summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-06-11T6219: Add support for container sysctl parameter (backport #3614) (#3629)mergify[bot]
* container: T6219: Add support for container sysctl / kernel parameters (cherry picked from commit 717ea64e4c54a8be619ffc29c16c6203b29319dd) * T6219: align with system sysctl and limit parameters to supported (cherry picked from commit f030464952168b553b5b3e29b461d437c2642a9b) --------- Co-authored-by: Ben Pilgrim <ben@pilgrim.me.uk> Co-authored-by: Nicolas Vollmar <nvollmar@gmail.com>
2024-06-10vyos.utils: T5195: import vyos.cpu to this packageChristian Breunig
The intention of vyos.utils package is to have a common ground for repeating actions/helpers. This is also true for number of CPUs and their respective core count. Move vyos.cpu to vyos.utils.cpu (cherry picked from commit e318eb33446de47835480d4b8f1646b39fb5c388)
2024-06-10Merge pull request #3619 from vyos/mergify/bp/sagitta/pr-3610Christian Breunig
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610)
2024-06-10op-mode: T6424: ipsec: filter out duplicate CA certificates in Apple IOS profileChristian Breunig
(cherry picked from commit 4e51569013b3f78abea9c18e5a6ecb9ff5ae4687)
2024-06-10op-mode: T6424: ipsec: honor certificate CN and CA chain during profile ↵Christian Breunig
generation In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all it's paren't CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile. (cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211)
2024-06-10pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)Christian Breunig
The haproxy reverse proxy was not reloaded/restarted with the new SSL certificate(s) after a change in the PKI subsystem. This was due to missing dependencies. (cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
2024-06-09Merge pull request #3605 from vyos/mergify/bp/sagitta/pr-3598Christian Breunig
reverse-proxy: T6454: Set default value of http for haproxy mode (backport #3598)
2024-06-09reverse-proxy: T6454: Set default value of http for haproxy modeAlex W
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
2024-06-09T6460: fixes duid formattingNicolas Vollmar
2024-06-03bfd: T6440: BFD peer length typoHannes Tamme
(cherry picked from commit 5490c76f9b9f53751fc527f455090f0a3820e8fe)
2024-06-03reverse-proxy: T6434: Support additional healthcheck options (#3574) (#3577)mergify[bot]
(cherry picked from commit 3e5cc0b7fb8ae4a0f8b7c9270d9db0a0f252c448) Co-authored-by: Alex W <embezzle.dev@proton.me>
2024-05-31T6422: Smoke test for NS record configration in authoritative DNS, typo & ↵Haim Gelfenbeyn
style fixes (cherry picked from commit f2d0701f50061374b5a4f55d33201629b3293248)
2024-05-31dns: T6422: allow multiple redundant NS recordsHaim Gelfenbeyn
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported. (cherry picked from commit 19d8415512dcf87dc3a87feabf128652ffc74594)
2024-05-31op-mode: T683: remove superfluous debug print in snmpv3 display codeChristian Breunig
This was a leftover from the early days. (cherry picked from commit d5271e084cca8af54f425816916a821b0eab1a5a)
2024-05-30reverse-proxy: T6409: unindent migration script code pathChristian Breunig
(cherry picked from commit dd2516904527c74e01e0ced5166afe72a479ee00)
2024-05-30reverse-proxy: T6409: Remove unused backend parametersAlex W
(cherry picked from commit fb6602f431f5595b97ea3726467ec782fa50ceb8)
2024-05-30op-mode: ipsec: T6407: fix profile generationChristian Breunig
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile. (cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671)
2024-05-30Merge pull request #3555 from vyos/mergify/bp/sagitta/pr-3546Christian Breunig
reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546)
2024-05-30reverse-proxy: T6419: build full CA chain for frontend SSL certificateChristian Breunig
(cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)
2024-05-30reverse-proxy: T6419: build full CA chain when verifying backend serverChristian Breunig
(cherry picked from commit d83a6e5c5dc7e97e773f08bec7ba377530baafc9)
2024-05-30reverse-proxy: T5231: remove frontend ca-certificate code pathChristian Breunig
The code path to handle the ca certificate used for the frontend service is removed, as there is no way on the XLI to define the CA certificate used for the frontend service. (cherry picked from commit 6000c47f068503522b0ccfe57c51f34ad9892e87)
2024-05-30container: T6406: fix NameError: name 'vyos' is not definedChristian Breunig
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function from the Python module. (cherry picked from commit 8439f8a43e93c0560f1abfc2aa60990f521b4d4d)
2024-05-29nat: T6371: fix op mode display of configured ports when comma separated ↵Ginko
list of ports/ranges exists Before: Issuing the op mode command "show nat source rules" will throw an exception if the user has configured NAT rules using a list of ports as a comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was no handling for the "!" rule and so '!53' would display as '53'. With this PR: Introduced iteration to capture all configured ports and append to the appropriate string for display to the user as well as handling of '!' if present in user's configuration. (cherry picked from commit b7595ee9d328778105c70e3d4399ac45f555b304)
2024-05-29openvpn: T6374: only check TLS role for s2s if TLS is configuredDaniil Baturin
(cherry picked from commit f4069582273e1ee9916dea7de1e6ec176db81bc6)
2024-05-28openvpn: T6374: ensure that TLS role is configured for site-to-site with TLSDaniil Baturin
(cherry picked from commit 380e998b10341b6dd42bb94d00a9d7a462ada27a)
2024-05-28T6406: rename cpus to cpuNicolas Vollmar
(cherry picked from commit 74910564f82e2837cd7eb35ea21f07601e5f8f0d)
2024-05-28T6406: add container cpu limit optionNicolas Vollmar
(cherry picked from commit 81dea053e7178b8fea836a85aacde2a38ffb9e09)
2024-05-27reverse-proxy: T6402: Fix invalid checks in validation scriptAlex W
(cherry picked from commit d4d70929a81b2ee1f66a9412a3545911b3874a62)
2024-05-26op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificatesChristian Breunig
This fixes (for and ACME generated certificate) vyos@vyos:~$ show pki certificate vyos fingerprint sha512 Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module> show_certificate_fingerprint(args.certificate, args.fingerprint) File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint print(get_certificate_fingerprint(cert, hash)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint fp = cert.fingerprint(hash_algorithm) ^^^^^^^^^^^^^^^^ AttributeError: 'bool' object has no attribute 'fingerprint' After the fix: vyos@vyos# run show pki certificate vyos fingerprint sha256 10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2 (cherry picked from commit b6ee07c7efbb818787deba20116f4289853fb5c9)
2024-05-26dhcpv6-server: T3493: add proper validation for prefix-delegation start/stop ↵Christian Breunig
address ISC DHCP server expects a string: "prefix6 2001:db8:290:: 2001:db8:29f:: /64;" where the IPv6 prefix/range must be :: terminaated with a delegated prefix length at the end. This commit changes the validator that the IPv6 address defined on the CLI must always end with ::. In addition a verify() step is added to check that the stop address is greater than start address.
2024-05-26Revert "dhcpv6-server: T3493: adds prefix range validation"Christian Breunig
This reverts the prefix start/stop address must be inside network part from commit 4cde0b8ce778d269d3fe1d4f33ba5b2caf424181.
2024-05-26smoketest: support dynamic enable of smoketest debuggingChristian Breunig
$ touch /tmp/vyos.smoketest.debug will enable dynamic debugging of the smoketests - showing the appropriate CLI commands on stdout (cherry picked from commit 0cb4294fdfe5ae0e0e8fd06436f38b67f16413a2)
2024-05-23reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responsesAlex W
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
2024-05-23nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel ↵Christian Breunig
>=5.0 random - In kernel 5.0 and newer this is the same as fully-random. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port. https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454 (cherry picked from commit 7fe568ca1672f1dfbd2b56ee3ef7a6ab48b03070)
2024-05-23nat66: T6365: remove warnings for negated interface selections by nameChristian Breunig
(cherry picked from commit 59781ff365a5e1b15ef6c4c2481f3d3815548b9d)
2024-05-22nat: T6365: use interface_exists() over netifaces.interfaces()Christian Breunig
(cherry picked from commit 645c43ba60d29ca676a4323ccc5ca16c6bd8127a)
2024-05-22nat: T6365: use string startswith() over [0] index accessChristian Breunig
(cherry picked from commit 3870247517741ce23e2fcee8aaa1d194f0ad621b)
2024-05-22nat: T6365: remove warnings for negated interface selections by nameRyazanov Alexander Mihailovich
(cherry picked from commit 03eae30b27433055ddc10f09fc134b83e9bd6cec)
2024-05-21dhcpv6-server: T3493: adds prefix range validation and fixes typos in select ↵Giggum
ConfigError messages
2024-05-17Merge pull request #3478 from vyos/mergify/bp/sagitta/pr-3471John Estabrook
op mode: T6348: SNAT op-mode fails with flowtable offload entries (backport #3471)
2024-05-17op mode: T6348: SNAT op-mode fails with flowtable offload entriesNataliia Solomko
(cherry picked from commit 1cba74f91a67348bc8e8ad3e2ef4325dc9f9d6e0)
2024-05-17T6358: Add config option for host process namespaceNicolas Vollmar
(cherry picked from commit f5051de4fc034bd95677ef142423e59eae47cd2f)
2024-05-17T6358: Remove duplicate host name handlingNicolas Vollmar
(cherry picked from commit 240f199cdfadbc12ce713dae74c8db3af44a398c)
2024-05-16T6335: Add/Update EVPN op commandsl0crian1
Converted completion helpers from python to bash for performance Previous commit: Added the following commands: show evpn show evpn es show evpn es <es-id> show evpn es detail show evpn es-evi show evpn es-evi detail show evpn es-evi vni <num> show evpn vni show evpn vni detail show evpn vni <num> Updated the following commands: show evpn access-vlan show evpn arp-cache show evpn mac show evpn next-hops show evpn rmac (cherry picked from commit 3917e3e9f985063ab7419c903f6019116224f640)
2024-05-16T6335: Add/Update EVPN op commandsl0crian1
Added the following commands: show evpn show evpn es show evpn es <es-id> show evpn es detail show evpn es-evi show evpn es-evi detail show evpn es-evi vni <num> show evpn vni show evpn vni detail show evpn vni <num> Updated the following commands: show evpn access-vlan show evpn arp-cache show evpn mac show evpn next-hops show evpn rmac (cherry picked from commit c6be441c86bc8fe2e938e2bd3c85f99071cbfb49)
2024-05-16Merge pull request #3462 from nvollmar/T4519Christian Breunig
op mode: T4519: Show DUID instead of IAID_DUID
2024-05-16T4519: Switch to display DUIDNicolas Vollmar
2024-05-16op mode: T6339: display build flavor and comment in "show version"Daniil Baturin
(cherry picked from commit cc0573a78aac4d6ac4479fdf951d151a36b88cbc)
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation. (cherry picked from commit 7c438caa2c21101cbefc2eec21935ab55af19c46)
2024-05-12ethernet: T6306: add support for EVPN MH uplink/core trackingChristian Breunig
When all the underlay links go down the PE no longer has access to the VxLAN +overlay. To prevent blackholing of traffic the server/ES links are protodowned on the PE. A link can be setup for uplink tracking via the following configuration: set interfaces ethernet eth0 evpn uplink (cherry picked from commit 5565f27d15c5e7378e94aae8db8a894a12e25d7b)