Age | Commit message | Author

cli: T6740: add a converter from set commands to config

Signed-off-by: Daniil Baturin <daniil@baturin.org>

pbr: T6430: Local IP rules targeting VRFs by name as well as route table IDs

* This is the `policy local-route*` part of T6430, manipulating ip rules; another PR covers firewall-backed `policy route*` for similar functionality
* Local PBR (policy local-route*) can only target table IDs up to 200 and the previous PR to extend the range was rejected
* PBR with this PR can now also target VRFs directly by name, working around targeting problems for VRF table IDs outside the overlapping 100-200 range
* Validation ensures rules can't target both a table ID and a VRF name (internally they are handled the same)
* Relocated TestPolicyRoute.verify_rules() into VyOSUnitTestSHIM.TestCase, extended to allow lookups in other address families (IPv6 in the new tests). verify_rules() is used by original pbr and new lpbr smoketests in this PR.

pki: T6481: auto import ACME certificate chain into CLI

When using an ACME based certificate with VyOS we provide the necessary PEM files opaque in the background when using the internal tools. This however will not properly work with the CA chain portion, as the system is based on the "pki certificate <name> acme" CLI node of a certificate but CA chains reside under "pki ca".

This adds support for importing the PEM data of a CA chain issued via ACME into the "pki ca AUTOCHAIN_<name> certificate" subsystem so it can be queried by other daemons. Importing the chain only happens when the chain was not already added manually by the user.

ACME certificate chains that are automatically added to the CLI are all prefixed using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds a safeguard when the intermediate CA changes: the referenced name on the CLI stays consistent for any pending daemon updates.

static: T4283: fix missing f'ormat string

This fixes the error message:
Can not use both blackhole and reject for prefix "{prefix}"!
Added in commit bb78f3a9ad28 ("static: T4283: support "reject" routes - emit an ICMP unreachable when matched")

http-api: T6736: move REST API to a node distinct from GraphQL API

The GraphQL API was implemented as an addition to the existing REST API. As there is no necessary dependency, separate the initialization of the respective endpoints. Factor out the REST Pydantic models and FastAPI routes for symmetry and clarity.

ipsec: T6101: Add validation for proposal option used in IKE group

T973: add basic node_exporter implementation

validators: T6743: use native ipaddrcheck validator options for ranges

to avoid ipaddrcheck syntax errors when values include whitespace

T6687: add fqdn support to nat rules.

Avoid duplicate entries in the list of routes when adding/deleting endpoints.

configd: T6608: report uncaught config script exceptions as commit error

In the case of config mode script exceptions other than ConfigError, vyos-configd would previously trigger the shim to re-run the script in the CLI context. The use of config dependencies requires this case to return a commit error. A traceback is returned as output, consistent with running without vyos-configd support.

bridge: T6675: VXLAN Interface configuration lost due to improper bridge detachment

op-mode: T4833: Include wireguard peer name in interface summary report

Configuration error output is not returned in full to the http-api when running under vyos-configd, due to an early implementation 'workaround' of vyos-configd writing directly to the session tty. This is corrected to return all ambient stdout (notably vyos.base.Warning) and error messages directly to the originating caller, which may be from a session tty or a ConfigSession instance. As the http-api runs in the latter case, the full output is returned.

syslog: T5367: add format option to include timezone in message

Remove the lines of code that checked if the kernel had offloading enabled and was then forcing the config to set it to "on." The behavior now mirrors the config and offloading will only be enabled if the config is explicitly set to enabled.
Note: the code is still present to disable the offloading, in the config, if the kernel doesn't support it.
Note(2): Allow the previous behavior where the offload settings get set, based on the Kernel, if the boot is a live boot.

T861: op-mode: initial parts for UEFI secure boot CLI

Support getting current system secure boot state.
In addition add optional support to list all enrolled MOK (Machine Owner Keys) in the UEFI variable store.

vyos@vyos:~$ show ver
...
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Secure Boot: enabled
...

bond: T6709: add EAPoL support

Instead of having EAPoL (Extensible Authentication Protocol over Local Area Network) support only available for ethernet interfaces, move this to common ground at vyos.ifconfig.interface making it available for all sorts of interfaces by simply including the XML portion
#include <include/interface/eapol.xml.i>

op-mode: T6682: Fix for show vpn ike sa peer that always shows all SAs