path: root/src/conf_mode
Age | Commit message | Author
2022-01-11 | policy: T2199: Refactor policy route script for better error handling | sarthurdev
* Migrates all policy route references from `ipv6-route` to `route6`
* Update test config `dialup-router-medium-vpn` to test migration of `ipv6-route` to `route6`
2022-01-11 | firewall: T4159: Add warning when an empty group is applied to a rule | sarthurdev
2022-01-11 | firewall: policy: T2199: Reload policy route script if `firewall group` node is changed | sarthurdev
2022-01-11 | firewall: policy: T4159: T4164: Fix empty firewall groups, create separate file for group definitions. | sarthurdev
2022-01-11 | policy: T4170: rename "policy ipv6-route" -> "policy route6" | Christian Poessinger
In order to have a consistent looking CLI we should rename this CLI node. There is:
* access-list and access-list6 (policy)
* prefix-list and prefix-list6 (policy)
* route and route6 (static routes)
2022-01-11 | containers: T2216: bugfix host networking on image upgrade | Mathew Inkson
The bug was partially fixed with this commit:
https://github.com/vyos/vyos-1x/commit/358f0b481d8620cad4954e3fe418054b9a8c3ecd
The earlier commit introduced a startup retry (up to 10 times) to allow the OS to settle before the container is started. However, it only applies if host networking is NOT used. This change applies the same for containers where host networking is employed. Since the retry portion of the code (written in the earlier commit) is now referenced twice, it has been moved to its own function.
2022-01-10 | nat: T2199: dry-run newly generated config before install | Christian Poessinger
Before installing a new conntrack policy into the OS Kernel, the new policy should be verified by nftables if it can be loaded at all or if it will fail to load. There is no need to load a "bad" configuration if we can pre-test it.
2022-01-10 | conntrack: T3579: dry-run newly generated config before install | Christian Poessinger
Before installing a new conntrack policy into the OS Kernel, the new policy should be verified by nftables if it can be loaded at all or if it will fail to load. There is no need to load a "bad" configuration if we can pre-test it.
2022-01-10 | conntrack: T3579: prepare for "conntrack timeout custom rule" CLI commands | Christian Poessinger
2022-01-10 | conntrack: T3579: migrate "conntrack ignore" tree to vyos-1x and nftables | Christian Poessinger
2022-01-10 | firewall: 4149: Fix verify steps being bypassed when base node is removed | sarthurdev
2022-01-05 | firewall: zone-policy: T4133: Prevent firewall from trying to clean-up zone-policy chains | sarthurdev
* Prevent firewall names from using the reserved VZONE prefix
2022-01-05 | Merge pull request #1136 from sarthurdev/firewall | Christian Poessinger
zone-policy: T4135: Raise error when using an invalid "from" zone.
2022-01-05 | zone-policy: T4135: Raise error when using an invalid "from" zone. | sarthurdev
2022-01-05 | Merge pull request #1134 from sarthurdev/firewall | Christian Poessinger
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
2022-01-05 | firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy | sarthurdev
2022-01-04 | Merge pull request #1121 from sever-sever/T4109 | Christian Poessinger
keepalived: T4109: Add high-availability virtual-server
2022-01-04 | keepalived: T4109: Add high-availability virtual-server | Viacheslav
Add new feature, high-availability virtual-server
Change XML, python and templates
Move vrrp to root node 'high-availability' as all logic is handled by root node 'high-availability'
2022-01-04 | Merge pull request #1130 from sarthurdev/firewall | Christian Poessinger
firewall: T4130: Fix firewall state-policy errors
2022-01-04 | firewall: T4130: Fix firewall state-policy errors | sarthurdev
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
2022-01-03 | Merge pull request #1018 from sever-sever/T3872 | Christian Poessinger
monitoring: T3872: Add a new feature service monitoring
2022-01-03 | monitoring: T3872: Add a new feature service monitoring telegraf | Viacheslav
2022-01-01 | nat: T2199: rename iptables -> nftables variable prefix | Christian Poessinger
2021-12-31 | Merge branch 'firewall' of https://github.com/sarthurdev/vyos-1x into current | Christian Poessinger
* 'firewall' of https://github.com/sarthurdev/vyos-1x:
  zone_policy: T3873: Implement intra-zone-filtering
  policy: T2199: Migrate policy route op-mode to XML/Python
  policy: T2199: Migrate policy route to XML/Python
  zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
  zone-policy: T2199: Migrate zone-policy to XML/Python
  firewall: T2199: Migrate firewall op-mode to XML/Python
  firewall: T2199: Migrate firewall to XML/Python
2021-12-30 | snmp: T4124: migrate to get_config_dict() | Christian Poessinger
2021-12-29 | configd: T4086: use 'copy' on mutable global var default_config_data | John Estabrook
2021-12-27 | snmp: T4093: add missing verify() step for required group per snmp v3 user | Christian Poessinger
2021-12-27 | conntrack-sync: T4109: Change script name for vrrp | Viacheslav
The script vrrp.py was moved to high-availability.py
As all logic is handled by root 'high-availability' node
2021-12-26 | ospfv3: T4107: add support for "default-information originate" | Christian Poessinger
2021-12-26 | ospfv3: T4108: add support for auto-cost parameter | Christian Poessinger
2021-12-26 | ospfv3: T4102: nssa area support both no-summary and default-originate | Christian Poessinger
2021-12-26 | flow-accounting: T4097: move configuration file to /run | Christian Poessinger
2021-12-26 | flow-accounting: T4097: bugfix removing service from CLI | Christian Poessinger
2021-12-26 | http: api: T4055: add VRF support | Christian Poessinger
2021-12-25 | https: T1443: remove duplicate CLI definition | Christian Poessinger
2021-12-25 | flow-accounting: T4106: support specification of capture packet length | Christian Poessinger
2021-12-25 | flow-accounting: T4105: drop "sflow agent-address auto" | Christian Poessinger
The implementation of the "auto" option to specify the sflow/netflow agent-address is very error prone. The current implementation will determine the IP address used for the "auto" value as follows:

Get BGP router-id
1) If not found use OSPF router-id
2) If not found use OSPFv3 router-id
3) If not found use "the first IP address found on the system"

Well, what is the "first IP address found"? Also this changes if DHCP is in use. Also another disadvantage is when the BGP/OSPF/OSPFv3 router-id is changed, the agent-address is not updated upon the next reboot of the system.

This task is about removing the "auto" keyword from the CLI at all and make it either entirely configurable by the user and hardcode the value in CLI, or not use this at all. If "auto" is specified we will query the system in the above order and set the proper router-id in the CLI. If none can be found the CLI node is removed.
2021-12-25 | flow-accounting: T4099: rename "netflow source-ip" to source-address | Christian Poessinger
sFlow uses the source-address CLI node and netflow uses source-ip; this is just confusing and should be synced to the common source-address CLI node.
2021-12-25 | flow-accounting: T4097: move to get_config_dict() | Christian Poessinger
2021-12-25 | ospfv3: T4102: add support for NSSA area-type | Christian Poessinger
2021-12-19 | vxlan: T3700: add support for Generic Protocol extension (VXLAN-GPE) | Christian Poessinger
2021-12-19 | T4084: dehardcode the post-login banner | Daniil Baturin
2021-12-17 | Merge pull request #1103 from zdc/T3774-sagitta | Christian Poessinger
logs: T3774: Added CLI options to control atop logs rotation
2021-12-17 | logs: T3774: Optimization for logrotate configs | zsdc
* Added proper handling of default values from CLI.
* Replaced rsyslog restart postrotate action to native `rsyslog-rotate` script.
* Removed unnecessary checks for `None` instead `dict` - with default values the situation becomes impossible.
* Fixed default value from 10 to 1 in the rsyslog CLI.
2021-12-15 | http-api: T4076: allow setting CORS option 'Access-Control-Allow-Origin' | John Estabrook
2021-12-13 | logs: T3774: Added new CLI item | zsdc
Added the ability to control the `/var/log/messages` rotation.
Renamed the option `maxsize` to `max-size`.
2021-12-13 | logs: T3774: Improved logs config rendering | zsdc
Switched to `vyos.util.dict_search()` to keep the style common with the rest of the components.
Removed config file comparison - almost the same result may be reached by removing a configuration file with each boot, we already have such a feature in the `vyos-router`.
2021-12-13 | http-api: T4071: allow API to bind to unix domain socket | John Estabrook
2021-12-12 | bgp: T3967: add support for conditional advertisement | Christian Poessinger
The BGP conditional advertisement feature uses the non-exist-map or the exist-map and the advertise-map keywords of the neighbor advertise-map command in order to track routes by the route prefix.

non-exist-map
=============
* If a route prefix is not present in the output of non-exist-map command, then advertise the route specified by the advertise-map command.
* If a route prefix is present in the output of non-exist-map command, then do not advertise the route specified by the advertise-map command.

exist-map
=========
* If a route prefix is present in the output of exist-map command, then advertise the route specified by the advertise-map command.
* If a route prefix is not present in the output of exist-map command, then do not advertise the route specified by the advertise-map command.

This feature is useful when some prefixes are advertised to one of its peers only if the information from the other peer is not present (due to failure in peering session or partial reachability etc).

The conditional BGP announcements are sent in addition to the normal announcements that a BGP router sends to its peer.

CLI nodes can be found under:
* set protocols bgp neighbor <ip> address-family <afi> conditional-advertisement
* set protocols bgp peer-group <p> address-family <afi> conditional-advertisement
2021-12-11 | T3912: migrate "Welcome to VyOS" from issue file to motd to not silently expose OS | Christian Poessinger