Age | Commit message (Collapse) | Author |
|
pmacct daemons have one very important specific - they handle control signals in
the same loop as packets. And packets waiting is blocking operation.
Because of this, when systemctl sends SIGTERM to uacctd, this signal has no
effect until uacct receives at least one packet via nflog. In some cases, this
leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks.
As a result, a working folder is not cleaned properly.
This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to
send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd
can detect proper PID, and PIDfile is created by uacctd too late, which leads
to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and
the core process exits with status 1 because it loses connection to plugins too
early. As a result, we have errors in logs, and the systemd service is in a
failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service
stop which unlocks uacctd and allows systemctl to finish its work properly
|
|
firewall, nat, nat66
|
|
|
|
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
|
|
|
|
|
|
This prevents any stale override files when the system is beeing rebooted,
but the actual configuration was not saved. /run is a tmpfs and thus
always fresh after boot.
|
|
|
|
|
|
|
|
|
|
It should be possible to send the gathered data via a VRF bound interface to
the collector. This is somehow related to T3981 but it's the opposite side of
the netflow process.
set system flow-accounting vrf <name>
|
|
* 'firewall' of https://github.com/sarthurdev/vyos-1x:
zone_policy: T3873: Implement intra-zone-filtering
policy: T2199: Migrate policy route op-mode to XML/Python
policy: T2199: Migrate policy route to XML/Python
zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
zone-policy: T2199: Migrate zone-policy to XML/Python
firewall: T2199: Migrate firewall op-mode to XML/Python
firewall: T2199: Migrate firewall to XML/Python
|
|
|
|
|
|
|
|
The implementation of the "auto" option to specify the sflow/netflow
agent-address is very error prone. The current implementation will determine
the IP address used for the "auto" value as follow:
Get BGP router-id
1) If not found use OSPF router-id
2) If not found use OSPFv3 router-id
3) If not found use "the first IP address found on the system
Well, what is the "first IP address found"? Also this changes if DHCP is in use.
Also another disadvantage is when the BGP/OSPF/OSPFv3 router-id is changed,
the agent-address is not updated upon the next reboot of the system.
This task is about removing the "auto" keyword from the CLI at all and make it
either entirely configurable by the user and hardcode the value in CLI, or not
use this at all.
If "auto" is specified we will query the system in the above order and set the
proper router-id in the CLI. If none can be found the CLI node is removed.
|
|
sFlow uses the source-address CLI node and netflow uses source-ip this is just
confusing and should be synced to the common source-address CLI node.
|
|
|
|
|
|
|
|
error
|
|
(cherry picked from commit 95cc2e4b4c11414cc71749af12abb575e96e5bd4)
|
|
|
|
|
|
airbag must now be explicitly installed.
the patch also allow to fully disables the installation of the logging
code at setup (and not just installing and doing nothing)
|
|
|
|
|
|
|
|
|
|
convert all call to jinja to use template.render
|
|
util: T2226: improvement and fixes
|
|
update all code using the API. Interface.interfaces() could be
used but the code was change to use Section.interfaces() which
make more sense when reading it.
|
|
|
|
The failure are now reported slightly differently using the
cmd "raising" feature which will allow down the line to
intercept the issue and present them better to the user
|
|
|
|
|
|
* fixed improper `process.returncode` invokes
* added check for if an in-memory table is active before using IMT for flows show
* replaced `--nflog-range` to `--nflog-size` in iptables rules, as `--nflog-range` had never works. **WARNING: this change break compatibility with Debian 8!**
|
|
|
|
This patch keep compatibility with old configuration and software, but now it is much easier to add a lot of other useful things
Completely replaces vyatta-netflow package (except some outdated and not available via CLI parts)
|