summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2023-10-08Merge pull request #2263 from Cheeze-It/currentViacheslav Hletenko
T5530: isis: Adding loop free alternate feature
2023-10-07Merge pull request #2335 from c-po/t5630-pppoe-mruDaniil Baturin
pppoe: T5630: allow to specify MRU in addition to already configurable MTU
2023-10-06T5530: isis: Adding loop free alternate featureCheeze_It
2023-10-04Revert "login: T5521: home directory owner changed during reboot"Christian Breunig
This reverts commit 64d323299586da646ca847e78255ff2cd8464578.
2023-10-03pppoe: T5630: verify MRU is less or equal then MTUChristian Breunig
2023-10-03login: T5521: home directory owner changed during rebootChristian Breunig
During system startup the system-login.py script is invoked by vyos-router systemd service. As there is no complete configuration available at this point in time - and the sole purpose of this call is to reset/re-render the system NSS/PAM configs back to default - it accidently also deleted the local useraccounts. Once the VyOS configuration got mounted, users got recreated in alphabetical order and thus UIDs flipped and the /home suddenely belonged to a different account. This commit prevents any mangling with the local userdatabase during VyOS bootup phase.
2023-09-30ddclient: T5574: Support per-service cache management for servicesIndrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient to a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider- specific options in that they are only used if defined.
2023-09-30Merge pull request #2325 from sever-sever/T5165Christian Breunig
T5165: Migrate policy local-route rule x destination to address
2023-09-30Merge pull request #2303 from indrajitr/ddclient-misc-1Christian Breunig
ddclient: T5612: Miscellaneous improvements and fixes for dynamic DNS
2023-09-29T5165: Migrate policy local-route rule x destination to addressViacheslav Hletenko
Migrate policy local-route <destination|source> to node address replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>' => 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
2023-09-29conntrack: T5376: Fixes for conntrack-sync configdepsarthurdev
Fixes `KeyError: 'conntrack_sync'` Ignore `ConfigError("ConfigError('Interface eth1 requires an IP address!')")` due to calling conntrack-sync too early
2023-09-29Merge pull request #2256 from zdc/T5577-circinusChristian Breunig
T5577: Optimized PAM configs for RADIUS/TACACS+
2023-09-28firewall: T5217: Synproxy bugfix and ct state conflict checkingsarthurdev
2023-09-28mdns: T5615: Rename avahi-daemon config fileIndrajit Raychaudhuri
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the convention used by other config files.
2023-09-28mdns: T5615: Allow controlling IP version to use for mDNS repeaterIndrajit Raychaudhuri
This commit adds a new configuration option to the mDNS repeater service to allow controlling which IP version to use for mDNS repeater. Additionally, publishing AAAA record over IPv4 and A record over IPv6 is disabled as suggested. See: - https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104 - https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
2023-09-28Merge pull request #2295 from sever-sever/T5217-synproxyChristian Breunig
T5217: Add firewall synproxy
2023-09-28Merge pull request #2304 from sarthurdev/conntrack_helpersJohn Estabrook
conntrack: T5376: T5598: Restore kernel conntrack helpers
2023-09-28Merge pull request #2305 from sarthurdev/T5606Daniil Baturin
ipsec: T5606: Add support for whole CA chains
2023-09-27T5165: Add option protocol for policy local-routeViacheslav Hletenko
Add option `protocol` for policy local-route set policy local-route rule 100 destination '192.0.2.12' set policy local-route rule 100 protocol 'tcp' set policy local-route rule 100 set table '100'
2023-09-24conntrack: T5376: Use vyos.configdep to call conntrack-syncsarthurdev
2023-09-24conntrack: T5376: T5598: Fix for kernel conntrack helperssarthurdev
`nf_conntrack_helper` that auto-assigned helpers is removed from the kernel
2023-09-24ipsec: T5606: Add support for whole CA chainssarthurdev
Also includes an update to smoketest to verify
2023-09-23ddclient: T5612: Additional refactoring for scripts and smoketestsIndrajit Raychaudhuri
Additional cleanup and refactoring for ddclient scripts including the smotektests.
2023-09-23ddclient: T5612: Enable TTL support for web-service based protocolsIndrajit Raychaudhuri
Enable TTL support for web-service based protocols in addition to RFC2136 based (nsupdate) protocol. Since TTL is not supported by all protocols, and thus cannot have a configuration default, the existing XML snippet `include/dns/time-to-live.xml.i` does not have common `<defaultValue>300</defaultValue>` anymore and is instead added explicitly whenever necessary.
2023-09-23ddclient: T5612: Improve dual stack support for dyndns2 protocolIndrajit Raychaudhuri
dyndns2 protocol in ddclient honors dual stack for selective servers because of the way it is implemented in ddclient. We formalize the well known servers that support dual stack in a list and check against it when validating the configuration.
2023-09-23ddclient: T5612: Fix VRF support for ddclient serviceIndrajit Raychaudhuri
Fix VRF support interface definition and configuration mode for ddclient to actually capture the VRF name and pass it to the template.
2023-09-21T5217: Add firewall synproxyViacheslav Hletenko
Add ability to SYNPROXY connections It is useful to protect against TCP SYN flood attacks and port-scanners set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '22' set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
2023-09-21frr: T5591: cleanup of daemons fileApachez
2023-09-20openvpn: T5269: add a deprecation warning for shared-secretDaniil Baturin
2023-09-19conntrack: firewall: T4502: Update conntrack check for new flowtable CLIsarthurdev
Also updates flowtable smoketest to verify conntrack enabled
2023-09-19firewall: ethernet: T4502: Add interface offload node and verify interface ↵sarthurdev
supports HW flowtable offload - Add required offload setting for interfaces + flowtable offload (hw-tc-offload) - Verification of interface support for hardware offloaded flowtables
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-18frr: T5239: use vyos.base.warning()Christian Breunig
2023-09-18Merge pull request #2276 from sarthurdev/conntrackViacheslav Hletenko
conntrack: T5571: Refactor conntrack using vyos.configdep
2023-09-18conntrack: T5217: Add tcp flag matching to `system conntrack ignore`sarthurdev
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i` - Update smoketest to verify TCP flag matching
2023-09-16nat: Remove deprecated kernel checksarthurdev
/usr/libexec/vyos/conf_mode/nat.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives from distutils.version import LooseVersion
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-09-15Merge pull request #2273 from sever-sever/T5586Christian Breunig
T5586: Disable by default SNMP for Keeplived VRRP service
2023-09-15Merge pull request #2185 from sever-sever/T5261-newViacheslav Hletenko
T5261: Add AWS load-balancing tunnel handler
2023-09-15T5586: Disable by default SNMP for Keeplived VRRP serviceViacheslav Hletenko
AgentX does not work stable. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured. set high-availability vrrp snmp
2023-09-15Merge pull request #2270 from indrajitr/ddclient-config-permissionChristian Breunig
ddclient: T5585: Fix file access mode for dynamic dns configuration
2023-09-15system: T5505: T5575: support calling system-ip(v6).py from init processChristian Breunig
After commit 976f82785 ("T5575: ARP/NDP table-size isnt set properly") the system bootup process got interrupted as both system-ip.py and system-ipv6.py tried to talk to FRR which was yet not started. This has been fixed by using a conditional path to only execute when FRR service has been enabled. This is safe to do as the initial commit call will has FRR service running and the path will be executed.
2023-09-14ddclient: T5585: Fix file access mode for dynamic dns configurationIndrajit Raychaudhuri
ddclient.conf file is expected to have permission 600. We need to set the permission explicitly while creating the file.
2023-09-14Merge pull request #2253 from nicolas-fort/T5561Christian Breunig
T5561: nat: inbound|outbound interface should not be mandatory
2023-09-14Merge pull request #1637 from ordex/T3214Daniil Baturin
openvpn: T3214: fix server-ipv6 and nopool handling
2023-09-14Merge pull request #2062 from vfreex/simple-fastpath-supportViacheslav Hletenko
T4502: firewall: Add software flow offload using flowtable
2023-09-13TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13T5561: nat: defining inbound|outbound interface should not be mandatory ↵Nicolas Fort
while configuring dNAT|sNAT rule
2023-09-11frr: T5239: fix process startup orderChristian Breunig
- Reuse existing utility functions to check if a boot is ongoing (boot_configuration_complete()) - Run system_frr.py script to configure FRR daemon before initial launch - Add safety net to always have FRR running on the system This does yet not solve the error in T5239 but it's a small step towards the solution.