summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-11-24T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-11-23Merge pull request #2532 from jestabro/drop-http-api-confChristian Breunig
http-api: T5768: remove auxiliary http-api.conf
2023-11-22http-api: T5768: remove auxiliary http-api.confJohn Estabrook
2023-11-22Merge pull request #2522 from dmbaturin/require-api-keysChristian Breunig
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL
2023-11-22Merge pull request #2528 from nicolas-fort/T5637-Extend-bridgeChristian Breunig
T5637: firewall: extend rule for default-action to firewall bridge
2023-11-22Merge pull request #2527 from c-po/t5630-mru-part-2Christian Breunig
pppoe: T5630: make MRU default to MTU if unspecified
2023-11-22T5637: firewall: extend rule for default-action to firewall bridge, in order ↵Nicolas Fort
to be able to catch logs using separte rule for default-action
2023-11-22pppoe: T5630: make MRU default to MTU if unspecifiedChristian Breunig
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU in addition to already configurable MTU") and restores the bahavior that MRU defaults to MTU if MRU is not explicitly set. This was the behavior in VyOS 1.3.3 and below before we added ability to define the MRU value.
2023-11-22Merge pull request #2503 from c-po/t5759-vxlan-mtuChristian Breunig
vxlan: T5759: change default MTU from 1450 -> 1500 bytes
2023-11-22vxlan: T5759: change default MTU from 1450 -> 1500 bytesChristian Breunig
Found an odd behavior on Linux and the VyOS CLI implementation. If adding VXLAN interfaces using iproute2 the MTU differs depending on the creation syntax: ip -4 link add vxlan100 type vxlan dstport 4789 external df unset tos inherit \ ttl 16 nolearning vnifilter local 172.16.33.201 ip -4 link add vxlan200 type vxlan id 200 dstport 4789 local 172.16.33.201 dev eth0 ip -6 link add vxlan300 type vxlan id 300 dstport 4789 local 2001:db8:1::1 dev eth0 132: vxlan300: <BROADCAST,MULTICAST> mtu 1430 qdisc noop state DOWN group default qlen 1000 link/ether 4e:fb:e3:f5:d9:59 brd ff:ff:ff:ff:ff:ff 133: vxlan200: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000 link/ether 0e:4e:f4:76:59:3f brd ff:ff:ff:ff:ff:ff 134: vxlan100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether ba:b6:b7:0c:b1:37 brd ff:ff:ff:ff:ff:ff VyOS always sets a default MTU of 1450 bytes which is correct for IPv4 p2p links or multicast, but invalid for IPv6 p2p. Also this will break EVPN deployments as ethernet bridges with MTU < 1500 bytes are less fun. Increase default MTU to 1500 bytes. Migrate old configurations to use 1450 bytes if not specified otherwise on the CLI.
2023-11-22Merge pull request #2499 from c-po/t5753-vxlan-vnifilterChristian Breunig
vxlan: T5753: add support for VNI filtering
2023-11-21Merge pull request #2519 from c-po/t5762-vhost-portJohn Estabrook
http: T5762: rename "virtual-host listen-port" -> "virtual-host port"
2023-11-22https api: T5772: check if keys are configuredDaniil Baturin
unless PAM auth is enabled for GraphQL
2023-11-21smoketest: macsec: T5770: fix NameError: name 'cipher' is not definedChristian Breunig
2023-11-21Merge pull request #2518 from giga1699/T5770Christian Breunig
T5770 Enable MACsec encryption stanza
2023-11-21Merge pull request #2516 from sever-sever/T5767Christian Breunig
T5767: HTTPS API add reboot and poweroff endpoints
2023-11-21macsec: T5770: enable iproute2 "encrypt on" stanzaGiga Murphy
2023-11-21http: T5762: rename "virtual-host listen-port" -> "virtual-host port"Christian Breunig
This complements commit f5e43b136 ("http: T5762: api: make API socket backend communication the one and only default") so we have a consistent port CLI node across VyOS components.
2023-11-21T5767: HTTPS API add reboot and poweroff endpointsViacheslav Hletenko
Add ability to reboot and poweroff the system via API curl -k --location --request POST 'https://vyos/reboot' \ --form data='{"op": "reboot", "path": ["now"]}' \ --form key='apikey' curl -k --location --request POST 'https://vyos/poweroff' \ --form data='{"op": "poweroff", "path": ["now"]}' \ --form key='apikey'
2023-11-20Merge pull request #2508 from c-po/t5762-https-api-socketDaniil Baturin
http: T5762: api: make API socket backend communication the one and only default
2023-11-20Merge pull request #2511 from jestabro/load-file-nameChristian Breunig
T5763: fix imprecise check for remote file name
2023-11-20T5763: fix imprecise check for remote file nameJohn Estabrook
2023-11-20http: T5762: api: make API socket backend communication the one and only defaultChristian Breunig
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn backend server. https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging those failing, it was uncovered, that uvicorn only listens on IPv4 connections vyos@vyos# netstat -tulnp | grep 8080 (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN - As the CLI already has an option to move the API communication from an IP to a UNIX domain socket, the best idea is to make this the default way of communication, as we never directly talk to the API server but rather use the NGINX reverse proxy.
2023-11-20Merge pull request #2506 from c-po/t5760-dhcp-user-classChristian Breunig
dhcp-client: T5760: add CLI option to pass user-class parameter
2023-11-19config-mgmt: T4957: remove TFTP user/pass from completion helperChristian Breunig
2023-11-19dhcp-client: T5760: add CLI option to pass user-class parameterChristian Breunig
Example: set interfaces ethernet eth0 dhcp-options user-class VyOS or set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
2023-11-19dhcp-client: T5760: add constraints for dhclient string optionsChristian Breunig
The string data type specifies either an NVT ASCII string enclosed in double quotes, or a series of octets specified in hexadecimal, separated by colons. For example: set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO or set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f As of now there was no input validation performed.
2023-11-19Merge pull request #2504 from c-po/commit-archive-helpDaniil Baturin
config-mgmt: T4957: T2405: add proper valueHelp strings for remote URL
2023-11-18config-mgmt: T4957: T2405: add proper valueHelp strings for remote URLChristian Breunig
vyos@vyos# set system config-management commit-archive location Possible completions: uri Uniform Resource Identifier Unfortunately URI is a bit "less" specific - add proper help strings: vyos@vyos# set system config-management commit-archive location Possible completions: http://<user>:<passwd>@<host>/<path> https://<user>:<passwd>@<host>/<path> ftp://<user>:<passwd>@<host>/<path> sftp://<user>:<passwd>@<host>/<path> scp://<user>:<passwd>@<host>/<path> tftp://<user>:<passwd>@<host>/<path> git+https://<user>:<passwd>@<host>/<path>
2023-11-18T2405: fix debian/control syntaxChristian Breunig
2023-11-18T2405: add Git support to commit-archiveYun Zheng Hu
T2405: add Git support to commit-archive
2023-11-18vxlan: T5753: add support for VNI filteringChristian Breunig
In a service provider network a service provider typically supports multiple bridge domains with overlapping vlans. One bridge domain per customer. Vlans in each bridge domain are mapped to globally unique VXLAN VNI ranges assigned to each customer. Without the ability of VNI filtering, we can not provide VXLAN tunnels with multiple tenants all requiring e.g. VLAN 10. To Test: set interfaces vxlan vxlan987 parameters external set interfaces vxlan vxlan987 source-interface eth0 set interfaces vxlan vxlan987 parameters vni-filter set interfaces vxlan vxlan987 vlan-to-vni 50 vni 10050 set interfaces vxlan vxlan987 vlan-to-vni 51 vni 10051 set interfaces vxlan vxlan987 vlan-to-vni 52 vni 10052 set interfaces vxlan vxlan987 vlan-to-vni 53 vni 10053 set interfaces vxlan vxlan987 vlan-to-vni 54 vni 10054 set interfaces vxlan vxlan987 vlan-to-vni 60 vni 10060 set interfaces vxlan vxlan987 vlan-to-vni 69 vni 10069 set interfaces bridge br0 member interface vxlan987 Add new op-mode command: show bridge vni Interface VNI ----------- ----------- vxlan987 10050-10054 vxlan987 10060 vxlan987 10069
2023-11-18Merge pull request #2500 from sever-sever/T5749Christian Breunig
T5749: Swap show interfaces and show interfaces summary
2023-11-17T5749: Swap show interfaces and show interfaces summaryViacheslav Hletenko
By default show VRF, MAC, MTU for `show interfaces` The original `show interfaces` moved to `show interfacces summary`
2023-11-16Merge pull request #1768 from zdc/T4516-sagittaJohn Estabrook
image: T4516: Added system image tools
2023-11-16tunnel: T3894: improve get_mac_synthetic() codeChristian Breunig
Remove stray whitespace in sed script and call Section.interfaces with vlan=False instead of a custom filter. This extends commit f19c92f25 ("tunnel: T3894: fix design when building synthetic MAC addresses")
2023-11-16xml: T5738: re-use "disable" building blockChristian Breunig
2023-11-16image: T4516: add raid-1 install supportJohn Estabrook
2023-11-16image: T4516: ensure compatibility with legacy RAID 1 installsJohn Estabrook
2023-11-16image: T4516: variable name spellingJohn Estabrook
2023-11-16image: T4516: restore select entry to set/delete imageJohn Estabrook
2023-11-16image: T4516: do not prompt for confirmation when setting defaultJohn Estabrook
2023-11-16image: T4516: reword some messages and promptsJohn Estabrook
2023-11-16image: T4516: add clearer error msg on attempt to upgrade to 1.2.xJohn Estabrook
An attempt to upgrade to 1.2.x is caught, but error is of failed checksum verification; add check and message.
2023-11-16image: T4516: use copy of pw_reset script for install, link for compatJohn Estabrook
Note that this was updated for the fix in T5739.
2023-11-16Merge pull request #2495 from JeffWDH/currentChristian Breunig
T3983: show pki certificate Doesnt show x509 certificates
2023-11-16Merge pull request #2481 from sever-sever/smoketest-apiChristian Breunig
smoketest: Extend HTTP-API tests
2023-11-16T3983: show pki certificate Doesnt show x509 certificatesJeffWDH
2023-11-16Merge pull request #2491 from sever-sever/T5747Christian Breunig
T5747: op-mode add show interfaces summary
2023-11-16T5747: op-mode add MAC and MTU for show interfaces summaryViacheslav Hletenko
Add op-mode "show interfaces summary" Add MAC, VRF and MTU options: vyos@r4# run show interfaces summary Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- dum0 203.0.113.1/32 96:44:ad:c5:a1:a5 default 1500 u/u eth0 192.168.122.14/24 52:54:00:f1:fd:77 default 1500 u/u WAN eth1 192.0.2.1/24 52:54:00:04:33:2b foo 1500 u/u LAN-eth1 eth2 - 52:54:00:40:2e:af default 1504 u/u LAN-eth2 eth3 - 52:54:00:09:a4:b4 default 1500 A/D