR. Default value `cubic` is not optimal. net.core.default_qdisc=fq net.ipv4.tcp_congestion_control=bbr