Age | Commit message | Author
2023-08-23 | vrf: T5428: stop DHCP processes on VRF removal | Christian Breunig
This is a workaround for the priority inversion from T5492 ("CLI node priority is not inversed on node deletion"). As this is a corner case bug that's only triggered if an interface is removed from a VRF and also the VRF is removed in one commit, priorities are not honored. Thus we implement this workaround which stops the DHCP(v6) client processes on the VRF associated interfaces to get out the DHCP RELEASE message before interfaces are shut down.
2023-08-23 | vrf: T5428: move helpers to common vyos.utils.network module | Christian Breunig
Helper functions can and will be re-used in different code places.
2023-08-23 | Merge pull request #2142 from nicolas-fort/T5450 | Christian Breunig
T5450: allow inverted matcher for interface and interface-group
2023-08-23 | T5450: update smoketest and interface definition in order to work with new firewall cli | Nicolas Fort
2023-08-23 | Merge pull request #2156 from giga1699/T5447 | Christian Breunig
T5447: Initial support for MACsec static keys
2023-08-22 | Merge pull request #2149 from nicolas-fort/T5478 | Viacheslav Hletenko
T5478: remove config-trap configuration parser in firewall
2023-08-20 | T5447: Adjust to positive logic in generate() | Giga Murphy
2023-08-20 | T5447: Remove redundant self.set_admin_state | Giga Murphy
2023-08-20 | T5447: Update copyright years | Giga Murphy
2023-08-20 | T5447: Corrected comment in _create header | Giga Murphy
2023-08-20 | T5447: Corrected comment for interface down | Giga Murphy
2023-08-20 | T5447: Implement maintainer feedback | Giga Murphy
2023-08-19 | wifi: T5470: improve error message | Christian Breunig
2023-08-19 | bgp: T5466: rename type on CLI per-nexhop -> per-nexthop for l3vpn MPLS labels | Christian Breunig
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation mode").
2023-08-18 | T5447: Add verification of peer rx-key length | Giga Murphy
2023-08-18 | T5447: Add smoketest for MACsec static keys | Giga Murphy
2023-08-18 | smoketest: bgp: T5466: remove trailing whitespace | Christian Breunig
Commit 77ef9f800 ("T5466: L3VPN label allocation mode") added support for a new CLI node that adds "label vpn export allocation-mode per-nexthop" to FRR's running configuration. Unfortunately the smoketest contained a trailing whitespace and the above mentioned line could not be evaluated to true.
2023-08-18 | login: T5490: allow . (dot) in user home-directory path | Christian Breunig
This extends commit b9655365b ("login: T5490: add stricter validation for home-directory path") by adding a dot to the REGEX allow list. This was previously allowed and covered in our smoketests which failed.
2023-08-18 | T5447: MACsec static tx-key validation | Giga Murphy
2023-08-18 | T5447: Initial support for MACsec static keys | Giga Murphy
2023-08-17 | Merge pull request #2130 from aapostoliuk/T5409-sagitta | Christian Breunig
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
2023-08-17 | wireless: T5409: add per-client-thread CLI option | Christian Breunig
Provides a per-device control to enable/disable the threaded mode for all the napi instances of the given network device, without the need for a device up/down.
2023-08-17 | wireguard: T5409: rename threaded CLI node to per-client-thread | Christian Breunig
Using threaded as CLI node is a very deep term used by kernel threads. To make this more understandable to users, rename the node to per-client-thread. It's also not necessary to test if any one peer is configured and probing if the option is set. There is a base test which requires at least one peer to be configured.
2023-08-17 | Merge pull request #2155 from sever-sever/T5488 | Christian Breunig
T5488: Set correct priority -300 for conntrack entries
2023-08-17 | login: T5490: add stricter validation for home-directory path | Christian Breunig
2023-08-17 | radius: T5490: add stricter validation for key | Christian Breunig
2023-08-17 | T5488: Set correct priority -300 for conntrack entries | Viacheslav Hletenko
For conntrack ignore priority must be less than -200
2023-08-17 | console-server: T2490: add op-mode commands to display log | Christian Breunig
2023-08-17 | Revert: dhcp: T5428: always release lease from default VRF | Christian Breunig
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b. A DHCP release must also be originated from the VRF where the dhclient program is running, else the RELEASE message cannot be sent through the interface towards the DHCP server. The reason it did not work in the past was because of https://vyos.dev/T5476
2023-08-17 | Merge pull request #2152 from fett0/T5466 | Christian Breunig
T5466: L3VPN label allocation mode
2023-08-16 | T5466: L3VPN label allocation mode | fett0
2023-08-16 | Merge pull request #2151 from c-po/netplug-t5476 | Christian Breunig
netplug: T5476: rewrite dhclient helper from Perl -> Python
2023-08-16 | Merge pull request #2150 from dmbaturin/T5271-openvpn-peer-fingerprint-restrictions | John Estabrook
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
2023-08-16 | netplug: T5476: rewrite dhclient helper from Perl -> Python | Christian Breunig
There are two hooks called for bridge, ethernet and bond interfaces if the link-state changes up -> down or down -> up. The helpers are:
* /etc/netplug/linkdown.d/dhclient
* /etc/netplug/linkup.d/dhclient
As those helpers use Linux actions to start/restart the dhclient process in Perl it's time to rewrite it. First goal is to get rid of all Perl code and the second is that we now have a proper Python library. Instead of checking if the process is running and then restarting it without even systemd noticing (yeah we might get two processes being alive) we should:
* Add a Python helper that can be used for both up and down (see man 8 netplugd FILES section)
* Query the VyOS CLI config if the interface in question has DHCP(v6) configured and is not disabled
* Add IPv6 DHCPv6 support
MAN page: https://linux.die.net/man/8/netplugd
2023-08-16 | wireguard: T1843: add peer description CLI option | Christian Breunig
2023-08-15 | T5483: clean up tmp config file | John Estabrook
2023-08-15 | T5271: allow the user to specify either CA or peer fingerprint | Daniil Baturin
in OpenVPN site-to-site mode
2023-08-15 | T5271: correct dict path in the template for OpenVPN peer fingerprint | Daniil Baturin
2023-08-15 | T5270: generate 'dh none' unconditionally when dh-params is not present | Daniil Baturin
The condition is useless since OpenVPN simply switches to ECDH in all modes when the classic DH prime is not specified.
2023-08-15 | T5478: remove config-trap configuration parser in firewall | Nicolas Fort
2023-08-14 | pki: T5477: use Config instead of ConfigTreeQuery for defaults | John Estabrook
2023-08-13 | smoketest: T5467: verify OSPF(v3) interface removal in VRF context | Christian Breunig
Testcases after the bugfix in commit 011697508 ("T5467: removing ospf(v3) or isis interface in VRF context did not clear FRR config"). For ISIS change in the tests - do not run self_commit() in a for loop if not really necessary, this will slow down the tests.
2023-08-13 | smoketest: openvpn: T5270: | Christian Breunig
This fixes the smoketest after the change in commit e7d7bd20b ("openvpn: T5270: do not require classic DH params in any more Generate 'dh none' instead and let OpenVPN use ECDH") ... as there is no exception raised
05:47:26 DEBUG - ======================================================================
05:47:26 DEBUG - FAIL: test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify)
05:47:26 DEBUG - ----------------------------------------------------------------------
05:47:26 DEBUG - Traceback (most recent call last):
05:47:26 DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 342, in test_openvpn_server_verify
05:47:26 DEBUG - with self.assertRaises(ConfigSessionError):
05:47:26 DEBUG - AssertionError: ConfigSessionError not raised
2023-08-12 | smoketest: T5465: add config migration test for VLAN interface | Christian Breunig
2023-08-12 | Merge pull request #2117 from zdc/T5410-sagitta | Daniil Baturin
utils: T5410: Extended supported types in `convert_data()`
2023-08-12 | T5160: fix merge regression | John Estabrook
2023-08-12 | T5467: removing ospf(v3) or isis interface in VRF context did not clear FRR config | Christian Breunig
To reproduce:
set vrf name red table 2000
set vrf name red protocols ospf interface eth1 area 0
set vrf name red protocols ospf parameters router-id 1.1.1.1
set interfaces ethernet eth1 vrf red
commit
FRR now has an interface config
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
Now delete the interface from the OSPF(v3) or ISIS process
delete vrf name red protocols ospf interface
commit
It's still there
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
!
Issue was caused in the FRR vtysh representation of an interface. It used to have a "vrf <name>" marker in earlier versions but FRR 8.5 and later no longer have the marker. So "interface eth1 vrf red" became "interface eth1" in vtysh, but our regex expected the "vrf" identifier when modifying FRR config.
2023-08-11 | ipv6: T5464: add support for per-interface dad (duplicate address detection) setting | Christian Breunig
2023-08-11 | ipv6: T5464: use proper XML default for DAD transmits | Christian Breunig
This is only a cosmetic change so that the default value is properly retrieved from the defaultValue XML node.
2023-08-11 | Merge pull request #2016 from nicolas-fort/T5160 | Christian Breunig
T5160: Firewall refactor