summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-08-23Merge pull request #2159 from c-po/t5491-wifiChristian Breunig
wifi: T5491: allow white-/blacklisting station MAC addresses for security
2023-08-23Merge pull request #2160 from sever-sever/T5448Christian Breunig
T5448: Add configuration host-name for zabbix-agent
2023-08-23Merge pull request #2162 from nicolas-fort/T5472Christian Breunig
T5472: nat redirect: allow redirection without defining redirected port
2023-08-23Merge pull request #2161 from sever-sever/T5463Christian Breunig
T5463: Container allow publish listen-addresses
2023-08-23bgp: T3759: add l3vpn "import vrf default" completion helperChristian Breunig
2023-08-23vrf: T5428: stop DHCP processes on VRf removalChristian Breunig
This is a workaround for the priority inversion from T5492 ("CLI node priority is not inversed on node deletion"). As this is a corner case bug that's only triggered if an interface is removed from a VRF and also the VRF is removed in one commit, priorities are not honored. Thus we implement this workaround which stop the DHCP(v6) client processes on the VRF associated interfaces to get out the DHCP RELEASE message before interfaces are shut down.
2023-08-23vrf: T5428: move helpers to common vyos.utils.network moduleChristian Breunig
Helper functions can and will be re-use din different code places.
2023-08-23Merge pull request #2142 from nicolas-fort/T5450Christian Breunig
T5450: allow inverted matcher for interface and interface-group
2023-08-23T5472: nat redirect: allow redirection without defining redirected portNicolas Fort
2023-08-23T5463: Container allow publish listen-addressesViacheslav Hletenko
Ability to publish multiple IP/IPv6 addresses for container set container name c1 port web destination '80' set container name c1 port web listen-address '192.0.2.1' set container name c1 port web listen-address '2001:db8:1111::1' set container name c1 port web source '8080' --publish 192.0.2.1:8080:80/tcp --publish [2001:db8:1111::1]:8080:80/tcp
2023-08-23T5450: update smoketest and interface definition in order to work with new ↵Nicolas Fort
firewall cli
2023-08-23T5448: Add configuration host-name for zabbix-agentViacheslav Hletenko
Ability to configure host-name for zabbix-agent set service monitoring zabbix-agent host-name 'r-vyos'
2023-08-23Merge pull request #2156 from giga1699/T5447Christian Breunig
T5447: Initial support for MACsec static keys
2023-08-22Merge pull request #2149 from nicolas-fort/T5478Viacheslav Hletenko
T5478: remove config-trap configuration parser in firewall
2023-08-20T5447: Adjust to positive logic in generare()Giga Murphy
2023-08-20T5447: Remove redundant self.set_admin_stateGiga Murphy
2023-08-20T5447: Update copyright yearsGiga Murphy
2023-08-20T5447: Corrected comment in _create headerGiga Murphy
2023-08-20T5447: Corrected comment for interface downGiga Murphy
2023-08-20T5447: Implement maintainer feedbackGiga Murphy
2023-08-20netplug: T5491: invoke DHCP helpers also on wifi interfacesChristian Breunig
2023-08-20wifi: T5491: import cleanupChristian Breunig
2023-08-20wifi: T5491: allow white-/blacklisting station MAC addresses for securityChristian Breunig
Station MAC address-based authentication means: * 'allow' accept all clients except the one on the deny list * 'deny' accept only clients listed on the accept list New CLI commands: * set interfaces wireless wlan0 security station-address mode <accept|deny> * set interfaces wireless wlan0 security station-address accept mac <mac> * set interfaces wireless wlan0 security station-address deny mac <mac>
2023-08-19wifi: T5470: improve error messageChristian Breunig
2023-08-19bgp: T5466: rename type on CLI per-nexhop -> per-nexthop for l3vpn MPLS labelsChristian Breunig
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation mode").
2023-08-18T5447: Add verification of peer rx-key lengthGiga Murphy
2023-08-18T5447: Add smoketest for MACsec static keysGiga Murphy
2023-08-18smoketest: bgp: T5466: remove trailing whitespaceChristian Breunig
Commit 77ef9f800 ("T5466: L3VPN label allocation mode") added support for a new CLI node that is added "label vpn export allocation-mode per-nexthop" to FRRs running configuration. Unfortunately the smoketest contained a trailing whitespace and the above mentioned line could not be evaluated to true.
2023-08-18login: T5490: allow . (dot) in user home-directory pathChristian Breunig
his extends commit b9655365b ("login: T5490: add stricter validation for home-directory path") by adding a dot to the REGEX allow list. This was previously allowed and covered in out smoketests which failed.
2023-08-18T5447: MACsec static tx-key validationGiga Murphy
2023-08-18T5447: Initial support for MACsec static keysGiga Murphy
2023-08-17Merge pull request #2130 from aapostoliuk/T5409-sagittaChristian Breunig
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
2023-08-17wireless: T5409: add per-client-thread CLI optionChristian Breunig
Provides a per-device control to enable/disable the threaded mode for all the napi instances of the given network device, without the need for a device up/down.
2023-08-17wireguard: T5409: rename threaded CLI not to per-client-threadChristian Breunig
Using threaded as CLI node is a very deep term used by kernel threads. To make this more understandable to users, rename the node to per-client-thread. It's also not necessary to test if any one peer is configured and probing if the option is set. There is a base test which requires at least one peer to be configured.
2023-08-17Merge pull request #2155 from sever-sever/T5488Christian Breunig
T5488: Set correct priority -300 for conntrack entries
2023-08-17login: T5490: add stricter validation for home-directory pathChristian Breunig
2023-08-17radius: T5490: add stricter validation for keyChristian Breunig
2023-08-17T5488: Set correct priority -300 for conntrack entriesViacheslav Hletenko
For conntrack ignore priority must be less then -200
2023-08-17console-server: T2490: add op-mode commands to display logChristian Breunig
2023-08-17Revert: dhcp: T5428: always release lease from default VRFChristian Breunig
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b A DHCP relese must also be originated from the VRF where the dhclient program is running, else the RELEASE message can not be send through the interface towards the DHCP server. The reason it did not work in the past was because of https://vyos.dev/T5476
2023-08-17Merge pull request #2152 from fett0/T5466Christian Breunig
T5466: L3VPN label allocation mode
2023-08-16 T5466: L3VPN label allocation modefett0
2023-08-16Merge pull request #2151 from c-po/netplug-t5476Christian Breunig
netplug: T5476: rewrite dhclient helper from Perl -> Python
2023-08-16Merge pull request #2150 from ↵John Estabrook
dmbaturin/T5271-openvpn-peer-fingerprint-restrictions T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
2023-08-16netplug: T5476: rewrite dhclient helper from Perl -> PythonChristian Breunig
There are two hooks called for bridge, ethernet and bond interfaces if the link-state changes up -> down or down -> up. The helpers are: * /etc/netplug/linkdown.d/dhclient * /etc/netplug/linkup.d/dhclient As those helpers use Linux actions to start/restart the dhclient process in Perl it's time to rewrite it. First goal is to get rid of all Perl code and the second is that we now have a Proper Python library. Instead of checking if the process is running the then restarting it without even systemd noticing (yeah we might get two processes beeing alive) we should: * Add a Python helper that can be used for both up and down (see man 8 netplugd FILES section) * Query the VyOS CLI config if the interface in question has DHCP(v6) configured and is not disabled * Add IPv6 DHCPv6 support MAN page: https://linux.die.net/man/8/netplugd
2023-08-16wireguard: T1843: add peer description CLI optionChristian Breunig
2023-08-15T5483: clean up tmp config fileJohn Estabrook
2023-08-15T5271: allow the user to specify either CA or peer fingerprintDaniil Baturin
in OpenVPN site-to-site mode
2023-08-15T5271: correct dict path in the template for OpenVPN peer fingerprintDaniil Baturin
2023-08-15T5270: generate 'dh none' unconditionally when dh-params is no presentDaniil Baturin
The condition is useless since OpenVPN simply switches to ECDH in all modes when the classic DH prime is not specified