summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2022-09-18Merge pull request #1543 from Cheeze-It/currentChristian Poessinger
isis: T4693: Fix ISIS segment routing configurations, part deux
2022-09-18Update protocols_isis.pyCheeze_It
isis: T4693: Fix ISIS segment routing configurations This change is to fix more bugs in which ISIS segment routing was broken due to a refactor. This change also introduces a few additions to the ISIS handler for checking per prefix validations for segment value and mutual exclusivity for two options.
2022-09-17Merge pull request #1546 from nicolas-fort/fwall-jumpChristian Poessinger
T4699: Firewall: Add jump action in firewall ruleset
2022-09-17wireguard: T4702: actively revoke peer if it gets disabledChristian Poessinger
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep beeing alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly.
2022-09-17pppoe-server: T4703: combine vlan-id and vlan-range into single CLI nodeChristian Poessinger
The initial Accel-PPP PPPoE implementation used: set service pppoe-server interface <name> vlan-id <id> set service pppoe-server interface <name> vlan-range <start-stop> This is actually a duplicated CLI node.
2022-09-16Merge pull request #1463 from sever-sever/T4118Daniil Baturin
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
2022-09-16T4699: Firewall: Add jump action in firewall rulestNicolas Fort
2022-09-16ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peerViacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script
2022-09-16Merge pull request #1544 from sever-sever/T4697Christian Poessinger
policy-route: T4697: Add missing rule_id for verify_rule func
2022-09-16ocserv: T4656: use "0.0.0.0" defaultValue via XML definition"Christian Poessinger
2022-09-16ocserv: openconnect: T4656: add listen-address CLI optionDemon_H
This will set the listen-host ocserv configuration option.
2022-09-16policy-route: T4697: Add missing rule_id for verify_rule funcViacheslav Hletenko
There is a missing 'rule_id' in verify_rule() function We call it from the loop but don't provide argument 'rule_id' It cause "NameError: name 'rule_id' is not defined" Fix it
2022-09-15Merge pull request #1477 from sempervictus/feature/ocserv_groupsViacheslav Hletenko
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
2022-09-14Merge pull request #1530 from sever-sever/T4679Christian Poessinger
openvpn: T4679: Fix incorrect verify local and remote address
2022-09-14openvpn: T4679: Fix incorrect verify local and remote addressViacheslav Hletenko
In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists For example: set interfaces openvpn vtun2 local-address 2001:db8::1 set interfaces openvpn vtun2 remote-address 2001:db8::2 Check in the commit (v4loAddr == v4remAddr) <= both empty lists commit DEBUG: [] == [] or ['2001:db8::2'] == [] So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-14nhrp: T2199: Use separate table in nftables for NHRP rulessarthurdev
2022-09-13zone-policy: T2199: Migrate zone-policy to firewall nodesarthurdev
2022-09-13firewall: T4605: Rename filter tables to vyos_filtersarthurdev
2022-09-13firewall: T2199: Move initial firewall tables to datasarthurdev
2022-09-13firewall: T2199: Refactor firewall + zone-policy, move interfaces under ↵sarthurdev
firewall node * Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script
2022-09-03Merge pull request #1517 from initramfs/current-fix-bond-membersChristian Poessinger
bonding: T4668: Fix bond members not adding/interface state incorrect
2022-09-02bonding: T4668: fix live bonding member add or removeinitramfs
Fixes several bugs around bonding member interface states not matching the committed configuration, including: - Disabled removed interfaces coming back up - Newly added disabled interfaces not staying down - Newly added interfaces not showing up in the bond
2022-09-02bonding: T4668: refactor configuration mode interface bonding scriptinitramfs
Refactor interfaces-bonding.py to simplify existing code and to remove potentially bugprone sections in preparation for member add/remove fixes for T4668.
2022-09-01Merge pull request #1466 from sever-sever/T538Christian Poessinger
nat: T538: Add static NAT one-to-one
2022-09-01Merge pull request #1513 from roedie/T4665Christian Poessinger
T4665: Keepalived: Allow same VRID on interface
2022-09-01macvlan: T4663: Fix update mode for pethX interfaceViacheslav Hletenko
Fix the issue when configured pseudo-ethernet interface cannot change self mode
2022-09-01T4665: Keepalived: Allow same VRID on interfaceSander Klein
Using the same VRID on an interface is allowed as long as the address family is different (VRRPv2 vs VRRPv3)
2022-08-31nat: T538: Move nat configs to /run directoryViacheslav Hletenko
2022-08-30firewall: T4655: implement XML defaultValue for name and ipv6-nameChristian Poessinger
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix default action 'drop' for the firewall") in a way that we can now also use the XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This is a much cleaner approach which also adds the default value automatically to the CLIs completion helper ("?").
2022-08-30Merge pull request #1505 from sever-sever/T4367Christian Poessinger
nat: T4367: Move nat rules from /tmp to /run/nftables_nat.conf
2022-08-30Merge pull request #1508 from zdc/T4646-sagittaChristian Poessinger
console: T4646: Fixed USB console issues
2022-08-30console: T4646: Fixed USB console issueszsdc
* fixed the `systemctl restart` command that used a value from config instead converted to `ttyUSBX` * moved systemd units from `/etc/` to `/run/`
2022-08-29nat: T4367: Move nat rules from /tmp to /run/nftables_nat.confViacheslav Hletenko
Move nftables nat configuration from /tmp to /run As we have for other services like firewall, conntrack Don't remove the config file '/run/nftables_nat.conf' after commit
2022-08-27telegraf: T3872: replace local get_interfaces() function with ↵Christian Poessinger
Section.interface() Commit cfde4b49 ("ifconfig: T2223: add vlan switch for Section.interfaces()") added the functionality of the local get_interfaces() function to the base class so all other parts in the system can query for interface names of a given type including or excluding their vlan sub-interfaces.
2022-08-25ssh: T2185: use reload-or-restart on configuration changesChristian Poessinger
2022-08-25ntp: T2185: use reload-or-restart on configuration changesChristian Poessinger
2022-08-25telegraf: T4617: add VRF supportChristian Poessinger
2022-08-25sstp: T4644: Check SSTP bind port before commitViacheslav Hletenko
By default SSTP bind port '443' and this port can be used by another service like 'service https' or 'vpn openconnect' Check if port bound to another service
2022-08-24T4630: can not use same source-interface for macsec and pseudo-ethernetChristian Poessinger
A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface. set interfaces macsec macsec10 address '192.168.2.1/30' set interfaces macsec macsec10 security cipher 'gcm-aes-256' set interfaces macsec macsec10 security encrypt set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4' set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6' set interfaces macsec macsec10 source-interface 'eth1' commit set interfaces pseudo-ethernet peth0 source-interface eth1 commit Reuslts in FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private returned: exit code: 2 noteworthy: cmd 'ip link add peth0 link eth1 type macvlan mode private' returned (out): returned (err): RTNETLINK answers: Device or resource busy [[interfaces pseudo-ethernet peth0]] failed Commit failed
2022-08-24ipsec: T2185: use systemd to start/stop serviceChristian Poessinger
2022-08-23https: T4597: Verify bind port before apply HTTPS API serviceViacheslav Hletenko
If Nginx address/port is already binded to another service (for exampmle openconnect default port 443) https api cannot start and we don't see any error in the output. Add this check before applying service/commit
2022-08-20ocserv: T4597: Fix check bounded port by service itselfViacheslav Hletenko
We check listen port before commit service if is port available and not bounded, but when we start openconnect our own port starts be bounded by "ocserv-main" process and next commit will be fail as port is already bound To fix it, extend check if port already bonded and it is not our self process "ocserv-main"
2022-08-19ethernet: T4538: fix wrong systemd unit used for EAPoLChristian Poessinger
When MACsec was bound to an ethernet interface and the underlaying source-interface got changed (even description only) this terminated the MACsec session running on top of it. The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed lead to the fact that wpa_supplicant was always stopped when anything happened on the underlaying source-interface that was not related to EAPoL.
2022-08-18T3896: Drop cserv local user req, add groupconfigRageLtMan
From ocserv documentation: ``` If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius. That also includes the Acct-Interim-Interval, and Session-Timeout values. ``` Implement yes/no configuration and parameter handling during jinja rendering. Fix bug wherein openconnect-server configuration requires creation of local user accounts even when RADIUS authentication is used. Testing: Set the groupconfig=yes param and observed change in generated /run/ocserv/ocserv.conf. Removed the local users via `delete vpn openconnect authentication local-users` and observed commit & service operation
2022-08-17nat: T538: Add static NAT one-to-oneViacheslav Hletenko
Ability to set static NAT (one-to-one) in one rule set nat static rule 10 destination address '203.0.113.0/24' set nat static rule 10 inbound-interface 'eth0' set nat static rule 10 translation address '192.0.2.0/24' It will be enough for PREROUTING and POSTROUTING rules Use a separate table 'vyos_static_nat' as SRC/DST rules and STATIC rules can have the same rule number
2022-08-16Merge pull request #1475 from sever-sever/T4613Christian Poessinger
upnp: T4613: Verify listen key in dictionary
2022-08-16upnp: T4613: Verify listen key in dictionaryViacheslav Hletenko
There is no check if 'listen' is exist in the dictionary, fix it Fix odd ValueHelp format
2022-08-16T4619: Replacing instead of adding a static arp entryDaniilHarun
2022-08-08Merge pull request #1461 from nicolas-fort/nat66-excludeChristian Poessinger
nat66: T4598: Add exclude options in nat66
2022-08-05nat66: T4598: Add exclude options in nat66Nicolas Fort