| Age | Commit message (Collapse) | Author |
|---|
|
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
(cherry picked from commit b30faa43c28b592febd83a7fd3a58247de6b27bc)
|
|
T6203: remove obsoleted xml lib (backport #3255)
|
|
T6188: add description to show firewall (backport #3219)
|
|
For readability in console sessions, moved the description column to only be shown in the detail view.
Changed wrapping in the detail view for description to 65 characters to prevent full line wrapping in console sessions.
(cherry picked from commit 4dba82c7517f4a93b9727d22104e4a339bad127a)
|
|
- modified: src/op_mode/firewall.py
Changed behavior of "show firewall" for specific rule to only show rule and not also default-action
(cherry picked from commit a7c5205ab12e767c6c60887033694c597e01f21b)
|
|
- Added show firewall <sections> detail paths
modified: src/op_mode/firewall.py
- Added Description as a header to normal "show firewall" commands
- Added 'detail' view which shows the output in a list key-pair format
Description column was added for these commands and their subsections:
show firewall statistics
show firewall groups
show firewall <family>
Detail view was added for these commands:
show firewall bridge forward filter detail
show firewall bridge forward filter rule <rule#> detail
show firewall bridge name <chain> detail
show firewall bridge name <chain> rule <rule#> detail
show firewall ipv4 forward filter detail
show firewall ipv4 forward filter rule <rule#> detail
show firewall ipv4 input filter detail
show firewall ipv4 input filter rule <rule#> detail
show firewall ipv4 output filter detail
show firewall ipv4 output filter rule <rule#> detail
show firewall ipv4 name <chain> detail
show firewall ipv4 name <chain> rule <rule#> detail
show firewall ipv6 forward filter detail
show firewall ipv6 forward filter rule <rule#> detail
show firewall ipv6 input filter detail
show firewall ipv6 input filter rule <rule#> detail
show firewall ipv6 output filter detail
show firewall ipv6 output filter rule <rule#> detail
show firewall ipv6 name <chain> detail
show firewall ipv6 name <chain> rule <rule#> detail
show firewall group detail
show firewall group <group> detail
(cherry picked from commit 025438ccacc654274efbd3bea8b13fcc73ae08b6)
|
|
(cherry picked from commit b2ced47bdc547ada59b37e6617422188e150282c)
|
|
(cherry picked from commit 489e6fababa60d9c0fbfdb421305cbe563432499)
# Conflicts:
# src/migration-scripts/dhcp-server/9-to-10
# src/migration-scripts/dhcpv6-server/3-to-4
|
|
(cherry picked from commit aa1fb0733f18dfb0ccdfb37df36839c6a358d8ee)
|
|
The option "passive-interface default" was set even if it was not present in
the previous version we are migrating from. Fix migration script to handle this
with a conditional path.
(cherry picked from commit ef8d9a73335bc685084e3ff97238836e452dfa8c)
|
|
(cherry picked from commit 9b4a3bc54ec6d2ff8e435add5e2de995a54dfc6a)
|
|
(cherry picked from commit d403117cdb5e7718c8590cfeb79a336cb5b67aac)
|
|
T6199: spring cleaning - drop unused Python imports (backport #3240)
|
|
found using "git ls-files *.py | xargs pylint | grep W0611"
(cherry picked from commit 274b2da242acd1f1f64ff1dee471e34295137c5f)
|
|
* Use interface_exists() outside of verify()
* Use verify_interface_exists() in verify() to drop common error message
(cherry picked from commit 4c7c168fe970b807750a05ceb66b70c0d8652535)
|
|
<high-availability>. Also, add <mode> parameter in order to configure active-active or active-passive behavior for HA.
|
|
T6192: allow binding SSH to multiple VRF instances (backport #3229)
|
|
The next evolutional step after adding get_config_dict(..., with_pki=True) is
to add a common verification function for the recurring task of validating SSL
certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
(cherry picked from commit 3b758d870449e92fece9e29c791b950b332e6e65)
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
(cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
|
|
(cherry picked from commit 5bb27f0c6220fd940b63cdd37a60c312c0ac3efd)
|
|
(cherry picked from commit 0529371bc587e2fcdd8794061e9bb9d60c792c43)
|
|
(cherry picked from commit f1c51884fb62d3917e92af51d4219e291c7a8e74)
|
|
(cherry picked from commit 462ba67cf2e193883e33b4ce655b2b0cd1aab80f)
|
|
(cherry picked from commit f92ef7f3c86ca09775b536ca2bd9813f95cc7d3f)
|
|
(cherry picked from commit a33946630348371518247ff13ce918c208ef50d1)
|
|
(cherry picked from commit e257155aea09b906d8784cb6143d3ab27578c4a8)
|
|
(cherry picked from commit 09ac2851f89f2b7d94a21c3506e46f380e961fba)
|
|
(cherry picked from commit 6e0fdbcbba39691461f791c7a68a2c6c5091d2c1)
|
|
system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option" (backport #3223)
|
|
name-server option"
This fixes an invalid warning when using a DHCP VLAN interface to retrieve the
system nameserver to be used. VLAN CLI config is not properly expanded
leading to a false warning:
[ system name-server eth1.10 ]
WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option!
(cherry picked from commit 61e70c5500ad5b0a9d25bdee28d982644bad6461)
|
|
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which
was present to update /etc/resolv.conf with the DHCP specified nameservers and
also the search domain list was no longer present.
This commit adds a per interface rendered script to inform vyos-hostsd about
the received IPv6 nameservers and search domains.
(cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
|
|
(cherry picked from commit 320fe827b4842b0c0da1ec5fee3d41a5730334d5)
|
|
bgp: T6106: Valid commit error for route-reflector-client option defined in peer-group (backport #3213)
|
|
(cherry picked from commit 1f0c33c00118c42fc2796d99aff94c428f434d4a)
|
|
peer-group
changed exception condition
Improved route_reflector_client test
(cherry picked from commit 84f05b1dd41bea5de16d707aa77a467f8d499323)
|
|
dhcp-server: T4718: Listen-address is not commited if the IP address is on the interface with a VRF
|
|
for every client connection
Don't show duplicate info of vtunx
show header when clints is not connected but server is configured
(cherry picked from commit 66a009f367f8bf274eac9a4d4e1f4f8911c85872)
|
|
T5872: ipsec remote access VPN: support dhcp-interface. (backport #2965)
|
|
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates.
Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
(cherry picked from commit 952b1656f5164f6cfc601e040b48384859e7a222)
|
|
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
|
|
(cherry picked from commit 92012a0b3db8e93b10db4137414073f0371ed8cc)
|
|
(cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f)
|
|
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
|
|
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service"
with no additional information about a client interface at all.
This results in useless dhclient processes
root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script
root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 -
Which also assign client leases to all local interfaces, if we receive one
valid DHCPOFFER
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ----------------- ----------------- ------- ----- ----- -------------
eth0 - 00:50:56:bf:c5:6d default 1500 u/u
eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u
eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u
172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.
This commit moved the renew command to the DHCP op-mode script to properly
validate if the interface we request a renew for, has actually a dhcp address
configured. In additional this exposes the renew feature to the API.
(cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
|
|
interface with vrf
|
|
(cherry picked from commit 2ba435fa4bc8a5c9b2285fb9215ebc582bfb5fdf)
|
|
(cherry picked from commit 50e9364575481335520f50dac834c74ef02ccfab)
|
|
Users can not (FRR fails) commit the same network belonging to different OSPF
areas. Add verify() check to prevent this.
(cherry picked from commit c6d8d9c012da1a7566eec2dff70385457f073e64)
|
|
The PCEngines APU2 systems with mSATA disks tend to be very slow. This results
in a service startup error:
$ systemctl status vyos-grub-update
× vyos-grub-update.service - Update GRUB loader configuration structure
Loaded: loaded (/lib/systemd/system/vyos-grub-update.service; enabled; preset: enabled)
Active: failed (Result: timeout) since Sun 2024-03-24 08:48:10 UTC; 14min ago
Main PID: 779 (code=killed, signal=TERM)
CPU: 869ms
Mar 24 08:48:05 LR4.wue3 systemd[1]: Starting vyos-grub-update.service - Update GRUB loader configuration structure...
Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: start operation timed out. Terminating.
Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Main process exited, code=killed, status=15/TERM
Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Failed with result 'timeout'.
Mar 24 08:48:10 LR4.wue3 systemd[1]: Failed to start vyos-grub-update.service - Update GRUB loader configuration structure.
Measunring on an APU2 system after boot and memory is "hot", it still needs
almost 17 seconds to complete the job
cpo@LR4.wue3:~$ time sudo /usr/libexec/vyos/system/grub_update.py
real 0m16.803s
user 0m0.018s
sys 0m0.028s
(cherry picked from commit 5a12645cb25fb23f2195db1e2e977a69d0788d01)
|
|
vti: T6085: bring VTI interfaces up only when the IPsec tunnel is up (backport #3157)
|
