Age | Commit message (Collapse) | Author |
|
VyOS is a routing (packet pushing) platform, thus supporting EEE which
potentially causes issues is not a good idea. Some recent Intel drivers enable
EEE by default, thus we will disable this for every NIC supporting EEE.
|
|
configdict: T5837: add support to return added nodes when calling node_changed()
|
|
snmp: 5856: fix service removal error
|
|
When deleting SNMP from CLI the 'delete' key was not honored in the config
dictionary, leading to a false process startup causing the following error:
Job for snmpd.service failed because the control process exited with error code.
See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
|
|
In the past, node_changed() suggested it would also return nodes that got added
(function comment) but in reality only deleted keys got accounted for.
This commit changes the signature and adds an argument expand_nodes to specify
the users interest of a node was deleted (default), added (expand_nodes=Diff.ADD)
or even both (expand_nodes=Diff.ADD|Diff.DELETE).
|
|
node_changed() will return a list of changed keys under "path". We are not
always interested what changed, sometimes we are only interested if something
changed at all, that what vyos.configdict.is_node_changed() is for.
|
|
T160: NAT64 add match firewall mark feature
|
|
Match mark allows to use firewall marks of packet to use
a specific pool
Example of instance config /run/jool/instance-100.json
```
...
"pool4": [
{
"protocol": "TCP",
"prefix": "192.0.2.10",
"port range": "1-65535",
"mark": 23
},
...
```
|
|
|
|
xml: T5854: clear empty paths left by embedded override of defaultValue
|
|
|
|
T5840: Add override for systemd kea-ctrl-agent.service
|
|
After update KEA to 2.4.x in the bf04cd8fea44d375fb7d93d75a1f31c220730c88
there is a file that expects ConditionFileNotEmpty=/etc/kea/kea-api-password
It cause the unit `kea-ctrl-agent.service` cannot start
systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password)
Override systemd kea-ctrl-agent.service do not check this file
|
|
Updated image_installer.py to try and validate image with all
minisign public keys in /usr/share/vyos/keys/
|
|
srv6: T591: enable SR enabled packet processing on defined interfaces
|
|
T2898: add ndp-proxy service
|
|
dhcp: T5846: Ensure DUID regex range is bound
|
|
The DUID regex was missing a lower bound, which could cause it not to
match when it should.
We have to specify the lower bound explicitly as 0 to keep the regex
behavior similar to that in Python (in Python, omitting the lower bound
is equivalent to specifying 0).
|
|
frr: T4020: re-enable watchfrr in config as it is always running
|
|
dhcp: T5846: Fix include path
|
|
|
|
|
|
dhcp: T5846: Refactor and simplify DUID definition
|
|
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove
explicit call to a separate validator `ipv6-duid` and inline the regex into the
XML definition.
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
|
|
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be
processed or not. This is done using
/proc/sys/net/conf/<iface>/seg6_* variables:
seg6_enabled - BOOL
Accept or drop SR-enabled IPv6 packets on this interface.
Relevant packets are those with SRH present and DA = local.
0 - disabled (default)
not 0 - enabled
Or the VyOS CLI command:
* set protocols segment-routing interface eth0 srv6
|
|
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is
possible to associate multiple VRF devices to the same table. Conversely, when
net.vrf.strict_mode=1 a table can be associated to a single VRF device.
A VRF table can be used by the VyOS CLI only once (ensured by verify()), this
simply adds an additional Kernel safety net, but a requirement for IPv6 segment
routing headers.
|
|
Allow the HTTPS API server to start without any configured keys when GraphQL JWT auth is configured
|
|
and use only PAM auth and JWT
|
|
when no API keys are set
|
|
T5828: fix grub installation on arm64-efi machines
|
|
|
|
|
|
This reverts commit 7036c761e74bcd48e3ba714dec4545208ee0e313.
|
|
configdep: T5836: add boolean check whether script called as dependency
|
|
|
|
image-tools: T5831: show system image reverse ordered by date
|
|
|
|
Since the migration of GRUB handling to vyos-1x, the grub install
sequence has hardcoded references to x86.
Change the GRUB sequence so it can work on arm64 as well.
|
|
|
|
T5249: Add rollback-soft feature
|
|
dhcp: T3316: Adjust dhcp-run script to align with kea hooks
|
|
dhcp: T3316: Kea DHCP and DHCPv6 fixes
|
|
The hook arguments passed to `on-dhcp-event.sh` have changed in Kea.
Adjust the script to align with the new arguments.
Additionally, remove FQDN mangling from the script. No need to extract
the domain name from `LEASE4_HOSTNAME` only to append it again.
See: https://kea.readthedocs.io/en/latest/arm/hooks.html#hooks-run-script
|
|
* Move Kea socket permission change on-demand and speed up conf scripts
* Fix issue with DHCP reservations when no `ip-address` value
|
|
ddclient: T5144,T5791: Fix migration to avoid config name conflict
|
|
ocserv: T5796: add CLI knob "http-security-headers"
|
|
|
|
OCserv manual recommended HTTP headers tobe included in the configuration.
(cherry picked from commit ad65d37ddf92ec8416c84707d7d41e63346b550c)
|
|
Since `service dns dynamic address <address> service <service> ...`
changed to `service dns dynamic name <service> address <address> ...`,
the resulting service and address config flip can result in conflicting
`service` name.
Additionally, since dynamic DNS service name now have name constraint,
we need to normalize the service name to conform with the constraint.
We now migrate the service name to (service|rfc2136)-<service>-<address>
to avoid the conflict and optionally append an index if there is still a
name conflict after normalization.
|