| Age | Commit message (Collapse) | Author |
|
execution
Replace all cmd() calls in the vyos.ifconfig library with cmdl(), passing
arguments as lists instead of interpolated strings. This eliminates a class
of command-injection risks that arise when building shell commands with
f-strings or other string formatting.
|
|
The decode argument of cmd() is never changed and thus always pointing to
utf-8, remove the code.
|
|
A list-argument variant of cmd() for safer subprocess execution named cmdl().
Command must be a list of strings; no shell interpolation is performed, which
eliminates a class of command-injection risks present when building commands
with f-strings or other string formatting.
|
|
get_wrapper() now returns [] instead of None. It makes the existing string
format usage in cmd() cleaner, as it will show just the command in debug runs
rather then "None /[path/to/cmd"
|
|
config: T8858: fix mutable default argument in config API methods
|
|
firewall: T8546: Fix conntrack_required for global state-policy
|
|
flush_ip() used flush_addr(label=iface_name) which only matches addresses
whose label equals exactly the interface name. Secondary IP addresses are
assigned with :N suffixed labels (e.g. defunct_eth0:2, defunct_eth0:3)
and are not matched, so they remain on the interface.
Fix by flushing addresses by interface index instead of label, which
removes all addresses regardless of their label.
|
|
|
|
T8923: normalize "can not" to "cannot" and other typo fixes
|
|
|
|
|
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
|
|
|
|
This is no real need to have these in config_mgmt; moving to config_sync
will localize needed modifications to local/remote configs for exclusion
mask.
|
|
Add util for commonly used retrieval of ConfigTree of the saved config.
|
|
|
|
vrf: T8936: Specify `pref 1998` when deleting fwmark routing rules on VRF removal
|
|
T8503: clean up linting errors, reformatting, and minor refactoring
|
|
remote: T8956: stop leaking URL credentials in TftpC.upload()
|
|
removal
|
|
TftpC.upload() printed `{command} "{urlstring}"` to stdout before running the
command. This was debug code from the time where VRF support was added. As TFTP
has no authentication - no credentials got leaked.
|
|
frr: T7931: Do not restart FRR on unrelated config changes when VRF protocols are configured
|
|
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
|
|
protocols are configured
FRR was restarted on every commit when VRF protocols were configured, even when no
routing-related configuration changed. Root cause: the rendering loop mutated `config_dict`
in-place by injecting a `vrf` key into each VRF protocol sub-dict, polluting `cached_config_dict`
which holds a reference to the same object, causing the equality check to always fail on the
next commit.
|
|
|
|
Prevent access to missing dictionary key by probing for availability. On removal
of inbound-interface or outbound-interface name CLI node, there was a guard
missing when accessing the CLI dictionary containing the config data.
|
|
T8454: fix VRF-bind port availability check in service_https
|
|
For use in nosetests or other, allow passing ReferenceTree from an
internal cache in a non-standard location.
|
|
|
|
|
|
|
|
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
geoip: T8590: fix initialization failure and set clobbering on boot and commit
|
|
`mmcli --simple-disconnect` can be called when the modem bearer is not active.
This causes cmd() to raise a `PermissionError` and abort the commit.
Handle the case gracefully so the configuration can be committed before the modem
is physically present or fully connected.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
(#5186)
The port availability check in `verify()` was using `front_config.get('address')`
which always resolved to `None`, causing the validator to treat any process
holding a given port number as a conflict regardless of which IP it was
bound to.
|
|
Add a check to determine whether the NIC supports hardware
timestamp receive filters required for NTP timestamping.
Implement the query in a new python/vyos/netlink/timestamp.py module
using pyroute2 generic netlink ETHTOOL_MSG_TSINFO_GET,
avoiding ethtool output parsing.
|
|
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
Historically, commit_in_progress() used psutil.process_iter() to enumerate every
process on the system and inspect open file descriptors under /proc in order to
determine whether the configuration commit lock was held. That approach scales
linearly with process count and incurs substantial overhead under load.
Replace it with the shared lock-file utilities: attempt to acquire the commit
lock using a non-blocking exclusive lock. If acquisition fails, another holder
retains the lock and a commit is considered in progress; if it succeeds, no
commit was active and the lock acquired for the probe is released immediately.
|
|
* dhcpv6: T8849: Add time-zone support for Kea DHCPv6
Add DHCPv6 option support for time zone (RFC4833 options
41 and 42). This includes both the POSIX-style TZ string
(`new-posix-timezone`) and the IANA time zone name
(`new-tzdb-timezone`).
* dhcpv6: T8849: Refactor per code-review suggestion
* dhcpv6: T8849: Reformat for compliance
|
|
T8831: smoketests: irregular PermissionError caused by systemctl stop
|
|
Failures appear during PPPoEIf.remove() -> flush_addrs() -> set_dhcpv6(False),
where disable uses self._cmd(f'systemctl stop ...'), which raises on any
non-zero exit code of cmd().
PermissionError: [Errno 1] is misleading: cmd() raises OSError(exit_code,
feedback); exit code 1 maps to PermissionError in Python 3, so logs point at
"permissions" while the real signal is systemctl stop returned 1 (job failure,
timeout, restart contention with Restart=always on dhcp6c@.service.
Add a small systemd teardown helper stop_systemd_unit() validating the return
codes from the "systemctl stop" calls.
|
|
strongSwan validation
Previously generated CRLs were missing the Authority Key Identifier and
CRL Number extensions required by strongSwan for certificate revocation
validation. Without these extensions, strongSwan silently ignores the CRL,
allowing revoked certificates to authenticate successfully.
The migration regenerates existing CRLs for all CAs that have a private
key available. CAs with passphrase-protected keys are skipped with a
warning, as the passphrase cannot be provided non-interactively
|
|
According to Kea documentation:
When a data field is a string and that string contains
the comma (`,`; U+002C) character, the comma must be escaped
with two backslashes (`\\,`; U+005C) because both the routine
splitting of CSV data into fields and JSON use the same
escape character. A single escape (`\,`) would make the JSON
invalid.
Accordingly, the pcode generated for time-zone should have
the `,` double escaped. For example, `"GMT0BST,M3.5.0/1,M10.5.0"`
should be rendered as `"GMT0BST\\,M3.5.0/1\\,M10.5.0"`.
See: https://kea.readthedocs.io/en/stable/arm/dhcp4-srv.html#standard-dhcpv4-options
|
|
Four Config class methods used `default=[]` as a parameter default. The
empty list is created once at function-definition time and shared across
all calls; any mutation of the default leaks across callers. This is
mitigated in practice by `_make_path` returning `(self._level + path)`
(which creates a fresh list via `+` rather than mutating via `.append()`),
but the defensive `default=None` + explicit guard is preserved as an
additional safeguard.
Methods touched:
- return_values
- list_nodes
- return_effective_values
- list_effective_nodes
Also document the `default` parameter in each method's docstring `Args:`
section and the corresponding `Returns:` clarifications.
|
|
|
|
A partial path is one that may or may not include intervening tag node
values. For unspecified tag node values, the matching subtree is
returned.
For example ['interfaces', 'ethernet', 'address'] will return the
subtree of the config for which ethernet tag values have defined
address.
|
|
|