summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-11-06T5541: firewall: fix ZBF template and ruleset generation for loca-zone rules.Nicolas Fort
2023-11-03Merge pull request #2429 from vyos/mergify/bp/sagitta/pr-2423Viacheslav Hletenko
T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)
2023-11-03Merge pull request #2432 from nicolas-fort/T5513-fwall-show-sagittaDaniil Baturin
T5513: firewall - op-mode command backport
2023-11-03wireguard: T5707: remove previously deconfigured peerChristian Breunig
Changing the public key of a peer (updating the key material) left the old WireGuard peer in place, as the key removal command used the new key. WireGuard only supports peer removal based on the configured public-key, by deleting the entire interface this is the shortcut instead of parsing out all peers and removing them one by one. Peer reconfiguration will always come with a short downtime while the WireGuard interface is recreated. (cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
2023-11-02T5513: opmode command show firewall - Manual backportNicolas Fort
2023-11-02T4726: Remove accel-ppp RADIUS vendor validatorsViacheslav Hletenko
The vendor name could contain Uppercase or lowercase symbols and not rely on the dictionary name but on dictionary value / # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor VENDOR Cisco 9 Another example VENDOR Alcatel-IPD 6527 This way if we use `vendor=cisco` instead of `vendor=Cisco` it will not work at all Delete vendor validators (cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)
2023-11-01T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-10-31vxlan: T5668: add CLI knob to enable ARP/ND suppressionChristian Breunig
In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions [1] that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host. In Linux, the above is implemented in the bridge driver using a per-port option called "neigh_suppress" that was added in kernel version 4.15. [1] https://www.rfc-editor.org/rfc/rfc7432#section-10 (cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
2023-10-30vxlan: T5699: migrate "external" CLI know to "parameters external"Christian Breunig
As we have a bunch of options under "paramteres" already and "external" is clearly one of them it should be migrated under that node as well. (cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
2023-10-30Merge pull request #2400 from vyos/mergify/bp/sagitta/pr-2355Viacheslav Hletenko
T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
2023-10-29op-mode: T5661: remove call to sudo in ssh.py and move it to XML definitionChristian Breunig
Try to have as few calls to sudo in the op-mode scripts as possible. The XML definitions can deal with it. (cherry picked from commit 428dee29d36cc3629990ec41afef887821886834)
2023-10-28T5661: Add show ssh dynamic-protection and show log ssh dynamic-protectionJeffWDH
2023-10-28T5653: Command to display SSH server fingerprintJeffWDH
2023-10-25T5683: Fix reverse-proxy PKI filenames mismatchViacheslav Hletenko
The current named for certificates are hardcoded in generated config to: - ca.pem - cert.pem.key - cert.pem It cause a generated config certificates and certificates itself are different (test-cert-1.pem and ca.pem) bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem /run/haproxy/ca.pem It is a bug of initial impelemtation. Fix required correct names from PKI certificates (cherry picked from commit 0431f1b32c1fc90de82adea5a7e63dad1416c340)
2023-10-25T5497: Add ability to resequence rule numbers for firewallJeffWDH
Updated spacing. (cherry picked from commit f39a35338ac967381356f8b9b499ec1d730653fc)
2023-10-25T5497: Add ability to resequence rule numbers for firewallJeffWDH
(cherry picked from commit 5180622cd6c928812a644f427d65acae763c37cc)
2023-10-24T5643: nat: add interface-groups to nat. Use same cli structure for ↵Nicolas Fort
interface-name|interface-group as in firewall. (cherry picked from commit 2f2c3fa22478c7ba2e116486d655e07df878cdf4)
2023-10-23T5677: lldp shows empty platform if descr not in lldpctl outputAdam Smith
(cherry picked from commit fca8cce1c114f28cf2db8a0fe2ed7f8b37ea010c)
2023-10-22Merge branch 'sagitta' into mergify/bp/sagitta/pr-2386Christian Breunig
2023-10-22bonding: T5254: Fixed changing ethernet when it is a bond memberaapostoliuk
If ethernet interface is a bond memeber: 1. Allow for changing only specific parameters which are specified in EthernetIf.get_bond_member_allowed_options function. 2. Added inheritable parameters from bond interface to ethernet interface which are scpecified in BondIf.get_inherit_bond_options. Users can change inheritable options under ethernet interface but in commit it will be copied from bond interface. 3. All other parameters are denied for changing. Added migration script. It deletes all denied parameters under ethernet interface if it is a bond member. (cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)
2023-10-22vxlan: T5671: warn about changed default port numberChristian Breunig
(cherry picked from commit 719a3622f35a0596ffd8a0bd28c071fdaf930153)
2023-10-22vxlan: T5671: change port to IANA assigned default portChristian Breunig
Currently VyOS VXLAN implementation uses the Linux assigned port 8472 that predates the IANA assignment. As Most other vendors use the IANA assigned port, follow this guideline and use the new default port 4789. Existing configuration not defining an explicit port number will be migrated to the old default port number of 8472, keeping existing configurations work! (cherry picked from commit 6db8d3ded19f652b99231be0d705d76b598ac72a) # Conflicts: # interface-definitions/include/version/interfaces-version.xml.i
2023-10-21Merge pull request #2388 from nicolas-fort/T5541-sagittaChristian Breunig
T5541: firewall: re-add zone-based firewall.
2023-10-20T5541: firewall: re-add zone-based firewall.Nicolas Fort
2023-10-20T5642: op-cmd: correction of generated file namesrividya0208
(cherry picked from commit cd54195d070e49aa084c325b83a71621a4011c97)
2023-10-20Merge pull request #2376 from vyos/mergify/bp/sagitta/pr-2373Daniil Baturin
T4913: migrate wireless scripts to new op-mode style (backport #2373)
2023-10-19cluster: T2897: add a migration script for converting cluster to VRRPDaniil Baturin
(cherry picked from commit 4c4c2b1f8a58398798f20c252bde80461320d330)
2023-10-18T4913: migrate wireless scripts to new op-mode styleChristian Breunig
(cherry picked from commit ed29faeea1354dc2bec544c63e55c1c666e0d900)
2023-10-18pmacct: T5232: Fixed socket parameters for trigger-packetszsdc
This fixes sending packets to uacctd using a socket. (cherry picked from commit 7a0af0d00bae9179c89155e4b2e6ce94abb29c05)
2023-10-16op-mode: T5642: 'generate tech-support archive' moved to vyos-1xaapostoliuk
'generate tech-support archive' moved to vyos-1x. Output of 'show tech-support report' command is added to archive. The default location of the archive is moved to '/tmp'. The script is rewritten to Python. (cherry picked from commit 65911b17340a7894aba973113d83ab43964bbf99)
2023-10-15Merge pull request #2356 from vyos/mergify/bp/sagitta/pr-2342Viacheslav Hletenko
T5165: Implement policy local-route source and destination port (backport #2342)
2023-10-14pmacct: T5232: Fixed pmacct service control via systemctlzsdc
pmacct daemons have one very important specific - they handle control signals in the same loop as packets. And packets waiting is blocking operation. Because of this, when systemctl sends SIGTERM to uacctd, this signal has no effect until uacct receives at least one packet via nflog. In some cases, this leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks. As a result, a working folder is not cleaned properly. This commit contains several changes to fix service issues: - add a new nftables table for pmacct with a single rule to get the ability to send a packet to nflog and unlock uacctd - remove PID file options from the uacctd and a systemd service file. Systemd can detect proper PID, and PIDfile is created by uacctd too late, which leads to extra errors in systemd logs - KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and the core process exits with status 1 because it loses connection to plugins too early. As a result, we have errors in logs, and the systemd service is in a failed state. - added logging to uacctd - systemctl service modified to send packets to specific address during a service stop which unlocks uacctd and allows systemctl to finish its work properly (cherry picked from commit e364e9813b6833f6b108e7177ef7ea2d9e7bac33)
2023-10-13Merge pull request #2350 from vyos/mergify/bp/sagitta/pr-2349Christian Breunig
T5489: Change default qdisc from 'fq' to 'fq_codel' (backport #2349)
2023-10-11T5165: Implement policy local-route source and destination portViacheslav Hletenko
Add `policy local-route` source and destination port set policy local-route rule 23 destination port '222' set policy local-route rule 23 protocol 'tcp' set policy local-route rule 23 set table '123' set policy local-route rule 23 source port '8888' % ip rule show prio 23 23: from all ipproto tcp sport 8888 dport 222 lookup 123 (cherry picked from commit ff43733074675b94ce4ead83fe63870b6cf953c5)
2023-10-10http-api: T2612: reload server within configsession for api self-configJohn Estabrook
(cherry picked from commit 93d2ea7d635c7aa5acf3000654393ea48b7c6405)
2023-10-10http-api: T2612: send response before reconfiguring api serverJohn Estabrook
(cherry picked from commit 7d597a6dca15cb592230b349ef7ef565f258cf43)
2023-10-08Change to BBR as TCP congestion control, or at least make it an config optionApachez
(cherry picked from commit ac1bd7c2f69e058f54084decbfe6b6d329df6462)
2023-10-07pppoe: T5630: verify MRU is less or equal then MTUChristian Breunig
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
2023-10-05config: T5631: save copy of config in JSON format on commitJohn Estabrook
(cherry picked from commit 27605426a4ad613f45d36e7db5b1664dc3192981)
2023-10-04login: T5521: do not call system-login.py in vyos-router initChristian Breunig
Calling system-login.py with no mounted VyOS config has the negative effect that the script will not detect any local useraccounts and thus assumes they all need to be removed from the password backend. As soon as the VyOS configuration is mounted and the CLI content is processed, system-login.py get's invoked and re-creates the before deleted user accounts. As the account names are sorted in alphabetical order, the name <-> UID mapping can get mixed up during system reboot. The intention behind calling system-login.py from vyos-router init was to reset system services (PAM, NSS) back to sane defaults with the defaults provided via system-login.py. As PAM is already reset in vyos-router startup script, /etc/nsswitch.conf was the only candidate left. This is now accomplished by simply creating a standard NSS configuration file tailored for local system accounts. This is the second revision after the first change via commit 64d32329958 ("login: T5521: home directory owner changed during reboot") got reverted. (cherry picked from commit 12069d5653034b46a47430353c3867b3678c196f)
2023-10-04Revert "login: T5521: home directory owner changed during reboot"Christian Breunig
This reverts commit 074870dad33d80e78128736f9e89bdfa1a0e08fd.
2023-10-03login: T5521: home directory owner changed during rebootChristian Breunig
During system startup the system-login.py script is invoked by vyos-router systemd service. As there is no complete configuration available at this point in time - and the sole purpose of this call is to reset/re-render the system NSS/PAM configs back to default - it accidently also deleted the local useraccounts. Once the VyOS configuration got mounted, users got recreated in alphabetical order and thus UIDs flipped and the /home suddenely belonged to a different account. This commit prevents any mangling with the local userdatabase during VyOS bootup phase. (cherry picked from commit 64d323299586da646ca847e78255ff2cd8464578)
2023-10-03T5436: Add missing preconfig-scriptApachez
(cherry picked from commit 646f08fc5a302e08aad90af3fa0ee32e138ee585)
2023-10-03login: T5628: fix spwd deprecation warningChristian Breunig
vyos@vyos:~$ show system login users Username Type Locked Tty From Last login ---------- ------ -------- ----- ------------- ------------------------ vyos vyos False pts/0 172.16.33.139 Mon Oct 2 20:42:24 2023 (cherry picked from commit 80f08af76db0ccee4d6dc1a99b6d8d90884fa33f)
2023-10-02T5165: Migrate policy local-route rule x destination to addressViacheslav Hletenko
Migrate policy local-route <destination|source> to node address replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>' => 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>' (cherry picked from commit 9f7a5f79200782f7849cab72f55a39dedf45f214)
2023-09-28mdns: T5615: Rename avahi-daemon config fileIndrajit Raychaudhuri
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the convention used by other config files. (cherry picked from commit 3a3123485f2ea7b253caa1c49f19c82a0eaa0b37)
2023-09-28mdns: T5615: Allow controlling IP version to use for mDNS repeaterIndrajit Raychaudhuri
This commit adds a new configuration option to the mDNS repeater service to allow controlling which IP version to use for mDNS repeater. Additionally, publishing AAAA record over IPv4 and A record over IPv6 is disabled as suggested. See: - https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104 - https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2 (cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)
2023-09-28T5165: Add option protocol for policy local-routeViacheslav Hletenko
Add option `protocol` for policy local-route set policy local-route rule 100 destination '192.0.2.12' set policy local-route rule 100 protocol 'tcp' set policy local-route rule 100 set table '100' (cherry picked from commit 96b8b38a3c17aa08fa964eef9141cf89f1c1d442)
2023-09-28ipsec: T5606: Add support for whole CA chainssarthurdev
Also includes an update to smoketest to verify (cherry picked from commit 1ac230548c86d3308ff5b479b79b0e64b75a0e8a)
2023-09-27conf-mode: T5412: move dependency check from smoketest to nosetestJohn Estabrook
(cherry picked from commit 12440ea1af8e60482a6a91c1cb04dcb86d7f4a68)