| Age | Commit message (Collapse) | Author |
|---|
|
T6362: Create conntrack logger daemon
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
This patch on #3616 will only attempt to fix ipsec matches in rules if the
firewall config tree passed to migrate_chain() has rules attached.
|
|
Strongswan does not initiate session after termination via vici.
Added an CHILD SAs initialization on the initiator side
of the tunnel.
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
|
|
|
|
|
|
iifname/oifname
When any of the following features NAT, NAT66 or Firewall is enabled, for every
VRF on the CLI we install one rule into nftables for conntrack:
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}
This is superfluous.
|
|
|
|
|
|
|
|
vrf: T6602: verify supplied VRF name on all interface types
|
|
op_mode: T6596: pppoe operation command failed
|
|
system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by TuneD
|
|
|
|
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF
actually exists. If this is not validated, one can pass an invalid VRF to the
system which generates an OSError exception.
To reproduce
set interfaces vxlan vxlan1 vni 1000
set interfaces vxlan vxlan1 remote 1.2.3.4
set interfaces vxlan vxlan1 vrf smoketest
results in
OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt
This commit adds the missing verify_vrf() call to the missing interface types
and an appropriate smoketest for all interfaces supporting VRF assignment.
|
|
by TuneD
|
|
T6589: Return a dict when querying information about a single interface
|
|
T6525: Add default dir for ext-scripts without absolute path
|
|
|
|
openvpn: T3834: verify() is not allowed to change anything on the system
|
|
vrf: T6592: remove unused import get_interface_config
|
|
interfaces that don't exist
|
|
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.
This commit moves the code path to the appropriate generate() function.
|
|
wireless: T6597: improve hostapd startup and corresponding smoketests
|
|
|
|
|
|
Remove unused import (left over) from commit 36f3791e0 ("utils: migrate to new
get_vrf_tableid() helper")
|
|
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances
failed") introduced a new helper to retrieve the VRF table ID from the Kernel.
This commit migrates the old code path where the individual fields got queried
to the new helper vyos.utils.network.get_vrf_tableid().
|
|
This was found during smoketesting as thoase started to repeadingly fail in the last weeks
File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py", line 534, in test_wireless_security_station_address
self.assertTrue(process_named_running('hostapd'))
AssertionError: None is not true
Digging into this revealed that this is NOT related to the smoketest coding but
to hostapd/systemd instead. With a configured WIFI interface and calling:
"sudo systemctl reload-or-restart hostapd@wlan1" multiple times in a short
period caused systemd to report:
"Jul 18 16:15:32 systemd[1]: hostapd@wlan1.service: Deactivated successfully."
According to the internal systemd logic used in our version this is explained by:
/* If there's a stop job queued before we enter the DEAD state, we shouldn't act on Restart=, in order to not
* undo what has already been enqueued. */
if (unit_stop_pending(UNIT(s)))
allow_restart = false;
if (s->result == SERVICE_SUCCESS)
s->result = f;
if (s->result == SERVICE_SUCCESS) {
unit_log_success(UNIT(s));
end_state = SERVICE_DEAD;`
Where unit_log_success() generates the log message in question.
Improve the restart login in the wireless interface script and an upgrade to
hostapd solved the issue.
|
|
|
|
T6578: Fix unhandled exception in "show openconnect-server sessions"
|
|
|
|
|
|
op-mode: T6586: add a distinct exception for unconfigured objects (as opposed to entire subsystems)
|
|
|
|
op-mode: T6577: create generic service restart helper to work with the API
|
|
as opposed to entire subsystems
|
|
Right now we have multiple restart helpers (e.g. dhcp server, ssh, ntp) that
all do the same (more or less):
* Check if service is configured on CLI
* Restart if configured
* Error out if unconfigured
This is not available via the op-mode API. Create a new restart.py op-mode
helper that takes the service name and possible VRF as argument so it's also
exposed via API.
|
|
|
|
|
|
|
|
op-mode: T6537: remove unused cmd imported from vyos.utils.process
|
|
Commit dc60fe99350 ("op-mode: T6537: include hostname in the reboot/shutdown
warning message") added a more local import of vyos.utils.process.cmd() that
made the fglobal import obsolete and trigger a linter warning.
$ make unused-imports
--------------------------------------------------------------------
Your code has been rated at 10.00/10 (previous run: 10.00/10, +0.00)
|
|
fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
fix: incorrect bssid mapping
fix: use the correct jinja templating (I think)
fix: “remote blank space
fix: attempt to fix the formatting in j2
fix: attempt to fix the formatting in j2
feat: rename enterprise username and password + add checks in conf mode.
fix: move around `bssid` config option on `wpa_supplicant.conf.j2` and fix the security config part
fix: fix indentation on `wpa_supplicant.conf.j2`
|
|
op-mode: T6371: fix output of NAT rules with single port range
|
|
vyos_net_name: T6544: Updated the `vyos_net_name` script
|
|
|
|
Improvements in the `vyos_net_name`:
- Used a new locking system, to be sure that multiple running scripts will not
try to perform operations at the same time.
- Replace logging from a file to syslog. This is common with all the rest logs,
and additionally gives a better view of actions done during a boot.
- Small bug fix in `get_configfile_interfaces()`: exit with an error in case a
config file cannot be parsed. This resolves potentially an unbound `config` object.
- Minor formatting fixes to follow our requirements.
|
