Age         Commit message  (Author)
2023-11-21  macsec: T5770: enable iproute2 "encrypt on" stanza  (Giga Murphy)
    (cherry picked from commit a7a90e81ad03ec33acb32beeab71dbd5f27a2044)

2023-11-21  Merge pull request #2512 from zdc/T5577-sagitta  (Christian Breunig)
    PAM: T5577: Backported PAM settings from circinus

2023-11-20  Merge pull request #2514 from vyos/mergify/bp/sagitta/pr-2511  (Christian Breunig)
    T5763: fix imprecise check for remote file name (backport #2511)

2023-11-20  Merge pull request #2515 from vyos/mergify/bp/sagitta/pr-2508  (Christian Breunig)
    http: T5762: api: make API socket backend communication the one and only default (backport #2508)

2023-11-20  http: T5762: api: make API socket backend communication the one and only default  (Christian Breunig)
    Why: Smoketests fail as they cannot establish an IPv6 connection to the uvicorn backend server.

    https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging
    those failing, it was uncovered that uvicorn only listens on IPv4 connections:

        vyos@vyos# netstat -tulnp | grep 8080
        (Not all processes could be identified, non-owned process info
         will not be shown, you would have to be root to see it all.)
        tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -

    As the CLI already has an option to move the API communication from an IP to a UNIX domain
    socket, the best idea is to make this the default way of communication, as we never directly
    talk to the API server but rather use the NGINX reverse proxy.

    (cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
2023-11-20  T5763: fix imprecise check for remote file name  (John Estabrook)
    (cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)

2023-11-20  init: T5577: clear mandatory and optional RADIUS/TACACS PAM settings  (Christian Breunig)
    This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and 'optional' modes
    for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added 'mandatory' and 'optional' modes
    for TACACS+"), as those new services should also be cleaned during system boot.

2023-11-20  pam: T5577: Improved PAM configs for RADIUS and TACACS+  (zsdc)
    After source analysis, we found the following possible return statuses for PAM modules:

    1. pam_tacplus
       Auth:
       - PAM_AUTH_ERR
       - PAM_AUTHINFO_UNAVAIL
       - PAM_AUTHTOK_ERR
       - PAM_BUF_ERR
       - PAM_CRED_INSUFFICIENT
       - PAM_PERM_DENIED
       - PAM_SUCCESS
       - PAM_USER_UNKNOWN
       Account:
       - PAM_AUTH_ERR
       - PAM_AUTHINFO_UNAVAIL
       - PAM_PERM_DENIED
       - PAM_SUCCESS
       - PAM_USER_UNKNOWN
       Session:
       - PAM_AUTHINFO_UNAVAIL
       - PAM_SESSION_ERR
       - PAM_SUCCESS
       - PAM_USER_UNKNOWN

    2. pam_radius_auth
       Auth:
       - PAM_ABORT
       - PAM_AUTH_ERR
       - PAM_AUTHINFO_UNAVAIL
       - PAM_AUTHTOK_ERR
       - PAM_BAD_ITEM
       - PAM_BUF_ERR
       - PAM_CONV_AGAIN
       - PAM_CONV_ERR
       - PAM_IGNORE
       - PAM_NO_MODULE_DATA
       - PAM_PERM_DENIED
       - PAM_SUCCESS
       - PAM_SYSTEM_ERR
       - PAM_USER_UNKNOWN
       Account:
       - PAM_SUCCESS
       Session:
       - PAM_ABORT
       - PAM_AUTHINFO_UNAVAIL
       - PAM_BAD_ITEM
       - PAM_BUF_ERR
       - PAM_CONV_AGAIN
       - PAM_CONV_ERR
       - PAM_IGNORE
       - PAM_NO_MODULE_DATA
       - PAM_PERM_DENIED
       - PAM_SUCCESS
       - PAM_SYSTEM_ERR
       - PAM_USER_UNKNOWN

    PAM configurations were replaced with tuned versions to take this into account.
2023-11-20  TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+  (zsdc)
    In CLI we can choose authentication logic:
    - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access
      denied immediately.
    - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the
      next module.

    In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that
    access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is
    not available or other errors happen, it will be skipped and authentication will continue
    with the next module, like in `optional` mode.

2023-11-20  RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS  (zsdc)
    In CLI we can choose authentication logic:
    - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and
      access denied immediately.
    - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues
      using the next module.

    In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that
    access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not
    available or other errors happen, it will be skipped and authentication will continue with
    the next module, like in `optional` mode.
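The `mandatory` / `optional` distinction in the two T5577 commits above (TACACS+ and RADIUS) is
a question of how the remote AAA module's PAM return value is mapped onto a Linux-PAM control
action. The following is an added illustration by the editor, not VyOS's own PAM configuration:
it models Linux-PAM stack evaluation for the bracketed control syntax documented in pam.conf(5)
(actions ignore/ok/done/bad/die) and walks a two-module stack (remote AAA module, then
pam_unix) under both modes. The two control stanzas MANDATORY and OPTIONAL are the editor's
assumed mapping of the commit's wording, the module names are stand-ins, and the per-module
return values are constructed inputs; jumps and `reset` are deliberately not modeled.

```python
"""Model of Linux-PAM auth-stack evaluation for 'mandatory' vs 'optional' remote AAA.

Added example, not VyOS code. The control stanzas are the editor's assumption of how
the modes map onto pam.conf(5) bracketed controls; module results are constructed.
"""

# Assumed 'optional' mode: equivalent to the classic 'sufficient' keyword. A clear
# reject (auth_err / user_unknown / perm_denied) is ignored and the stack continues.
OPTIONAL = "[success=done default=ignore]"

# Assumed 'mandatory' mode: an explicit reject from the AAA server terminates the
# stack with failure (die); unreachable server or any other error is skipped (ignore).
MANDATORY = "[success=done auth_err=die perm_denied=die user_unknown=die default=ignore]"

# Classic keywords expanded to their documented bracketed equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def build_stack(aaa_control):
    """Two-line auth stack: remote AAA module first, then the local password check."""
    return [(aaa_control, "pam_radius_auth.so"),  # stand-in name, assumption
            ("required", "pam_unix.so")]


def parse_control(control):
    """Turn a control field (keyword or '[value=action ...]') into a value->action map."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"bad control field: {control}")
    table = {}
    for item in control[1:-1].split():
        value, action = item.split("=", 1)
        table[value] = action
    return table


def evaluate(stack, results):
    """Return 'allow' or 'deny' for a stack, given each module's simulated return value.

    `results` maps module name -> PAM return keyword in pam.conf(5) spelling
    (success, auth_err, authinfo_unavail, user_unknown, perm_denied, ...).
    Semantics modeled: ignore (no contribution), ok/done (success unless an earlier
    module already failed; done also stops the stack), bad/die (first failure is
    remembered; die also stops the stack).
    """
    first_failure = None
    succeeded = False
    for control, module in stack:
        table = parse_control(control)
        rv = results[module]
        action = table.get(rv, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if first_failure is None:
                succeeded = True
                if action == "done":
                    break          # remote AAA accepted: local check not consulted
        elif action in ("bad", "die"):
            if first_failure is None:
                first_failure = rv
            if action == "die":
                break              # explicit reject: stop immediately
        else:
            raise ValueError(f"unsupported action {action!r} (jumps/reset not modeled)")
    return "allow" if succeeded and first_failure is None else "deny"


if __name__ == "__main__":
    # Constructed scenarios: AAA server reply x local password validity.
    scenarios = [
        ("AAA reject, local password valid",     "auth_err",          "success"),
        ("AAA unreachable, local password valid","authinfo_unavail",  "success"),
        ("AAA accept, local password wrong",     "success",           "auth_err"),
        ("AAA unknown user, local wrong",        "user_unknown",      "auth_err"),
    ]
    for label, aaa_rv, unix_rv in scenarios:
        results = {"pam_radius_auth.so": aaa_rv, "pam_unix.so": unix_rv}
        print(f"{label:40} mandatory={evaluate(build_stack(MANDATORY), results):5} "
              f"optional={evaluate(build_stack(OPTIONAL), results)}")
```

The table the script prints is the practical check for the commit's wording: only the first
row differs between the two modes (a clear reject denies access under `mandatory` even though
the local password would have been accepted), while an unreachable server is skipped in both
modes and an accept from the server short-circuits the local check in both.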
2023-11-20  groups: T5577: Added `radius` and `tacacs` groups  (zsdc)
    We need separate groups for RADIUS and TACACS+ system users because they need to be used in
    PAM rules independently.

2023-11-20  Merge pull request #2509 from c-po/pim6-frr-daemon-fixup  (Daniil Baturin)
    frr: T5733: enable pim6 daemon

2023-11-20  frr: T5733: enable pim6 daemon  (Christian Breunig)

2023-11-20  Merge pull request #2505 from vyos/mergify/bp/sagitta/pr-2241  (Christian Breunig)
    T2405: add Git support to commit-archive (backport #2241)

2023-11-19  config-mgmt: T4957: remove TFTP user/pass from completion helper  (Christian Breunig)
    (cherry picked from commit e92667504e0c503b7c0d125d89d8795d6b6d5876)

2023-11-19  config-mgmt: T4957: T2405: add proper valueHelp strings for remote URL  (Christian Breunig)
        vyos@vyos# set system config-management commit-archive location
        Possible completions:
          uri          Uniform Resource Identifier

    Unfortunately URI is a bit "less" specific - add proper help strings:

        vyos@vyos# set system config-management commit-archive location
        Possible completions:
          http://<user>:<passwd>@<host>/<path>
          https://<user>:<passwd>@<host>/<path>
          ftp://<user>:<passwd>@<host>/<path>
          sftp://<user>:<passwd>@<host>/<path>
          scp://<user>:<passwd>@<host>/<path>
          tftp://<user>:<passwd>@<host>/<path>
          git+https://<user>:<passwd>@<host>/<path>

    (cherry picked from commit dcb277ba0aed4a02f48572d10d3ba242942b8639)
2023-11-19  T2405: add Git support to commit-archive  (Yun Zheng Hu)
    (cherry picked from commit a89243cfbfc90854a8cddd53c0ffc987f75abcee)

2023-11-19  Merge pull request #2498 from nicolas-fort/T4072-sagitta  (Christian Breunig)
    T4072: firewall: backport bridge firewall to sagitta

2023-11-18  Merge pull request #2502 from vyos/mergify/bp/sagitta/pr-2500  (Viacheslav Hletenko)
    T5749: Swap show interfaces and show interfaces summary (backport #2500)

2023-11-18  T5749: Swap show interfaces and show interfaces summary  (Viacheslav Hletenko)
    By default show VRF, MAC, MTU for `show interfaces`.
    The original `show interfaces` moved to `show interfaces summary`.

    (cherry picked from commit 056885c02b8671279808c226a759de6c5356f578)

2023-11-16  T4072: firewall: backport bridge firewall to sagitta  (Nicolas Fort)

2023-11-16  tunnel: T3894: improve get_mac_synthetic() code  (Christian Breunig)
    Remove stray whitespace in sed script and call Section.interfaces with vlan=False instead
    of a custom filter. This extends commit f19c92f25 ("tunnel: T3894: fix design when building
    synthetic MAC addresses").

    (cherry picked from commit c8ba5dccfa9b02533c6536903ecacd3ddb04351e)
2023-11-16  xml: T5738: re-use "disable" building block  (Christian Breunig)
    (cherry picked from commit 019723aaa4217403f1fcbcd636f573ea403f909c)

2023-11-16  Merge pull request #2497 from vyos/mergify/bp/sagitta/pr-2495  (Christian Breunig)
    T3983: show pki certificate Doesn't show x509 certificates (backport #2495)

2023-11-16  T3983: show pki certificate Doesn't show x509 certificates  (JeffWDH)
    (cherry picked from commit 36de14913e0f4370d7c4e2828032a5378d3bba77)

2023-11-16  Merge pull request #2489 from vyos/mergify/bp/sagitta/pr-2476  (Christian Breunig)
    pim(6): T5733: add missing FRR related features (backport #2476)

2023-11-16  Merge pull request #2496 from vyos/mergify/bp/sagitta/pr-2481  (Christian Breunig)
    smoketest: Extend HTTP-API tests (backport #2481)

2023-11-16  smoketest: Extend HTTP-API tests  (Viacheslav Hletenko)
    (cherry picked from commit 15b5ede2cdd65af441be6de89b8b1df6d186f874)

2023-11-16  Merge pull request #2494 from vyos/mergify/bp/sagitta/pr-2491  (Christian Breunig)
    T5747: op-mode add show interfaces summary (backport #2491)

2023-11-16  T5747: op-mode add MAC and MTU for show interfaces summary  (Viacheslav Hletenko)
    Add op-mode "show interfaces summary".
    Add MAC, VRF and MTU options:

        vyos@r4# run show interfaces summary
        Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
        Interface    IP Address         MAC                VRF      MTU   S/L   Description
        -----------  -----------------  -----------------  -------  ----  ----  -------------
        dum0         203.0.113.1/32     96:44:ad:c5:a1:a5  default  1500  u/u
        eth0         192.168.122.14/24  52:54:00:f1:fd:77  default  1500  u/u   WAN
        eth1         192.0.2.1/24       52:54:00:04:33:2b  foo      1500  u/u   LAN-eth1
        eth2         -                  52:54:00:40:2e:af  default  1504  u/u   LAN-eth2
        eth3         -                  52:54:00:09:a4:b4  default  1500  A/D

    (cherry picked from commit dc3906f04fbfe8014531e092a77c1c8c2d10dfe0)
2023-11-16  Merge pull request #2493 from vyos/mergify/bp/sagitta/pr-2490  (Christian Breunig)
    op-mode: vrf: T5150: add "show vrf vni" and "show vrf <name> vni" commands (backport #2490)

2023-11-16  op-mode: vrf: T5150: add "show vrf vni" and "show vrf <name> vni" commands  (Christian Breunig)
        vyos@vyos:~$ show vrf vni
        VRF    VNI   VxLAN IF  L3-SVI  State  Rmac
        blue   2000  None      None    Down   None
        green  3000  None      None    Down   None
        red    1000  None      None    Down   None

        vyos@vyos:~$ show vrf blue vni
        VRF    VNI   VxLAN IF  L3-SVI  State  Rmac
        blue   2000  None      None    Down   None

    (cherry picked from commit 2fb763ffbc5c5babe552ec97c06570c54ea4aad8)

2023-11-15  pim: T5733: incorporate feedback from peer review  (Christian Breunig)
    (cherry picked from commit 64b4cfc71d402222fd6b034336b3588b5986ba24)

2023-11-15  pim6: T5733: add missing FRR PIM6 related features  (Christian Breunig)
    (cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c)

    # Conflicts:
    #   data/templates/frr/pim6d.frr.j2
    #   interface-definitions/protocols-pim6.xml.in
    #   smoketest/scripts/cli/test_protocols_pim6.py
    #   src/conf_mode/protocols_pim6.py

2023-11-15  igmp: T5736: support per interface "disable" CLI node  (Christian Breunig)
    (cherry picked from commit 6ce2ecb10884a4b79a7643e22596a2d03d805a91)

2023-11-15  pim: T5733: fix CLI level of global PIM commands  (Christian Breunig)
    (cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)

2023-11-15  igmp: T5736: migrate "protocols igmp" to "protocols pim"  (Christian Breunig)
    IGMP and PIM are two different but related things. FRR has both combined in pimd. As we use
    get_config_dict() and FRR reload it is better to have both centrally stored under the same
    CLI node (as FRR does, too) to just "fire and forget" the commit to the daemon.

        "set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"

    (cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)
2023-11-15  pim: T5733: rename watermark-warn -> watermark-warning  (Christian Breunig)
    (cherry picked from commit 45ea9ed72ee11809f69619a40ae243df562de39f)

2023-11-15  pim: T5733: split out XML definitions to be re-used by pim6  (Christian Breunig)
    (cherry picked from commit c5e2c25f8968c0f06a9e4e992decc46a4f690868)

2023-11-15  pim: T5733: add missing FRR PIM related features  (Christian Breunig)
    Migrate CLI configuration retrieval to common get_config_dict(). In addition add new
    functionality to VyOS that is PIM related and already available in FRR.

    (cherry picked from commit 9abc02edcc237760f1f8aa1b3f08d7f4d18f866c)

    # Conflicts:
    #   python/vyos/frr.py
    #   src/op_mode/restart_frr.py

2023-11-15  Merge pull request #2487 from vyos/mergify/bp/sagitta/pr-2486  (Daniil Baturin)
    T5732: generate firewall rule-resequence drops geoip country-code fro… (backport #2486)

2023-11-15  T5732: generate firewall rule-resequence drops geoip country-code from output  (JeffWDH)
    (cherry picked from commit aa7a5131a5d1bd901ffdc7670a62bad8218147ab)
2023-11-15  Merge pull request #2474 from vyos/mergify/bp/sagitta/pr-2435  (Christian Breunig)
    mtr: T5658: Add VRF support for mtr (+ op_mode wrapper) (backport #2435)

2023-11-15  Merge pull request #2484 from vyos/mergify/bp/sagitta/pr-2479  (Christian Breunig)
    xml: T5738: add source-address-ipv4-ipv6-multi building block (backport #2479)

2023-11-15  Merge pull request #2485 from vyos/mergify/bp/sagitta/pr-2483  (Christian Breunig)
    remote: T5726: Disable the progressbar if the shell is noninteractive or the terminal is
    missing capabilities (backport #2483)

2023-11-15  Merge pull request #2478 from nicolas-fort/T5729-Sagitta  (Christian Breunig)
    T5729: firewall: multiple backports

2023-11-15  remote: T5726: Disable the progressbar if the shell is noninteractive or the terminal is missing capabilities  (erkin)
    (cherry picked from commit 59b432b97e361f3f5670302f51881ee596afe2f8)

2023-11-14  xml: T5738: add source-address-ipv4-ipv6-multi building block  (Christian Breunig)
    (cherry picked from commit dccca4307339d13e5c3ae78058194baf2fd04002)

2023-11-14  Merge pull request #2482 from vyos/mergify/bp/sagitta/pr-2475  (Christian Breunig)
    T5728: OpenVPN server replace first_host_address to vpn_gateway (backport #2475)

2023-11-14  T5728: OpenVPN server replace first_host_address to vpn_gateway  (Viacheslav Hletenko)
    Some OpenVPN clients (OpenVPN3) do not understand the address of the gateway for the pushed
    networks. This leads to the pushed routes not being installed at all. Replace
    `subnet | first_host_address` with `vpn_gateway` to fix it.

    (cherry picked from commit 480711c329a38b773bb0b8f64f0e50dfc4ea4437)