Age | Commit message (Collapse) | Author |
|
T6203: remove obsoleted xml lib (backport #3255)
|
|
T6188: add description to show firewall (backport #3219)
|
|
For readability in console sessions, moved the description column to only be shown in the detail view.
Changed wrapping in the detail view for description to 65 characters to prevent full line wrapping in console sessions.
(cherry picked from commit 4dba82c7517f4a93b9727d22104e4a339bad127a)
|
|
- modified: src/op_mode/firewall.py
Changed behavior of "show firewall" for specific rule to only show rule and not also default-action
(cherry picked from commit a7c5205ab12e767c6c60887033694c597e01f21b)
|
|
- Added show firewall <sections> detail paths
modified: src/op_mode/firewall.py
- Added Description as a header to normal "show firewall" commands
- Added 'detail' view which shows the output in a list key-pair format
Description column was added for these commands and their subsections:
show firewall statistics
show firewall groups
show firewall <family>
Detail view was added for these commands:
show firewall bridge forward filter detail
show firewall bridge forward filter rule <rule#> detail
show firewall bridge name <chain> detail
show firewall bridge name <chain> rule <rule#> detail
show firewall ipv4 forward filter detail
show firewall ipv4 forward filter rule <rule#> detail
show firewall ipv4 input filter detail
show firewall ipv4 input filter rule <rule#> detail
show firewall ipv4 output filter detail
show firewall ipv4 output filter rule <rule#> detail
show firewall ipv4 name <chain> detail
show firewall ipv4 name <chain> rule <rule#> detail
show firewall ipv6 forward filter detail
show firewall ipv6 forward filter rule <rule#> detail
show firewall ipv6 input filter detail
show firewall ipv6 input filter rule <rule#> detail
show firewall ipv6 output filter detail
show firewall ipv6 output filter rule <rule#> detail
show firewall ipv6 name <chain> detail
show firewall ipv6 name <chain> rule <rule#> detail
show firewall group detail
show firewall group <group> detail
(cherry picked from commit 025438ccacc654274efbd3bea8b13fcc73ae08b6)
|
|
(cherry picked from commit b2ced47bdc547ada59b37e6617422188e150282c)
|
|
(cherry picked from commit 489e6fababa60d9c0fbfdb421305cbe563432499)
# Conflicts:
# src/migration-scripts/dhcp-server/9-to-10
# src/migration-scripts/dhcpv6-server/3-to-4
|
|
(cherry picked from commit aa1fb0733f18dfb0ccdfb37df36839c6a358d8ee)
|
|
(cherry picked from commit bec23808af82b0f84e8a7707bbd56839da2c48b0)
|
|
found using "git ls-files *.py | xargs pylint | grep W0611"
(cherry picked from commit 274b2da242acd1f1f64ff1dee471e34295137c5f)
|
|
(cherry picked from commit 1f0c33c00118c42fc2796d99aff94c428f434d4a)
|
|
for every client connection
Don't show duplicate info of vtunx
show header when clints is not connected but server is configured
(cherry picked from commit 66a009f367f8bf274eac9a4d4e1f4f8911c85872)
|
|
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service"
with no additional information about a client interface at all.
This results in useless dhclient processes
root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script
root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 -
Which also assign client leases to all local interfaces, if we receive one
valid DHCPOFFER
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ----------------- ----------------- ------- ----- ----- -------------
eth0 - 00:50:56:bf:c5:6d default 1500 u/u
eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u
eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u
172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.
This commit moved the renew command to the DHCP op-mode script to properly
validate if the interface we request a renew for, has actually a dhcp address
configured. In additional this exposes the renew feature to the API.
(cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
|
|
does not show any result
|
|
The op-mode command `show conntrack table ipv4` fails if gets a
conntrack entrie with `flowtable` offload. Those entries do not
have key `timeout`
```
File "/usr/libexec/vyos/op_mode/conntrack.py", line 115, in get_formatted_output
timeout = meta['timeout']
~~~~^^^^^^^^^^^
```
Use the timeout `n/a` for those offload conntrack entries
(cherry picked from commit a75be3b6814dd39711c157c29405ee6bd83993f5)
|
|
To iterate files on ext* file systems GRUB reads their inodes one by one,
ignoring names. This breaks our configuration logic that relies on proper
loading order.
This commit adds a helper `sort_inodes()` that needs to be used whenever GRUB
configuration files are created. It recreates files, changing their inodes in a
way where inodes order matches alphabetical order.
(cherry picked from commit f74923202311e853b677e52cd83bae2be9605c26)
|
|
The current VyOS container image manipulation "delete container image" command
allows force removal of container images - even if they still have a container
running.
Drop the --force option from the op-mode script.
vyos@vyos:~$ delete container image 2636705a815a
Error: image used by 6adb0175d47f.. image is in use by a container: consider
listing external containers and force-removing image
(cherry picked from commit bfc065f2c4dcfc969981453e49b8156330674006)
|
|
container: T6060: support removing all container images at once via op-mode (backport #3046)
|
|
T5781: add ability to add additional minisign keys (backport #2633)
|
|
cpo@LR1.wue3:~$ show container image
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 3f57d9401f8d 5 weeks ago 4.5 MB
docker.io/jacobalberty/unifi v7.5 f6df690d6c67 4 months ago 827 MB
docker.io/jacobalberty/unifi v7.4 7838b75ef7b9 7 months ago 786 MB
cpo@LR1.wue3:~$ delete container image
Possible completions:
3f57d9401f8d Delete container image
7838b75ef7b9
all
f6df690d6c67
cpo@LR1.wue3:~$ delete container image all
cpo@LR1.wue3:~$ show container image
REPOSITORY TAG IMAGE ID CREATED SIZE
(cherry picked from commit 9e51a1661fac3e0d762cffdd28705e7e4bad76e9)
|
|
Updated image_installer.py to try and validate image with all
minisign public keys in /usr/share/vyos/keys/
(cherry picked from commit dfbc854157fa4655a8f459b2447df64dc74119d1)
|
|
It does not make sense to perform the "podman login" command when setting up
containers, as images are not automatically pulled in from the registry - due
to issues with the default route during startup.
The same issue manifests in "podman login" where we can not login to a registry
unless there is a default route present.
This commit changes the behavior that the container registry is part of the
configuration, but it is only referenced during "add container image" and thus
never during system boot.
(cherry picked from commit baf30d8319ef4d0f0cc4cdf0f7c12f03f8a492b6)
|
|
Fixed L-Time in 'show vpn ike sa' command
(cherry picked from commit bb6e6fc2119584df6ec571e7e9335dc509d5faeb)
|
|
After `disconnect` and `connect` connection-oriented interfaces
like PPPoE, QoS policy has to be reapplied
(cherry picked from commit ffc6dc28780f4d3e8c548f3709c7f3d17babda68)
|
|
(cherry picked from commit d80530c48a78dfeb55293494a257f6234b0ef76d)
|
|
|
|
Update op-mode for dynamic dns to standardize on `vyos.opmode`. All
methods of `op_mode/dns_dynamic.py` are now available in standardized
`op_mode/dns.py`.
Move op-mode command `update dns dynamic` to `reset dns dynamic` to
reflect that it is not an update but a reset of the dynamic dns service.
Also, make the help texts more consistent for all op-mode commands for
`dns dynamic` and `dns forwarding`.
|
|
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
|
|
appropiate commands to populate such groups using source and destination address of the packet.
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
|
|
Streamline configuration and operation of dns forwarding service in
following ways:
- Remove `dns_forwarding_reset.py` as its functionality is now covered
by `dns.py`
- Adjust function names in `dns.py` to disambiguate between DNS
forwarding and dynamic DNS
- Remove `dns_forwarding_restart.sh` as its functionality is inlined in
`dns-forwarding.xml`
- Templatize systemd override for `pdns-recursor.service` and move the
generated override files in /run. This ensures that the override files
are always generated afresh after boot
- Simplify the systemd override file by removing the redundant overrides
- Relocate configuration path for pdns-recursor to `/run/pdns-recursor`
and utilize the `RuntimeDirectory` default that pdns-recursor expects
- We do not need to use custom `--socket-dir` path anymore, the default
path (viz., `/run/pdns-recursor` is fine)
(cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)
|
|
(cherry picked from commit 119efb6d8d353482d598287f49e22aa68a22e960)
|
|
Add missing name validation in add_image, and fix typo in error msg
string.
(cherry picked from commit 0a66ba35d12f0451a88ed7cc3e3ae2ae90e38d6e)
|
|
In some cases we can get error:
```
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 173, in <module>
data = get_status(args.mode, intf)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 130, in get_status
client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 66, in get_vpn_tunnel_address
tunnel_ip = lst[0].split(',')[0]
IndexError: list index out of range
```
(cherry picked from commit 58683a2444877bb989929625ad40a7d76259075d)
|
|
|
|
|
|
|
|
|
|
cpo@LR1.wue3:~$ show ip multicast group interface eth0.201
Interface Family Address
----------- -------- ---------
eth0.201 inet 224.0.0.6
eth0.201 inet 224.0.0.5
eth0.201 inet 224.0.0.1
cpo@LR1.wue3:~$ show ipv6 multicast group interface eth0
Interface Family Address
----------- -------- -----------------
eth0 inet6 ff02::1:ff00:0
eth0 inet6 ff02::1:ffbf:c56d
eth0 inet6 ff05::2
eth0 inet6 ff01::2
eth0 inet6 ff02::2
eth0 inet6 ff02::1
eth0 inet6 ff01::1
(cherry picked from commit 3eea8dbed1bd201373eb8a452239d9565d468b33)
|
|
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
|
|
(cherry picked from commit 01b7ae796e870be90d4e448100c5e7551d9767ec)
|
|
Fix the arg for the `reboot in x` command
The current arg is `--reboot_in [Minutes ...]`
The expected arg is `--reboot-in [Minutes ...]`
(cherry picked from commit 3b27d5bc97372c01cb02d4dd0cd3b0b6fa1c3d94)
|
|
When a router does not have wireless interfaces the proper
unconfigured message must be exist
(cherry picked from commit c97955b963ecc3da9638717485fe4d2c8599565c)
|
|
GRUB defaults to 9600 in case of serial console; explicitly set to
115200.
(cherry picked from commit 70122bef58eaa0084695f89c410992f8d7c1f9f6)
|
|
(cherry picked from commit 62f10e0ec8075634e1515d6cecc822d87053bccb)
|
|
(cherry picked from commit 17a1d31299e8960d9eba528e04c418b4c1007eb2)
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)
# Conflicts:
# debian/control
|
|
(cherry picked from commit 9f66b9ccfa25f56c209d90a0ad5ad779f3963bee)
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
|
|
(cherry picked from commit 7ee9297a90625609e568394c9f5ea63e8c95a54b)
|
|
(cherry picked from commit d01aba1f5055cdaa43c8429a2c13580679ec12f7)
|