summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-12-29login: T5875: restore home directory permissions when re-adding user accountChristian Breunig
After deleting a user account and working with a newly added account, we see that after rebooting in the previously saved configuration, the user is re-added but it's home directory might have an old UID set on the filesystem. This is due to the fact that vyos config does not store UIDs. When adding a user account to the system we now check if the home directory already exists and adjust the ownership to the new UID.
2023-12-29Merge pull request #2704 from c-po/template-t5869Christian Breunig
vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1
2023-12-29nat: T5681: relax wording on non existing interface Warning messageChristian Breunig
Remove the word "error" from a Warning only message to not irritate the user.
2023-12-29tests: T5869: consolidate duplicated test casesChristian Breunig
We have had duplicated test cases in test_jinja_filters.py and test_template.py, They have been consolidated into test_template.py.
2023-12-29vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1Christian Breunig
The subnet router anycast address is predefined. Its format is as follows: | n bits | 128-n bits | +------------------------------------------------+----------------+ | subnet prefix | 00000000000000 | +------------------------------------------------+----------------+ The "subnet prefix" in an anycast address is the prefix that identifies a specific link. This anycast address is syntactically the same as a unicast address for an interface on the link with the interface identifier set to zero. Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet. All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces. The Subnet-Router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers. Our code as of now returns the subnet router anycast address as the first_host_address().
2023-12-28container: T5867: disable healthchecks due to upstream issueChristian Breunig
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe https://github.com/containers/conmon/issues/438
2023-12-28container: T5829: fix base key "container" re-use in for loopChristian Breunig
2023-12-28container: T5829: verify container network used supports the given AFIChristian Breunig
2023-12-28Merge pull request #2658 from aapostoliuk/T5801-circinusChristian Breunig
T5801: Rewritten L2TP to get_config_dict
2023-12-28Merge pull request #2695 from aapostoliuk/T5842-circinusChristian Breunig
T5842: Rewritten PPTP to get_config_dict
2023-12-28Merge pull request #2650 from indrajitr/kea-reservation-fixChristian Breunig
dhcp: T3316: Support hostname, DUID and MAC address in reservation
2023-12-27T5842: Rewritten PPTP to get_config_dictaapostoliuk
Rewritten PPTP to get_config_dict Fixed 'dynamic-author' commands. These commands did not create anything in accel-ppp config.
2023-12-26firewall: T5834: Migration for 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
2023-12-26ddclient: T5144: Warn against configuration with broken IP lookup serviceIndrajit Raychaudhuri
We always enable HTTPS in ddclient configuration, however `http://checkip.dyndns.org` is HTTP only and does not support HTTPS. Warn the user if they are using this service. Also, make `url` in `web-options` mandatory.
2023-12-26Merge pull request #2686 from indrajitr/ddclient-update-20231224-01Christian Breunig
ddclient: T5144: Migrate web-options url to stricter format
2023-12-25snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"Christian Breunig
2023-12-25snmp: T5855: add GPL license headerChristian Breunig
2023-12-25ddclient: T5144: Migrate web-options url to stricter formatIndrajit Raychaudhuri
Legacy ddclient allowed arbitrary URLs in web-options, but the new has stricter validations. Apply migration to the old URLs. Also migrate checkip.dyndns.org to https://domains.google.com/checkip for better TLS support.
2023-12-24ddclient: T5791: Adjust migration to normalize underscore in config namesIndrajit Raychaudhuri
2023-12-24Merge pull request #2682 from c-po/node-changed-t5837Christian Breunig
configdict: T5837: add support to return added nodes when calling node_changed()
2023-12-24Merge pull request #2683 from c-po/snmp-T5865Viacheslav Hletenko
snmp: 5856: fix service removal error
2023-12-24snmp: 5856: fix service removal errorChristian Breunig
When deleting SNMP from CLI the 'delete' key was not honored in the config dictionary, leading to a false process startup causing the following error: Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
2023-12-24T5837: cleanup use of calls to vyos.configdict.node_changed()Christian Breunig
node_changed() will return a list of changed keys under "path". We are not always interested what changed, sometimes we are only interested if something changed at all, that what vyos.configdict.is_node_changed() is for.
2023-12-24T160: NAT64 add match firewall mark featureViacheslav Hletenko
Match mark allows to use firewall marks of packet to use a specific pool Example of instance config /run/jool/instance-100.json ``` ... "pool4": [ { "protocol": "TCP", "prefix": "192.0.2.10", "port range": "1-65535", "mark": 23 }, ... ```
2023-12-22T5840: Add override for systemd kea-ctrl-agent.serviceViacheslav Hletenko
After update KEA to 2.4.x in the bf04cd8fea44d375fb7d93d75a1f31c220730c88 there is a file that expects ConditionFileNotEmpty=/etc/kea/kea-api-password It cause the unit `kea-ctrl-agent.service` cannot start systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password) Override systemd kea-ctrl-agent.service do not check this file
2023-12-21dhcp: T3316: Apply migration for valid hostname, and identifier (DUID)Indrajit Raychaudhuri
2023-12-21dhcp: T3316: Support hostname, DUID and MAC address in reservationIndrajit Raychaudhuri
Reinstate support for hostname in DHCP reservation. Having `hostname` in allows for server-side assignment of hostname. This is useful for static lookup of hostname. Ensure that hostname is a valid FQDN (doesn't have underscore, etc.) Additionally, support using either of DUID or MAC address for reservation. While MAC address is typically used for IPv4, and DUID is typically used for IPv6, either of them can be used in IPv4 and IPv6 reservations in Kea.
2023-12-21T5781: use dynamic minisign key listKyleM
Updated image_installer.py to try and validate image with all minisign public keys in /usr/share/vyos/keys/
2023-12-21Merge pull request #2663 from c-po/srv6-part2Christian Breunig
srv6: T591: enable SR enabled packet processing on defined interfaces
2023-12-21Merge pull request #2665 from c-po/ndp-proxyChristian Breunig
T2898: add ndp-proxy service
2023-12-21dhcp: T5846: Refactor and simplify DUID definitionIndrajit Raychaudhuri
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove explicit call to a separate validator `ipv6-duid` and inline the regex into the XML definition.
2023-12-20T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } }
2023-12-20srv6: T591: enable SR enabled packet processing on defined interfacesChristian Breunig
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables: seg6_enabled - BOOL Accept or drop SR-enabled IPv6 packets on this interface. Relevant packets are those with SRH present and DA = local. 0 - disabled (default) not 0 - enabled Or the VyOS CLI command: * set protocols segment-routing interface eth0 srv6
2023-12-20vrf: T591: define sysctl setting for net.vrf.strict_modeChristian Breunig
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device. A VRF table can be used by the VyOS CLI only once (ensured by verify()), this simply adds an additional Kernel safety net, but a requirement for IPv6 segment routing headers.
2023-12-20https api: T5844: allow the server to start without API keysDaniil Baturin
and use only PAM auth and JWT
2023-12-20https api: T5844: issue a warning about the classic API unavailabilityDaniil Baturin
when no API keys are set
2023-12-20T5801: Rewritten L2TP to get_config_dictaapostoliuk
Rewritten L2TP to get_config_dict Rewritten L2TP xml to accel-ppp patterns Migrated 'idle' to 'ppp-options.lcp-echo-timeout' Migrated 'authentication.mppe' to 'ppp-options.mppe' Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author' Migrated 'authentication.require' to 'authentication.protocol' Added 'authentication.radius.acct-interim-jitter' Added 'authentication.radius.preallocate-vif' Added 'authentication.radius.server.<IP>.acct-port' Added 'ppp-options.ipv4' Added smoke-tests Fixed 'preallocate-vif' in SSTP
2023-12-17Merge pull request #2647 from indrajitr/kea-hook-fixChristian Breunig
dhcp: T3316: Adjust dhcp-run script to align with kea hooks
2023-12-17dhcp: T3316: Adjust dhcp-run script to align with kea hooksIndrajit Raychaudhuri
The hook arguments passed to `on-dhcp-event.sh` have changed in Kea. Adjust the script to align with the new arguments. Additionally, remove FQDN mangling from the script. No need to extract the domain name from `LEASE4_HOSTNAME` only to append it again. See: https://kea.readthedocs.io/en/latest/arm/hooks.html#hooks-run-script
2023-12-17dhcp: T3316: Kea DHCP and DHCPv6 fixessarthurdev
* Move Kea socket permission change on-demand and speed up conf scripts * Fix issue with DHCP reservations when no `ip-address` value
2023-12-16Merge pull request #2617 from indrajitr/ddclient-improvement-round-3-2023-12-11Christian Breunig
ddclient: T5144,T5791: Fix migration to avoid config name conflict
2023-12-15ddclient: T5791: Fix migration to normalize config name and avoid configIndrajit Raychaudhuri
Since `service dns dynamic address <address> service <service> ...` changed to `service dns dynamic name <service> address <address> ...`, the resulting service and address config flip can result in conflicting `service` name. Additionally, since dynamic DNS service name now have name constraint, we need to normalize the service name to conform with the constraint. We now migrate the service name to (service|rfc2136)-<service>-<address> to avoid the conflict and optionally append an index if there is still a name conflict after normalization.
2023-12-15Merge pull request #2639 from c-po/frr-t4020Viacheslav Hletenko
frr: T4020: add option to define number of open file descriptors
2023-12-15frr: T4020: add option to define number of open file descriptorsChristian Breunig
This allows the operator to control the number of open file descriptors each daemon is allowed to start with. The current assumed value on most operating systems is 1024. If the operator plans to run bgp with several thousands of peers then this is where we would modify FRR to allow this to happen. set system frr descriptors <n>
2023-12-14T5823: Add recursive_defaults for BGP get_config dictionaryViacheslav Hletenko
Add recursive_defaults values for BGP "get_config" dictionary.
2023-12-14Merge pull request #2627 from sever-sever/T4163Christian Breunig
T4163: Add BGP Monitoring Protocol BMP feature
2023-12-14Merge pull request #2590 from sever-sever/T5798Christian Breunig
T5798: load-balancing revese-proxy add multiple SSL certificates
2023-12-14T4163: Add BGP Monitoring Protocol BMP featureViacheslav Hletenko
Add BMP feature. BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring data from BGP routers to network management entities https://docs.frrouting.org/en/latest/bmp.html Example: set system frr bmp commit run restart bgp set protocols bgp system-as '65001' set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast set protocols bgp neighbor 192.0.2.11 remote-as '65001' set protocols bgp bmp mirror-buffer-limit '256000000' set protocols bgp bmp target foo address '127.0.0.1' set protocols bgp bmp target foo port '5000' set protocols bgp bmp target foo min-retry '1000' set protocols bgp bmp target foo max-retry '2000' set protocols bgp bmp target foo mirror set protocols bgp bmp target foo monitor ipv4-unicast post-policy set protocols bgp bmp target foo monitor ipv4-unicast pre-policy set protocols bgp bmp target foo monitor ipv6-unicast post-policy set protocols bgp bmp target foo monitor ipv6-unicast pre-policy
2023-12-14image-tools: T5825: restore authentication for add system imageJohn Estabrook
2023-12-14Merge pull request #2624 from jestabro/vrf-aware-add-imageChristian Breunig
image-tools: T5821: restore vrf-aware add system image