summaryrefslogtreecommitdiff
path: root/python
AgeCommit message (Collapse)Author
2024-04-02configverify: T6198: add common helper for PKI certificate validationChristian Breunig
The next evolutional step after adding get_config_dict(..., with_pki=True) is to add a common verification function for the recurring task of validating SSL certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS. (cherry picked from commit 3b758d870449e92fece9e29c791b950b332e6e65)
2024-04-02vrf: T3655: always use full nft command name (e.g. --check over -c)Christian Breunig
(cherry picked from commit 09ac2851f89f2b7d94a21c3506e46f380e961fba)
2024-04-02firewall: T2199: always use full nft command name (e.g. --file over -f)Christian Breunig
(cherry picked from commit 6e0fdbcbba39691461f791c7a68a2c6c5091d2c1)
2024-04-01dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domainsChristian Breunig
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which was present to update /etc/resolv.conf with the DHCP specified nameservers and also the search domain list was no longer present. This commit adds a per interface rendered script to inform vyos-hostsd about the received IPv6 nameservers and search domains. (cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
2024-03-31accel-ppp: T6187: use correct CPU counts adjusted for SMTDaniil Baturin
(cherry picked from commit 6927c0b622c8feaece907944bae3d4724f1e55a0)
2024-03-29Merge pull request #3196 from HollyGurza/T4718-sagittaDaniil Baturin
dhcp-server: T4718: Listen-address is not commited if the IP address is on the interface with a VRF
2024-03-28grub: T4516: correct a format stringDaniil Baturin
(cherry picked from commit 74e502c16109b8d6d197751fc63ac5a32ff44404)
2024-03-28op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interfaceChristian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 - Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- eth0 - 00:50:56:bf:c5:6d default 1500 u/u eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u 172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses. This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for, has actually a dhcp address configured. In additional this exposes the renew feature to the API. (cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
2024-03-28dhcp-server: T4718: Listen-address is not commit if the ip address is on the ↵khramshinr
interface with vrf
2024-03-24Merge pull request #3175 from vyos/mergify/bp/sagitta/pr-3151Christian Breunig
bgp: T6106: Show complete FRR output on internal errors (backport #3151)
2024-03-24Merge pull request #3163 from vyos/mergify/bp/sagitta/pr-3157Viacheslav Hletenko
vti: T6085: bring VTI interfaces up only when the IPsec tunnel is up (backport #3157)
2024-03-24Revert "ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces"Christian Breunig
This reverts commit ab30509b25d54dac99294b76ba03fd49c3d2c946. As in T6152 there seem to be some NICs that have a non working implementation of reading the EEE registers. Remove this feature in the meantime until there is a less exploding solution hindering boards to boot. Return to Kernel defaults by removing this code path. (cherry picked from commit 946f93778f15f4af9f31cd5b164efcd931693635)
2024-03-23bgp: T6106: Valid commit error for route-reflector-client option defined in ↵khramshinr
peer-group handle vtysh bgp error (cherry picked from commit 6fa72591972618f02ac1c66c084a99e006ce18f3)
2024-03-23vyos.configverify: T6131: verify_interface_exists() checks CLI interfaces, tooChristian Breunig
Extend the way how we determine if interfaces exist in VyOS. In the past we only validated if the interface in question really exists at the OS level. This has some drawbacks as services (like OSPF or OSPFv3) can also handle interfaces dynamically which appear or leaf the OS. This commit not only checks for OS interfaces but also if the interface in question was configured at the CLI level, this is proof enough to pass the check. If it does not exist at the CLI level, we continue searching it it's maybe a Kernel interface - useful for container networks. In addition we can now not only raise() an error but simply show a warning if an interface does not exist. (cherry picked from commit f7250ecf1d119f14d72f99ee379deaaae0790f0e)
2024-03-21vti: T6085: interface is always down and only enabled by IPSec daemonChristian Breunig
When a VTI interface is just created, it is in ADMIN UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected. This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected. This changes to logic so ADMIN UP/DOWN state can only be changed by the vti-up-down helper script. Error was introduced during the Perl -> Python migration and move to the generic vyos.ifconfig abstraction during the 1.4 development cycle. (cherry picked from commit 9eb018c4935235d292d7c693ac15da5761be064a)
2024-03-21bridge: T6125: support 802.1ad (ethertype 0x88a8) VLAN filteringChristian Breunig
Linux bridge uses EtherType 0x8100 by default. In some scenarios, an EtherType value of 0x88A8 is required. Reusing CLI command from VIF-S (QinQ) interfaces: set interfaces bridge br0 protocol 802.1ad (cherry picked from commit 9c9b1febff6863ccd3632a04d9e307909b3efe7a)
2024-03-20qos: T1871: add MTU option when configure limiter traffic-policykhramshinr
add mtu to default and specified class update smoke test (cherry picked from commit 84bbcdf5b7980f701aba6e158a2be4a05e7076d9)
2024-03-17T6133: append domain-name to commit-archive if definedChristian Breunig
(cherry picked from commit 4291a1a423c3cbbae9e4142575b36d6fbe1c126f)
2024-03-13grub: T4548: Fixed configuration files orderzsdc
To iterate files on ext* file systems GRUB reads their inodes one by one, ignoring names. This breaks our configuration logic that relies on proper loading order. This commit adds a helper `sort_inodes()` that needs to be used whenever GRUB configuration files are created. It recreates files, changing their inodes in a way where inodes order matches alphabetical order. (cherry picked from commit f74923202311e853b677e52cd83bae2be9605c26)
2024-03-06remote: T6104: fix logic of failure case in MissingHostKeyPolicyJohn Estabrook
(cherry picked from commit 73e215dc338c8c3a6c9b3d10c952477ba00b923b)
2024-03-06T6061: fix rule parsing when connection-status is usedNicolas Fort
(cherry picked from commit 8f2534e9654b61b7db45788bb52ac6cf8017b054)
2024-03-04T5646: Skip add filter for qos policy limiter class without matchNataliia Solomko
(cherry picked from commit 2104424c1a43dc027567e051262e1eed6506491f)
2024-03-04vyos.ethtool: T6083: use JSON input data for ethernet interface flow-control ↵Christian Breunig
settings (cherry picked from commit 5ee89f46096626ca8aac37da9237635e3d17766a)
2024-03-04vyos.ethtool: T6083: use JSON input data for ethernet driver feature detectionChristian Breunig
Feature detection is used to see if certain offload settings are available on the given NIC. (cherry picked from commit 63ccdc5125e19f8737bf1445938998bef803d1bd)
2024-03-04T6086: NAT: fix nat rules when using source-groups and translation address ↵Nicolas Fort
is a network. (cherry picked from commit a7a0c90404d03f7deccb74a46d0fe1f99116907a)
2024-03-02vyos.ethtool: T6083: use JSON input data for ring-buffer methodsChristian Breunig
(cherry picked from commit b984cf8d179cf3d4b16e7f3e5cf94f822055cb04)
2024-03-01qos: T6081: QoS policy shaper target and interval wrong calcuationsNataliia Solomko
(cherry picked from commit c7f5b510cfd117e57f2d22e259c843600ef4cc76)
2024-02-29vyos.ethtool: T6070: fix EEE reading the incorrect status lineup-n-atom
EEE enabled status is on the 2nd line of ethtool output and not the 3rd. Subsequently, reading the 3rd line was causing an out-of-bounds access for the bnx2x driver as well. (cherry picked from commit 775348a4cda34e6be16454d43c77b525e57c4e47)
2024-02-28vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is ↵sarthurdev
required (cherry picked from commit 6f7d1e15665655e37e8ca830e28d9650445c1217)
2024-02-17image-tools: T6041: fix logic of is_live_boot to allow for PXE bootJohn Estabrook
(cherry picked from commit 5949ff72a9f953da9d06d1ad75add0e6023d0dc4)
2024-02-15T6029: Rewritten Accel-PPP services to an identical feature setaapostoliuk
Removed dhcp-interface option (l2tp) Added wins-server (sstp) Added description (ipoe, pppoe, sstp, pptp) Added exteded-script (l2tp, sstp, pptp) Added shaper (ipoe, pptp, sstp, l2tp) Added limits (ipoe, pptp, sstp, l2tp) Added snmp ( ipoe, pptp,sstp, l2tp) Refactoring and reformated code. (cherry picked from commit ac6a16f6c5ad7700789759e1ec093236c2e182a2)
2024-02-13pki: T6034: add OpenSSH key supportChristian Breunig
set pki openssh rpki private key ... set pki openssh rpki public key ... set pki openssh rpki public type 'ssh-rsa' (cherry picked from commit 8c78ef0879f22ffd4a5f7fdb175e9109b46e9d7b)
2024-02-09T6028: Fix QoS policy shaper wrong class_id_max and default_minor_idViacheslav Hletenko
The `class_id_max` is wrong due to `tmp.sort` of Strings If we have class 5 and class 10 we get sorted max value 5, expected 10 ``` >>> tmp = ['5', '10'] >>> tmp.sort() >>> tmp ['10', '5'] >>> >>> hex(5+1) '0x6' >>> >>> hex(10+1) '0xb' >>> ``` This way we get wrong default maximum class value: ``` tc qdisc replace dev eth1 root handle 1: htb r2q 444 default 6 ``` Expect: ``` tc qdisc replace dev eth1 root handle 1: htb r2q 444 default b ``` Fix this converting Strings to Integers and get max value. (cherry picked from commit 2e8fa45c7f0663549edd118622b3381e7c428b2e)
2024-02-09Merge pull request #2974 from vyos/mergify/bp/sagitta/pr-2643Daniil Baturin
T5828: fix grub installation on arm64-efi machines (backport #2643)
2024-02-09T5828: fix grub installation on arm64-efi machinesMathew McBride
Since the migration of GRUB handling to vyos-1x, the grub install sequence has hardcoded references to x86. Change the GRUB sequence so it can work on arm64 as well. (cherry picked from commit 37bd574c4e1f49b03f985c4293513ff7107ae82f)
2024-02-09T5960: Rewritten authentication node in PPTP to a single viewaapostoliuk
Rewritten authentication node in accel-ppp services to a single view. In particular - PPTP authentication. (cherry picked from commit 018110200c9a82815dd5d0510f0732d7159c0d59)
2024-02-07init: T2044: only start rpki if cache is configuredChristian Breunig
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during system boot") to check the bootup configuration if an RPKI cache is defined. Only start RPKI if this is the case. (cherry picked from commit 9b8e11e078c42e3ae86ebfa45fec57336f25a0af)
2024-02-07T6021: Fix QoS shaper r2q calculationViacheslav Hletenko
The current calculation `r2q` is wrong as it uses `Floor division` but expecting `division` This way `math.ceil` calculate wrong value as we expect round a number upward to its nearest integer For example for speed 710 mbits expected value `444` but we get `443` ``` from math import ceil MAXQUANTUM = 200000 speed = 710000000 speed_bps = int(speed) // 8 >>> speed_bps // MAXQUANTUM 443 >>> speed_bps / MAXQUANTUM 443.75 >>> >>> >>> ceil(speed_bps // MAXQUANTUM) 443 >>> ceil(speed_bps / MAXQUANTUM) 444 >>> ``` (cherry picked from commit ce1035e1e8642bf740e2a21693a72fe2127b8f72)
2024-02-06image-tools: T6016: wait for umount in cleanup functionJohn Estabrook
(cherry picked from commit d80530c48a78dfeb55293494a257f6234b0ef76d)
2024-02-03configdict: T5894: preserve old behavior when dealing with PKIChristian Breunig
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki") added the generic PKI flag but if there was no PKI subsystem available in the configuration, no pki dict key ever manifested in the resulting dictionary requested by the caller. This is different to the old behavior (which each caller implementing the call itself) where there always was a pki key present - even if it was empty. This triggered a bug in the IPSec script Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module> verify(ipsec) File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify verify_pki_rsa(ipsec['pki'], rsa) ~~~~~^^^^^^^ KeyError: 'pki' As it wanted to verify keys, but there was no pki dictionary key available. This commit restores the previous behavior. (cherry picked from commit 9b56a86def674886721a367c02371f9da65c3fd3)
2024-02-02qos: T5848: Add triple-isolate option to CAKE policy configMatthew Kobayashi
(cherry picked from commit 61342083d7db8c30d015474fae5cb71f480487d8)
2024-02-02Merge pull request #2928 from vyos/mergify/bp/sagitta/pr-2891Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
2024-02-02T5971: Rewritten ppp options in accel-ppp servicesaapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP. (cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
2024-02-01T2719: Add 'update' in standard op-mode function listIndrajit Raychaudhuri
2024-02-01T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01Merge pull request #2916 from vyos/mergify/bp/sagitta/pr-2832Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
2024-02-01T5974: Fix QoS shape bandwidth and ceil calculation for defaultViacheslav Hletenko
The default `bandwidth` and `ceiling` should calculate values based on <tag> bandwidth but currently it gets the value from qos.base `/sys/class/net/{self._interface}/speed` ``` set qos policy shaper SHAPER bandwidth '20mbit' set qos policy shaper SHAPER default bandwidth '95%' set qos policy shaper SHAPER default ceiling '100%' ``` It causes wrong calculations for class `default` i.e 950Mbit for bandwidth (expected 95% of bandwidth, 19Mbit) 1Gbit for ceil (expected 100% of bandwidth, 20Mbit) Gets incorrect values ``` r4# tc class show dev eth1 class htb 1:1 root rate 20Mbit ceil 20Mbit burst 1600b cburst 1600b class htb 1:a parent 1:1 leaf 8053: prio 0 rate 200Kbit ceil 200Kbit burst 1Mb cburst 1600b class htb 1:b parent 1:1 leaf 8054: prio 7 rate 950Mbit ceil 1Gbit burst 15200b cburst 1375b ``` Fix this (cherry picked from commit 6ddfe6328e1cbdde1b70763b39e3a87f8374755a)
2024-02-01T5865: Moved ipv6 pools to named ipv6 pools in accel-pppaapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services (cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
2024-01-30Merge pull request #2888 from vyos/mergify/bp/sagitta/pr-2886John Estabrook
system-option: T5979: Add configurable kernel boot options (backport #2886)
2024-01-29remote: T5994: fix typo in check_storage for Ftp classJohn Estabrook
(cherry picked from commit 858ccb20b3e0c326fc7b7f791bd6798cf15b6b46)