path: root/src
Age | Commit message | Author
2023-04-21 | vrf: T5150: fix regex used on frr-reload when searching for discrete VRF | Christian Breunig
We must only search and replace for "vrf red" or "vrf green" - the regex used in fact matched on all VRFs, which is wrong. This would remove all VRF VNI configurations when only changing a single VRF.
2023-04-21 | Merge pull request #1957 from aapostoliuk/T5042-sagitta | Christian Breunig
ipsec: T5042: Rewritten 'show vpn ipsec remote-access' command
2023-04-21 | vrf: T5150: l3vni must be removed prior to removing BGP VRF process | Christian Breunig
2023-04-21 | T1237: Failover route add policy for targets checking | Viacheslav Hletenko
Add policy (any-available|all-available) for target checking for failover route
    set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check policy 'any-available'
    set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.1'
    set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.11'
It depends if we need that all targets must be alive or just one target.
2023-04-21 | dns: T5144: Improve dynamic DNS validations and completions | Indrajit Raychaudhuri
Apply validations and completions to dynamic DNS protocols supported. This also opens up additional protocols supported by ddclient 3.10.
Additional details:
- Validation and constraint have been added for interface names as well.
- While at it, the help texts got some copyedit and rewording.
2023-04-20 | ocserv: T3896: refactor: change ocserv config-per-x node name | Jamie Austin
Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing its child nodes.
2023-04-20 | Merge pull request #1963 from sarthurdev/pki_fix | Christian Breunig
pki: T3642: Fix show command if no CA certs are present
2023-04-19 | Merge pull request #1958 from srividya0208/T5159 | Daniil Baturin
op-mode: T5159: dhcpv6 incorrect warning message
2023-04-19 | op-mode: T5159: dhcpv6 incorrect warning message | srividya0208
The operational command "show dhcpv6 server leases" shows a warning message even if dhcpv6 settings are configured and ipv6 address got assigned to clients.
2023-04-18 | pki: T3642: Fix show command if no CA certs are present | sarthurdev
2023-04-17 | dns: T5144: Make dns dynamic status output legacy format compatible | Indrajit Raychaudhuri
Adjust the output of dynamic dns status to be compatible with both legacy and new ddclient cache format. This is necessary because the legacy format is still used by some of the dyndns2 family of protocols. This is a follow-up to commit 3f3621b6874354.
2023-04-17 | T5137: Refactoring show tech-support report | Viacheslav Hletenko
Split script to small functions for flexible output reports. Improve header for commands. Each function easily can be modified or extended. Remove splitting command/output via percent symbol. Remove old commands and directories like /etc/rc.local, iptables, brctl, etc. Remove ethtool operation for subinterfaces. Extend ethtool debug output. Add correct nftables command.
2023-04-14 | ipsec: T5042: Rewritten 'show vpn ipsec remote-access' command | aapostoliuk
Now 'show vpn ipsec remote-access' shows only IKEv2 Remote access VPN IPSec connections.
Added option 'summary' that shows a summary table for these connections.
Added option 'detail' that shows only RA SAs output of 'swanctl -l'
Added options 'username' and 'connection-id' that filters output.
Fixed output 'show vpn ipsec sa detail', the previous was 'show vpn ipsec sa verbose'.
2023-04-14 | container: T5082: enable aardvark-dns support | Christian Breunig
With commit 0ea3e1420 ("container: T5082: switch to netavark network stack") moving to a new network stack we should also enable the new DNS plugin provided by default. TODO: add CLI nodes to manually disable DNS and/or supply external DNS servers to the container.
2023-04-14 | container: T5082: shorten container network prefix to allow longer names | Christian Breunig
If the name of the network + the length of the podman- prefix exceeds the maximum supported length of netavark we get an error:
    Error: netavark: get bridge interface: Netlink error: Numerical result out of range (os error 34)
2023-04-13 | Merge pull request #1943 from c-po/t5150-frr | Daniil Baturin
T5150: implementation of new Kernel/Zebra route-map support
2023-04-13 | Merge pull request #1930 from mkorobeinikov/current | Christian Breunig
T5137: refactoring the tech-support command
2023-04-13 | T5150: migrate CLI configs to new Kernel/Zebra route-map support | Christian Breunig
2023-04-13 | T5150: initial VRF support for Kernel/Zebra route-map filtering | Christian Breunig
2023-04-13 | T5150: do not apply zebra route-map from routing-daemon config level | Christian Breunig
2023-04-13 | T5150: initial implementation of new Kernel/Zebra route-map support | Christian Breunig
It is possible to install a route-map which filters the routes between routing daemons and the OS kernel (zebra).
As of now this can be done by e.g.
* set protocols ospf route-map foo
* set protocols ospfv3 route-map foo
* set protocols bgp route-map foo
Which in turn will install the following lines into FRR
* ip protocol ospf route-map foo
* ipv6 protocol ospf6 route-map foo
* ip protocol bgp route-map foo
The current state of the VyOS CLI is incomplete as there is no way to:
* Install a filter for BGP IPv6 routes
* Install a filter for static routes
* Install a filter for connected routes
Thus the CLI should be redesigned to closely match what FRR does for both the default and any other VRF
* set system ip protocol ospf route-map foo
* set system ipv6 protocol ospfv3 route-map foo
* set system ip protocol bgp route-map foo
* set system ipv6 protocol bgp route-map foo
The configuration can be migrated accordingly. This commit does not come with the migrator, it will be committed later.
2023-04-13 | eigrp: T2472: remove pprint debug statement | Christian Breunig
2023-04-11 | T4727: Change and fix RADIUS rate-limit option for pptp | Viacheslav Hletenko
Initially the option 'rate-limit' was implemented in the wrong place in the CLI:
    set vpn pptp remote-access authentication rate-limit <xxx>
Expected under 'radius' section:
    set vpn pptp remote-access authentication radius rate-limit <xxx>
Configuration for 'rate-limit' (Jinja2 template) never worked for pptp, fix it.
2023-04-11 | T5152: Get default hostname for telegraf from FQDN or hostname | Viacheslav Hletenko
Fix for Telegraf agent hostname isn't qualified
Try to get hostname from FQDN and then from hostname
Used for metrics
You may have more than one machine with different domain names
    r1 domain-name foo.local, hostname myhost
    r2 domain-name bar.local, hostname myhost
It helps to detect from exactly which host we get metric for InfluxDB2
2023-04-10 | Merge pull request #1936 from indrajitr/ddclient-opmode | Christian Breunig
dns: T5144: Improve dns dynamic status output
2023-04-10 | Merge pull request #1949 from sever-sever/T5065 | Christian Breunig
T5065: Add verify for firewall port-group and port
2023-04-10 | T5065: Add verify for firewall port-group and port | Viacheslav Hletenko
We cannot use both 'port' and 'port-group' for the same direction in one rule at the same time
Otherwise it generates wrong rules that don't block anything
    set P_pgrp {
        type inet_service
        flags interval
        auto-merge
        elements = { 101-105 }
    }
    chain NAME_foo {
        tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10"
        counter return comment "foo default-action accept"
    }
2023-04-10 | hostapd: T5151: Override ConditionFileNotEmpty | Andrew Gunnerson
Debian's `debian/2%2.10-12` update of the hostap packaging added a ConditionFileNotEmpty directive for `/etc/hostapd/<...>` paths, which doesn't match the `/run/hostapd/<...>` paths that VyOS uses. This commit updates the override file to use the proper VyOS paths.
https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-10 | Merge pull request #1941 from sever-sever/T1237 | Viacheslav Hletenko
T1237: Failover route add checks for multiple targets
2023-04-10 | Merge pull request #1942 from sever-sever/T4770 | Daniil Baturin
T4770: Ability to get OpenVPN iface state and description for raw
2023-04-10 | T5148: Fix OpenVPN plugin dir variable | Viacheslav Hletenko
Jinja2 template uses {{ plugin_dir }} that it gets from the interface-openvpn.py variable 'plugin_dir' but the correct var should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
2023-04-10 | T4770: Ability to get OpenVPN iface state and description for raw | Viacheslav Hletenko
2023-04-07 | openvpn: T5149: do not raise error in case of disabled interface | John Estabrook
2023-04-07 | T1237: Failover route add checks for multiple targets | Viacheslav Hletenko
There is only one target for checking ICMP/ARP
Extend it for checking multiple targets
    set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1'
    set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11'
The route will be installed only if all targets are 'alive'
2023-04-07 | T5137: refactoring the tech-support command | mkorobeinikov
Refactoring the tech-support command from .sh to .py
2023-04-06 | container: T5147: ensure container network exists before VRF operation | Christian Breunig
Networks are started only as soon as there is a consumer. If only a network is created in the first place, no need to assign it to a VRF as there's no consumer, yet.
2023-04-04 | Merge pull request #1937 from aapostoliuk/T5135-sagitta | Christian Breunig
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
2023-04-04 | T5145: Add maximum number of all logins on system | Viacheslav Hletenko
maxsyslogins
    maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0)
set system login max-login-session 2
2023-04-04 | opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec | aapostoliuk
Rewritten opennhrp script using vyos.ipsec library
2023-04-03 | dns: T5144: Improve dns dynamic status output | Indrajit Raychaudhuri
Improve and fix the output of dynamic dns status to be compatible with new ddclient cache format.
Additional details:
- The status output is now formatted as a table with per-host dual-stack information in rows. Columns not having actual value present in the output will be kept empty.
- The 'Last update' column is now formatted in Local time format instead of UTC.
2023-04-03 | Merge pull request #1932 from sever-sever/T5125 | Christian Breunig
T5125: Sflow op-mode add event_samples_suppressed option
2023-04-03 | T5141: Add numbers for dhclient-exit-hooks.d to enforce order | Viacheslav Hletenko
Add numbers for all dhclient-exit-hooks.d to enforce script order execution
Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1' it is described in the https://vyos.dev/T4856, so we should move this hook to the end.
Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
2023-04-03 | T5125: Sflow op-mode add event_samples_suppressed option | Viacheslav Hletenko
Add "Packet drops suppressed" option
Rename "Samples drop events sent" to "Packet drops sent"
2023-04-02 | container: T5134: support binding container network to specific VRF | Christian Breunig
Container networks now can be bound to a specific VRF instance.
    set vrf name <foo> table <xxx>
    set container network <name> vrf <foo>
2023-04-01 | T5125: Extend op-mode show sflow add new metric | Viacheslav Hletenko
Add new metric, the number of packet-drop-events sent
2023-04-01 | container: T4959: bugfix credential validation on registries | Christian Breunig
Commit fe82d86d ("container: T4959: add registry authentication option") looked up the wrong config dict level when validating that both username and password need to be specified when registries are in use.
2023-04-01 | container: T5082: switch to netavark network stack | Christian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-04-01 | container: T5047: bugfix TypeError: argument of type 'NoneType' is not iterable | Christian Breunig
Commit 52e51ffb ("container: T5047: restart only containers that changed") started to iterate over a NoneType which is invalid. This happened when a network description was changed but no container was due for restart.
2023-04-01 | Merge pull request #1926 from aapostoliuk/T5093-sagitta | Christian Breunig
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
2023-03-31 | http-api: T5126: allow restricting client IP address | John Estabrook