summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-11-22vxlan: T5759: change default MTU from 1450 -> 1500 bytesChristian Breunig
Found an odd behavior on Linux and the VyOS CLI implementation. If adding VXLAN interfaces using iproute2 the MTU differs depending on the creation syntax: ip -4 link add vxlan100 type vxlan dstport 4789 external df unset tos inherit \ ttl 16 nolearning vnifilter local 172.16.33.201 ip -4 link add vxlan200 type vxlan id 200 dstport 4789 local 172.16.33.201 dev eth0 ip -6 link add vxlan300 type vxlan id 300 dstport 4789 local 2001:db8:1::1 dev eth0 132: vxlan300: <BROADCAST,MULTICAST> mtu 1430 qdisc noop state DOWN group default qlen 1000 link/ether 4e:fb:e3:f5:d9:59 brd ff:ff:ff:ff:ff:ff 133: vxlan200: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000 link/ether 0e:4e:f4:76:59:3f brd ff:ff:ff:ff:ff:ff 134: vxlan100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether ba:b6:b7:0c:b1:37 brd ff:ff:ff:ff:ff:ff VyOS always sets a default MTU of 1450 bytes which is correct for IPv4 p2p links or multicast, but invalid for IPv6 p2p. Also this will break EVPN deployments as ethernet bridges with MTU < 1500 bytes are less fun. Increase default MTU to 1500 bytes. Migrate old configurations to use 1450 bytes if not specified otherwise on the CLI. (cherry picked from commit 4a163b016333e58fee9d6ec6b53a09e0160b3213)
2023-11-22Merge pull request #2525 from vyos/mergify/bp/sagitta/pr-2499Christian Breunig
vxlan: T5753: add support for VNI filtering (backport #2499)
2023-11-22vxlan: T5753: add support for VNI filteringChristian Breunig
In a service provider network a service provider typically supports multiple bridge domains with overlapping vlans. One bridge domain per customer. Vlans in each bridge domain are mapped to globally unique VXLAN VNI ranges assigned to each customer. Without the ability of VNI filtering, we can not provide VXLAN tunnels with multiple tenants all requiring e.g. VLAN 10. To Test: set interfaces vxlan vxlan987 parameters external set interfaces vxlan vxlan987 source-interface eth0 set interfaces vxlan vxlan987 parameters vni-filter set interfaces vxlan vxlan987 vlan-to-vni 50 vni 10050 set interfaces vxlan vxlan987 vlan-to-vni 51 vni 10051 set interfaces vxlan vxlan987 vlan-to-vni 52 vni 10052 set interfaces vxlan vxlan987 vlan-to-vni 53 vni 10053 set interfaces vxlan vxlan987 vlan-to-vni 54 vni 10054 set interfaces vxlan vxlan987 vlan-to-vni 60 vni 10060 set interfaces vxlan vxlan987 vlan-to-vni 69 vni 10069 set interfaces bridge br0 member interface vxlan987 Add new op-mode command: show bridge vni Interface VNI ----------- ----------- vxlan987 10050-10054 vxlan987 10060 vxlan987 10069 (cherry picked from commit 35f6033d21053fa420e837f157cd9377a4ccd26a)
2023-11-22Merge pull request #2523 from vyos/mergify/bp/sagitta/pr-2519Viacheslav Hletenko
http: T5762: rename "virtual-host listen-port" -> "virtual-host port" (backport #2519)
2023-11-22http: T5762: rename "virtual-host listen-port" -> "virtual-host port"Christian Breunig
This complements commit f5e43b136 ("http: T5762: api: make API socket backend communication the one and only default") so we have a consistent port CLI node across VyOS components. (cherry picked from commit 0e885f1bf01424130b6876e769cc42612b19351b)
2023-11-22Merge pull request #2521 from vyos/mergify/bp/sagitta/pr-2516Daniil Baturin
T5767: HTTPS API add reboot and poweroff endpoints (backport #2516)
2023-11-22Merge pull request #2520 from vyos/mergify/bp/sagitta/pr-2518Daniil Baturin
T5770 Enable MACsec encryption stanza (backport #2518)
2023-11-22Merge pull request #2517 from nicolas-fort/T5419-FT-SagittaDaniil Baturin
T5419: firewall: backport firewall flowtable to Sagitta.
2023-11-22Merge pull request #2510 from vyos/mergify/bp/sagitta/pr-2506Daniil Baturin
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
2023-11-21T5767: HTTPS API add reboot and poweroff endpointsViacheslav Hletenko
Add ability to reboot and poweroff the system via API curl -k --location --request POST 'https://vyos/reboot' \ --form data='{"op": "reboot", "path": ["now"]}' \ --form key='apikey' curl -k --location --request POST 'https://vyos/poweroff' \ --form data='{"op": "poweroff", "path": ["now"]}' \ --form key='apikey' (cherry picked from commit 36f3c329c2df0e78f2f5da933d9729a872fb2a11)
2023-11-21smoketest: macsec: T5770: fix NameError: name 'cipher' is not definedChristian Breunig
(cherry picked from commit 02a3e26e88f0ac3c7368e288769bfed38b41df46)
2023-11-21macsec: T5770: enable iproute2 "encrypt on" stanzaGiga Murphy
(cherry picked from commit a7a90e81ad03ec33acb32beeab71dbd5f27a2044)
2023-11-21T5419: firewall: backport firewall flowtable to Sagitta.Nicolas Fort
2023-11-21Merge pull request #2512 from zdc/T5577-sagittaChristian Breunig
PAM: T5577: Backported PAM settings from circinus
2023-11-20Merge pull request #2514 from vyos/mergify/bp/sagitta/pr-2511Christian Breunig
T5763: fix imprecise check for remote file name (backport #2511)
2023-11-20Merge pull request #2515 from vyos/mergify/bp/sagitta/pr-2508Christian Breunig
http: T5762: api: make API socket backend communication the one and only default (backport #2508)
2023-11-20http: T5762: api: make API socket backend communication the one and only defaultChristian Breunig
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn backend server. https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging those failing, it was uncovered, that uvicorn only listens on IPv4 connections vyos@vyos# netstat -tulnp | grep 8080 (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN - As the CLI already has an option to move the API communication from an IP to a UNIX domain socket, the best idea is to make this the default way of communication, as we never directly talk to the API server but rather use the NGINX reverse proxy. (cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
2023-11-20T5763: fix imprecise check for remote file nameJohn Estabrook
(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)
2023-11-20init: T5577: clear mandatory and optional RADIUS/TACACS PAM settingsChristian Breunig
This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and 'optional' modes for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added 'mandatory' and 'optional' modes for TACACS+"). As those new services should also be cleaned during system boot.
2023-11-20pam: T5577: Improved PAM configs for RADIUS and TACACS+zsdc
After sources analysis, we found the next possible return statuses for PAM modules: 1. pam_tacplus Auth: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BUF_ERR - PAM_CRED_INSUFFICIENT - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Account: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Session: - PAM_AUTHINFO_UNAVAIL - PAM_SESSION_ERR - PAM_SUCCESS - PAM_USER_UNKNOWN 2. pam_radius_auth Auth: - PAM_ABORT - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN Account: - PAM_SUCCESS Session: - PAM_ABORT - PAM_AUTHINFO_UNAVAIL - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN PAM configurations were replaced with tuned versions to take this into account.
2023-11-20TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-20RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-20groups: T5577: Added `radius` and `tacacs` groupszsdc
We need separated groups for RADIUS and TACACS+ system users because they need to be used in PAM rules independently.
2023-11-20dhcp-client: T5760: add CLI option to pass user-class parameterChristian Breunig
Example: set interfaces ethernet eth0 dhcp-options user-class VyOS or set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53 (cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)
2023-11-20dhcp-client: T5760: add constraints for dhclient string optionsChristian Breunig
The string data type specifies either an NVT ASCII string enclosed in double quotes, or a series of octets specified in hexadecimal, separated by colons. For example: set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO or set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f As of now there was no input validation performed. (cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)
2023-11-20Merge pull request #2509 from c-po/pim6-frr-daemon-fixupDaniil Baturin
frr: T5733: enable pim6 daemon
2023-11-20frr: T5733: enable pim6 daemonChristian Breunig
2023-11-20Merge pull request #2505 from vyos/mergify/bp/sagitta/pr-2241Christian Breunig
T2405: add Git support to commit-archive (backport #2241)
2023-11-19config-mgmt: T4957: remove TFTP user/pass from completion helperChristian Breunig
(cherry picked from commit e92667504e0c503b7c0d125d89d8795d6b6d5876)
2023-11-19config-mgmt: T4957: T2405: add proper valueHelp strings for remote URLChristian Breunig
vyos@vyos# set system config-management commit-archive location Possible completions: uri Uniform Resource Identifier Unfortunately URI is a bit "less" specific - add proper help strings: vyos@vyos# set system config-management commit-archive location Possible completions: http://<user>:<passwd>@<host>/<path> https://<user>:<passwd>@<host>/<path> ftp://<user>:<passwd>@<host>/<path> sftp://<user>:<passwd>@<host>/<path> scp://<user>:<passwd>@<host>/<path> tftp://<user>:<passwd>@<host>/<path> git+https://<user>:<passwd>@<host>/<path> (cherry picked from commit dcb277ba0aed4a02f48572d10d3ba242942b8639)
2023-11-19T2405: add Git support to commit-archiveYun Zheng Hu
(cherry picked from commit a89243cfbfc90854a8cddd53c0ffc987f75abcee)
2023-11-19Merge pull request #2498 from nicolas-fort/T4072-sagittaChristian Breunig
T4072: firewall: backport bridge firewall to sagitta
2023-11-18Merge pull request #2502 from vyos/mergify/bp/sagitta/pr-2500Viacheslav Hletenko
T5749: Swap show interfaces and show interfaces summary (backport #2500)
2023-11-18T5749: Swap show interfaces and show interfaces summaryViacheslav Hletenko
By default show VRF, MAC, MTU for `show interfaces` The original `show interfaces` moved to `show interfacces summary` (cherry picked from commit 056885c02b8671279808c226a759de6c5356f578)
2023-11-16T4072: firewall: backport bridge firewall to sagittaNicolas Fort
2023-11-16tunnel: T3894: improve get_mac_synthetic() codeChristian Breunig
Remove stray whitespace in sed script and call Section.interfaces with vlan=False instead of a custom filter. This extends commit f19c92f25 ("tunnel: T3894: fix design when building synthetic MAC addresses") (cherry picked from commit c8ba5dccfa9b02533c6536903ecacd3ddb04351e)
2023-11-16xml: T5738: re-use "disable" building blockChristian Breunig
(cherry picked from commit 019723aaa4217403f1fcbcd636f573ea403f909c)
2023-11-16Merge pull request #2497 from vyos/mergify/bp/sagitta/pr-2495Christian Breunig
T3983: show pki certificate Doesnt show x509 certificates (backport #2495)
2023-11-16T3983: show pki certificate Doesnt show x509 certificatesJeffWDH
(cherry picked from commit 36de14913e0f4370d7c4e2828032a5378d3bba77)
2023-11-16Merge pull request #2489 from vyos/mergify/bp/sagitta/pr-2476Christian Breunig
pim(6): T5733: add missing FRR related features (backport #2476)
2023-11-16Merge pull request #2496 from vyos/mergify/bp/sagitta/pr-2481Christian Breunig
smoketest: Extend HTTP-API tests (backport #2481)
2023-11-16smoketest: Extend HTTP-API testsViacheslav Hletenko
(cherry picked from commit 15b5ede2cdd65af441be6de89b8b1df6d186f874)
2023-11-16Merge pull request #2494 from vyos/mergify/bp/sagitta/pr-2491Christian Breunig
T5747: op-mode add show interfaces summary (backport #2491)
2023-11-16T5747: op-mode add MAC and MTU for show interfaces summaryViacheslav Hletenko
Add op-mode "show interfaces summary" Add MAC, VRF and MTU options: vyos@r4# run show interfaces summary Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- dum0 203.0.113.1/32 96:44:ad:c5:a1:a5 default 1500 u/u eth0 192.168.122.14/24 52:54:00:f1:fd:77 default 1500 u/u WAN eth1 192.0.2.1/24 52:54:00:04:33:2b foo 1500 u/u LAN-eth1 eth2 - 52:54:00:40:2e:af default 1504 u/u LAN-eth2 eth3 - 52:54:00:09:a4:b4 default 1500 A/D (cherry picked from commit dc3906f04fbfe8014531e092a77c1c8c2d10dfe0)
2023-11-16Merge pull request #2493 from vyos/mergify/bp/sagitta/pr-2490Christian Breunig
op-mode: vrf: T5150: add "show vrf vni" and "show vrf <name> vni" commands (backport #2490)
2023-11-16op-mode: vrf: T5150: add "show vrf vni" and "show vrf <name> vni" commandsChristian Breunig
vyos@vyos:~$ show vrf vni VRF VNI VxLAN IF L3-SVI State Rmac blue 2000 None None Down None green 3000 None None Down None red 1000 None None Down None vyos@vyos:~$ show vrf blue vni VRF VNI VxLAN IF L3-SVI State Rmac blue 2000 None None Down None (cherry picked from commit 2fb763ffbc5c5babe552ec97c06570c54ea4aad8)
2023-11-15pim: T5733: incorporate feedback from peer reviewChristian Breunig
(cherry picked from commit 64b4cfc71d402222fd6b034336b3588b5986ba24)
2023-11-15pim6: T5733: add missing FRR PIM6 related featuresChristian Breunig
(cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c) # Conflicts: # data/templates/frr/pim6d.frr.j2 # interface-definitions/protocols-pim6.xml.in # smoketest/scripts/cli/test_protocols_pim6.py # src/conf_mode/protocols_pim6.py
2023-11-15igmp: T5736: support per interface "disable" CLI nodeChristian Breunig
(cherry picked from commit 6ce2ecb10884a4b79a7643e22596a2d03d805a91)
2023-11-15pim: T5733: fix CLI level of global PIM commandsChristian Breunig
(cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)