* Use interface_exists() outside of verify()
* Use verify_interface_exists() in verify() to drop common error message

configverify: T6198: add common helper for PKI certificate validation

The next evolutionary step after adding get_config_dict(..., with_pki=True) is
to add a common verification function for the recurring task of validating SSL
certificate existence in e.g. EAPoL, OpenConnect, SSTP or HTTPS.

T6192: allow binding SSH to multiple VRF instances

Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.

- modified: src/op_mode/firewall.py
  Changed behavior of "show firewall" for specific rule to only show rule and not also default-action

- Added show firewall <sections> detail paths
  modified: src/op_mode/firewall.py
- Added Description as a header to normal "show firewall" commands
- Added 'detail' view which shows the output in a list key-pair format

Description column was added for these commands and their subsections:
  show firewall statistics
  show firewall groups
  show firewall <family>

Detail view was added for these commands:
  show firewall bridge forward filter detail
  show firewall bridge forward filter rule <rule#> detail
  show firewall bridge name <chain> detail
  show firewall bridge name <chain> rule <rule#> detail
  show firewall ipv4 forward filter detail
  show firewall ipv4 forward filter rule <rule#> detail
  show firewall ipv4 input filter detail
  show firewall ipv4 input filter rule <rule#> detail
  show firewall ipv4 output filter detail
  show firewall ipv4 output filter rule <rule#> detail
  show firewall ipv4 name <chain> detail
  show firewall ipv4 name <chain> rule <rule#> detail
  show firewall ipv6 forward filter detail
  show firewall ipv6 forward filter rule <rule#> detail
  show firewall ipv6 input filter detail
  show firewall ipv6 input filter rule <rule#> detail
  show firewall ipv6 output filter detail
  show firewall ipv6 output filter rule <rule#> detail
  show firewall ipv6 name <chain> detail
  show firewall ipv6 name <chain> rule <rule#> detail
  show firewall group detail
  show firewall group <group> detail

system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option"

dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domains

T6178: Check that certificate exists during reverse-proxy commit

After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which
was present to update /etc/resolv.conf with the DHCP specified nameservers and
also the search domain list was no longer present.
This commit adds a per interface rendered script to inform vyos-hostsd about
the received IPv6 nameservers and search domains.

system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option"
This fixes an invalid warning when using a DHCP VLAN interface to retrieve the
system nameserver to be used. VLAN CLI config is not properly expanded
leading to a false warning:
  [ system name-server eth1.10 ]
  WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option!

T6185: simplify marshalling of section and config data for config-sync

dhcp-server: T4718: Listen-address is not committed if the ip address is on the interface with vrf

bgp: T6106: Valid commit error for route-reflector-client option defined in peer-group

bgp: T6106: Valid commit error for route-reflector-client option defined in peer-group
changed exception condition
Improved route_reflector_client test

Package path/section data in single command containing a tree (dict) of
section paths and the accompanying config data. This drops the call to
get_config_dict and the need for a list of commands in request.

dhcp: T6174: Add TACACS/RADIUS users to _kea group

Also raise op-mode error when unable to fetch data from Kea socket

openvpn: T6159: Openvpn Server Op-cmd adds heading "OpenVPN status on vtunx" for every client connection

ipsec: T5606: T5871: Use multi node for CA certificates

T5872: ipsec remote access VPN: support dhcp-interface.

This changes behaviour from fetching the CA chain in PKI to the user manually setting CA certificates.
Prevents unwanted parent CAs existing in PKI from being auto-included, as this may not be desired/intended.

openvpn: T6159: Openvpn Server Op-cmd adds heading "OpenVPN status on vtunx" for every client connection
Don't show duplicate info of vtunx
Show header when clients are not connected but server is configured

dhcp-server: T4718: Listen-address is not committed if the ip address is on the interface with vrf

The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service"
with no additional information about a client interface at all.
This results in useless dhclient processes:
  root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
  root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script
  root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 -
which also assign client leases to all local interfaces, if we receive one
valid DHCPOFFER:
  vyos@vyos:~$ show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
  Interface    IP Address         MAC                VRF      MTU    S/L    Description
  -----------  -----------------  -----------------  -------  -----  -----  -------------
  eth0         -                  00:50:56:bf:c5:6d  default  1500   u/u
  eth0.10      172.16.33.102/24   00:50:56:bf:c5:6d  default  1500   u/u
  eth1         172.16.33.131/24   00:50:56:b3:38:c5  default  1500   u/u
172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.
This commit moved the renew command to the DHCP op-mode script to properly
validate if the interface we request a renew for actually has a DHCP address
configured. In addition, this exposes the renew feature to the API.

dhcp-server high-availability>.

Users can not (FRR fails) commit the same network belonging to different OSPF
areas. Add verify() check to prevent this.

grub: T6165: increase service TimeoutSec from 5 -> 60

The PCEngines APU2 systems with mSATA disks tend to be very slow. This results
in a service startup error:
  $ systemctl status vyos-grub-update
  × vyos-grub-update.service - Update GRUB loader configuration structure
       Loaded: loaded (/lib/systemd/system/vyos-grub-update.service; enabled; preset: enabled)
       Active: failed (Result: timeout) since Sun 2024-03-24 08:48:10 UTC; 14min ago
     Main PID: 779 (code=killed, signal=TERM)
          CPU: 869ms
  Mar 24 08:48:05 LR4.wue3 systemd[1]: Starting vyos-grub-update.service - Update GRUB loader configuration structure...
  Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: start operation timed out. Terminating.
  Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Main process exited, code=killed, status=15/TERM
  Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Failed with result 'timeout'.
  Mar 24 08:48:10 LR4.wue3 systemd[1]: Failed to start vyos-grub-update.service - Update GRUB loader configuration structure.
Measuring on an APU2 system after boot and memory is "hot", it still needs
almost 17 seconds to complete the job:
  cpo@LR4.wue3:~$ time sudo /usr/libexec/vyos/system/grub_update.py
  real 0m16.803s
  user 0m0.018s
  sys 0m0.028s

This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain"
node identifying the IS-IS process name). Drop all references to "process"
variable.
Specifying:
  set protocols isis interface eth1
  set protocols isis net '49.0001.1921.6825.5255.00'
  set protocols isis redistribute ipv4 bgp
Triggered an exception:
  Traceback (most recent call last):
    File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module>
      verify(c)
    File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify
      f'"protocols isis {process} redistribute {afi} {proto}"!')
                               ^^^^^^^
  NameError: name 'process' is not defined

vti: T6085: interface is always down and only enabled by IPSec daemon

policy: T6130: Revert commit 960cace

* Move global state-policy smoketest to its own test, verify conntrack

When a VTI interface is just created, it is in ADMIN UP state by default, even
if an IPSec peer is not connected. After the peer is disconnected the interface
goes to DOWN state as expected.
This breaks routing logic - for example, static routes through VTI interfaces
will be active even if a peer is not connected.
This changes the logic so ADMIN UP/DOWN state can only be changed by the
vti-up-down helper script.
The error was introduced during the Perl -> Python migration and move to the generic
vyos.ifconfig abstraction during the 1.4 development cycle.