summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2021-08-17bgp: T3759: add l3vpn "import vrf" commandsChristian Poessinger
2021-08-17bgp: T2771: adjust verify() logic to common coding style for validationChristian Poessinger
2021-08-16conntrack: T3579: bugfix when deleting non existent iptable rulesChristian Poessinger
We only delete iptables rules if they really exist - if we try to delete a non- existing rule a PermissionError exception is thrown. We could either ignore the error code (that is what the old Vyatta code did), or we check what we are doing beforehand.
2021-08-16conntrack: T3579: remove debug print()Christian Poessinger
2021-08-16ospf: T3757: verify() bugfix for interface areaChristian Poessinger
Commit 6f87d8c9 ("ospf: T3757: support to configure area at an interface level") did not allow the old way an area and netwokr was set-up as the if expression was missing a check if 'area' was set in both the interface and the ospf process.
2021-08-15pbr: T3702: Fix incorrect splits for fwmarkViacheslav
2021-08-15ospf: T3757: support to configure area at an interface levelChristian Poessinger
FRR supports configuring either network prefixes per area, or assign an interface to an area to participate in the routing process. This is already well known from other venders and supported by FRR. A valid VyOS OSPF configuration would then look like: vyos@vyos# show protocols ospf { interface dum0 { area 0 } interface eth0.201 { area 0 authentication { md5 { key-id 10 { md5-key vyos } } } dead-interval 40 hello-interval 10 priority 1 retransmit-interval 5 transmit-delay 1 } log-adjacency-changes { detail } parameters { abr-type cisco router-id 172.18.254.201 } passive-interface default passive-interface-exclude eth0.201 }
2021-08-15Merge pull request #944 from sever-sever/T3702Christian Poessinger
pbr: T3702: Add rules match fwmark
2021-08-15conntrack: T3275: migrate 'disable' syntax to 'enable' syntax for the new ↵Lulu Cathrinus Grimalkin
default behavior
2021-08-14ospf: T3236: use proper daemon named template fileChristian Poessinger
2021-08-13vrf: T3734: T3728: vni must be configured with a higher priority then bgpdChristian Poessinger
When removing bgp (vrf) instances the assigned VRF vni must be deleted from FRR prior the removal of the bgp settings (T3734). This is now done by moving the CLI command "set vrf name red vni 1000" to a dedicated Python script with a priority higher then bgp.
2021-08-13openvpn: T3738: Disable authentication option for server modeViacheslav
2021-08-13Merge pull request #967 from sever-sever/T3708-currChristian Poessinger
isis: T3708: Fix errors in MTU calculation
2021-08-13isis: T3708: Fix errors in MTU calculationViacheslav
2021-08-12T3749: Moving some counters into the proper loopKroy
2021-08-10snmp: T3709: Allow enable oid ipCidrRouteTableViacheslav
2021-08-09ipsec: T3720: assigning vti secondary address caused interface in A/D stateChristian Poessinger
2021-08-08ipsec: l2tp: T2816: remove duplicate 3des-sha1-modp1024 proposalChristian Poessinger
2021-08-06frr: T3694: temporary disable VRF VNI assignmentChristian Poessinger
Somehow we hit a priority inversion here as we need to remove the VRF assigned VNI before we can remove a BGP bound VRF instance. Maybe move this to an individual helper script that set's up the VNI for the given VRF after any routing protocol (in our case this was triggered by running "make testc" when building an ISO image by the bgp-rpki config).
2021-08-06frr: T2175: remove no longer required loop when removing VRF VNIChristian Poessinger
This is a completing commit to a55585a833 ("frr: T2175: remove no longer required loop when removing routing protocols") that was missed out previously.
2021-08-04ipsec: T3718: fix default processing of ike dh-group proposalsChristian Poessinger
IKE dh-group defaults to 2 (modp1024).
2021-08-03isis: T1316: rename Jinja2 template to match other FRR daemonsChristian Poessinger
2021-08-02pbr: T3702: Add rules match fwmarkViacheslav
2021-08-01Merge pull request #943 from Cheeze-It/currentChristian Poessinger
isis: T3693: Adding IPv6 redistribution to ISIS
2021-07-31isis: T3693: Adding IPv6 redistribution to ISISCheeze_It
In this commit we add the ability to redistribute into ISIS for IPv6 address family.
2021-07-31bgp: vrf: T3694: cannot delete default BGP instance when VRF BGP instance existsChristian Poessinger
2021-07-30vyos.util: drop custom implementations in favor of is_systemd_service_running()Christian Poessinger
Commit f520182b ("vyos.util: add is_systemd_service_running() helper function") added a new helper function that can be used to check if a systemd service is running. Drop all custom implementations in favor of this library call.
2021-07-26ipsec: T1210: remote-access connections only work with IKEv2Christian Poessinger
2021-07-25ifconfig: T2653: obey conding styleChristian Poessinger
2021-07-25ipsec: T1210: add RADIUS authentication for remote-access IKEv2 VPNChristian Poessinger
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' set vpn ipsec remote-access connection rw authentication id '192.0.2.1' set vpn ipsec remote-access connection rw authentication server-mode 'x509' set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' set vpn ipsec remote-access connection rw esp-group 'ESP-RW' set vpn ipsec remote-access connection rw ike-group 'IKE-RW' set vpn ipsec remote-access connection rw local-address '192.0.2.1' set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' set vpn ipsec remote-access connection rw unique 'never' set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2' set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24' set vpn ipsec remote-access radius nas-identifier 'fooo' set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
2021-07-25ipsec: T1210: move DHCP server configuration unter remote-access nodeChristian Poessinger
As this is only related to remote-access, keeping it under "options" simply feels wrong.
2021-07-23frr: T2175: remove no longer required loop when removing routing protocolsChristian Poessinger
2021-07-23login: T3699: verify system username does not conflict with Linux base usersChristian Poessinger
(cherry picked from commit 7292631373ea50f9908796ef2eda32e672d1df2e)
2021-07-22ipsec: T2816: remove "auto-update" CLI optionChristian Poessinger
Update/refresh of DNS records is now handled internally by Strongswan.
2021-07-22pki: https: T3642: Migrate HTTPS to use PKI configurationsarthurdev
2021-07-21pki: openvpn: T3642: Migrate OpenVPN to PKI and refactorsarthurdev
2021-07-20pki: eapol: T3642: Migrate EAPoL to use PKI configurationsarthurdev
2021-07-20pki: sstp: T3642: Migrate SSTP to PKI configurationsarthurdev
2021-07-20pki: openconnect: T3642: Migrate OpenConnect SSL to PKI configurationsarthurdev
2021-07-19vrf: T3655: fix potential error when removing VRF connection tracking tableChristian Poessinger
This extends commit 22791e26 ("VRF: T3655: proper connection tracking for VRFs") so that when the netfilter table is removed, we first check if it exists at all, and if it does not exist we do not remove it. This fixes the smoketest error: PermissionError: [Errno 1] failed to run command: nft delete table inet vrf_zones
2021-07-19Merge pull request #929 from sarthurdev/pki_wgChristian Poessinger
pki: wireguard: T3642: Migrate Wireguard private key directly into CLI
2021-07-19pki: wireguard: T3642: Migrate Wireguard private key directly into CLIsarthurdev
Also renames peer pubkey to public-key for consistency
2021-07-19ipsec: T1210: split out pool from remote-access configurationChristian Poessinger
Remote access IP pools can now be defined at a global level and referenced in IPSec remote-access connections. To defined a pool use: set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1' set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24' set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1' set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64' A connection can then reference the pool: set vpn ipsec remote-access connection foo pool 'global-ipv4' set vpn ipsec remote-access connection foo pool 'global-ipv6'
2021-07-18ipsec: T1210: remote-access pools can not hold both IPv4 and IPv6 prefixesChristian Poessinger
... this enables a dual-stack IKEv2 VPN deployment.
2021-07-18ipsec: T2816: limit remote-access nameservers to two IPv4 and two for IPv6Christian Poessinger
2021-07-18ipsec: l2tp: T2816: use common if 'key' in dict patternChristian Poessinger
2021-07-17ipsec: T2816: add missing +x permission on Python helperChristian Poessinger
2021-07-17Merge pull request #927 from zdc/T3655-sagittaChristian Poessinger
VRF: T3655: proper connection tracking for VRFs
2021-07-17VRF: T3655: proper connection tracking for VRFszsdc
Currently, all VRFs share the same connection tracking table, which can lead to problems: - traffic leaks to a wrong VRF - improper NAT rules handling when multiple VRFs contain the same IP networks - stateful firewall rules issues The commit implements connection tracking zones support. Each VRF utilizes its own zone, so connections will never mix up. It also adds some restrictions to VRF names and assigned table numbers, because of nftables and conntrack requirements: - VRF name should always start from a letter (interfaces that start from numbers are not supported in nftables rules) - table number must be in the 100-65535 range because conntrack supports only 65535 zones
2021-07-17ipsec: T2816: restore erroneous deleted fileChristian Poessinger
Commit 22739144 ('ipsec: T2816: migrate "ipsec interfaces" to "interface"') by accident deleted the vpn_ipsec.py Python handler. Handler was restored.