Age | Commit message (Collapse) | Author |
Remove `service upnp` as it never worked as expected, nft rules are
not integrated, and custom patches do not seem like a suitable
solution for now.
Security:
UPnP has been historically associated with security risks due to its automatic
and potentially unauthenticated nature.
UPnP devices might be vulnerable to unauthorized access or exploitation.
ethernet: T6306: add support for EVPN MH uplink/core tracking
When all the underlay links go down the PE no longer has access to the VxLAN
overlay.
To prevent blackholing of traffic the server/ES links are protodowned on the PE.
A link can be set up for uplink tracking via the following configuration:
```
set interfaces ethernet eth0 evpn uplink
```
Bond: T6303: add system mac address on interfaces bond
Fix default values for random-detect
Remove dsmark qdisc from gred config because dsmark was deleted from the kernel
bgp: T6189: L3VPN connectivity is broken after re-enabling VRF
After e7bb65894 ("vrf: T6189: render FRR L3VNI configuration when creating VRF
instance") we need to ensure that the VRF L3VNI configuration is removed in FRR
prior to removing the BGP VRF instance.
The reason is [1], where FRR only allows a VRF BGP instance to be removed when
there is NO VNI configured anymore.
1: https://github.com/FRRouting/frr/blob/064c3494527b9e84260410006768ed38e57e1de7/bgpd/bgp_vty.c#L1646-L1650
When adding and removing VRF instances on the fly it was noticed that the vni
statement under the VRF instance in FRR vanishes. This was caused by a race
condition which was previously designed to fix another bug.
The weird design of a Python helper below the VRF tree that only generated the
VNI configuration nodes is now gone and all is rendered in the proper place.
pppoe-server: T6234: PPPoE-server pado-delay refactoring
We have several config XML definitions that use the same python3
script `system_host-name.py`
https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_name-server.xml.in
https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_host-name.xml.in
https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_static-host-mapping.xml.in
https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_domain-name.xml.in
https://github.com/vyos/vyos-1x/blob/current/interface-definitions/system_domain-search.xml.in
Any change in these scripts causes a restart of `service snmpd`.
The service `snmpd` should be restarted only if `host-name` or
`domain-name` was changed.
It is a good idea to rewrite it to `get_config_dict` in the future.
T6267: Check interface wireless module before apply config
Check if the wireless device/modem exists in the system and the
module `ieee802111` is loaded.
In cases where we do not have wireless devices, this prevents the
unexpected traceback:
```
set interfaces wireless wlan0 address 192.0.2.5/32
commit
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 269, in <modu>
c = get_config()
^^^^^^^^^^^^
File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 104, in get_cg
tmp = find_other_stations(conf, base, wifi['ifname'])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/libexec/vyos/conf_mode/interfaces_wireless.py", line 54, in find_os
for phy in os.listdir('/sys/class/ieee80211'):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/sys/class/ieee80211'
```
Throw a warning message instead of an error if an interface that is
used in pppoe/ipoe does not exist.
T6263: Groups 224.0.0.0/24 are reserved and cannot be joined
qos: T4248: Allow to remove the only rule from the qos class
The join addresses within the multicast group 224.0.0.0/24 are
reserved and cannot be joined.
FRR:
```
r4(config)# interface eth2
r4(config-if)# ip igmp join 224.0.0.0 224.0.0.10
% Configuration failed.
Error type: validation
Error description: Groups within 224.0.0.0/24 are reserved and cannot be joined
r4(config-if)#
```
Add a verify check.
Not all FRR address-families are compatible with VRF:
```
r4# conf t
r4(config)# router bgp 65001 vrf bgp
r4(config-router)#
r4(config-router)# address-family ipv4 flowspec
Only Unicast/Multicast/EVPN SAFIs supported in non-core instances.
r4(config-router)#
r4(config-router)# address-family ipv4 labeled-unicast
Only Unicast/Multicast/EVPN SAFIs supported in non-core instances.
r4(config-router)#
r4(config-router)# address-family ipv4 vpn
Only Unicast/Multicast/EVPN SAFIs supported in non-core instances.
r4(config-router)#
```
Add an AFI verify check for VRF.
T6221: Return default ip rule values after deleting VRF
Fix for restoring default ip rule values after deleting VRF
Default values:
```
$ ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
```
After adding and deleting a VRF we get unexpected values:
```
$ ip rule
1000: from all lookup [l3mdev-table]
2000: from all lookup [l3mdev-table] unreachable
32765: from all lookup local
32766: from all lookup main
32767: from all lookup default
```
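As an added illustration (not part of the commit or of VyOS), a small Python check that parses `ip rule` output and reports which rules differ from the defaults listed above; the sample output is constructed from the commit message, and the function names are assumptions:

```python
import re

# The three rules a host is expected to have when no VRF is configured
# (taken from the "Default values" listing in the commit message).
EXPECTED_DEFAULT_RULES = {
    (0, "from all lookup local"),
    (32766, "from all lookup main"),
    (32767, "from all lookup default"),
}

# Constructed sample: the leftover state after adding and deleting a VRF.
SAMPLE_AFTER_VRF_DELETE = """\
1000:\tfrom all lookup [l3mdev-table]
2000:\tfrom all lookup [l3mdev-table] unreachable
32765:\tfrom all lookup local
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

RULE_RE = re.compile(r"^(\d+):\s+(.*)$")


def parse_ip_rule(output):
    """Turn `ip rule` text into (priority, selector/action) tuples."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2).strip()))
    return rules


def find_non_default_rules(output):
    """Return (unexpected, missing): rules that are not defaults, and
    defaults that are absent. Leftover l3mdev rules and a 'local' rule
    that moved to priority 32765 both show up as unexpected."""
    present = set(parse_ip_rule(output))
    unexpected = sorted(present - EXPECTED_DEFAULT_RULES)
    missing = sorted(EXPECTED_DEFAULT_RULES - present)
    return unexpected, missing


if __name__ == "__main__":
    print(find_non_default_rules(SAMPLE_AFTER_VRF_DELETE))
```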
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates
pki: T6241: Fix dependency updates on PKI changes
T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-options
Check if DH is configured for OpenVPN but does not exist in the
PKI section:
```
set pki dh dh-correct parameters 'xxxx'
set interfaces openvpn vtun10 tls dh-params 'dh-fake'
File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki
pki_dh = pki['dh'][tls['dh_params']]
~~~~~~~~~^^^^^^^^^^^^^^^^^^
KeyError: 'dh-fake'
```
fails (#3296)
T5169: Add PoC for generating CGNAT rules rfc6888
Add PoC for generating CGNAT rules
https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, only some of them.
Implemented:
REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP
address mapping for all sessions associated with the same internal
IP address, be they TCP, UDP, ICMP, something else, or a mix of
different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size
or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per
subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
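As an added illustration (not the VyOS implementation), a Python allocator that applies REQ-2 paired pooling and the REQ-4 per-subscriber port limit to the pools from the CLI above and renders illustrative nft snat rules; the pool values come from the commit, while the function names and the rule text are assumptions:

```python
import ipaddress

# Pool values taken from the CLI in the commit message; everything else here
# is an illustrative allocator, not the VyOS implementation.
INTERNAL_POOL = "100.64.0.0/28"
EXTERNAL_POOL = "192.0.2.222/32"
EXTERNAL_PORT_RANGE = (1024, 65535)
PER_USER_PORT_LIMIT = 1000


def allocate_port_blocks(internal_pool, external_pool, port_range, per_user_limit):
    """Give every internal address one external address and one fixed port
    block. Paired pooling (REQ-2): all sessions of a subscriber share the same
    external address. Per-user limit (REQ-4): each block is per_user_limit
    ports wide and blocks never overlap, so one subscriber cannot exhaust
    the pool for the others."""
    lo, hi = port_range
    blocks_per_ext = (hi - lo + 1) // per_user_limit
    externals = list(ipaddress.ip_network(external_pool))
    internals = list(ipaddress.ip_network(internal_pool))
    capacity = blocks_per_ext * len(externals)
    if len(internals) > capacity:
        raise ValueError(f"{len(internals)} subscribers but only {capacity} port blocks")
    mapping = {}
    for idx, src in enumerate(internals):
        ext = externals[idx // blocks_per_ext]
        start = lo + (idx % blocks_per_ext) * per_user_limit
        mapping[str(src)] = (str(ext), start, start + per_user_limit - 1)
    return mapping


def render_nft_rules(mapping):
    """Render one snat rule per subscriber in the nft 'snat to addr:port-port'
    form (illustrative; not the rule set VyOS generates)."""
    return [f"ip saddr {src} snat to {ext}:{first}-{last}"
            for src, (ext, first, last) in mapping.items()]


if __name__ == "__main__":
    blocks = allocate_port_blocks(INTERNAL_POOL, EXTERNAL_POOL,
                                  EXTERNAL_PORT_RANGE, PER_USER_PORT_LIMIT)
    for rule in render_nft_rules(blocks):
        print(rule)
```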
ethernet: T5862: default MTU is not acceptable in some environments
login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'
'upper'
Commit b30faa43c (container: T6208: rename "cap-add" CLI node to "capability")
added an AttributeError referencing an out of scope variable.
This has been fixed.
Commit 1b364428f ("login: T5875: restore home directory permissions only when
needed") added logic to chown the user's home directory if its UID changes.
This might happen when a user account is deleted and re-added to the system.
Under rare circumstances it was possible that the implementation triggered
```
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'getpwuid(): uid not found: XXXX'
```
This has been fixed by re-arranging the code path with an additional try/except
if the PW database information could not be retrieved, leading to an implicit
chown() of the home directory to the user being added.
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
mac node
The problem was introduced in [1] but the config migrator part unfortunately
was added to the wrong version [2]. As IPoE config version 0 was only active
during the 1.3 development cycle and VyOS 1.3.0 was already released with config
version 1 we can safely drop the migrator 0-to-1 and move the code to 1-to-2 to
properly support upgrades from VyOS 1.3 -> 1.4 or newer.
1: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-08291bf77870abe3af8bbe3e8ce4bbf344fd0498b2c5c75a75aa7235d381c88eL168
2: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-b8bb58b75607d3653e74d82eff02442f9f3ab82698f160ba37858f7cdf6c79ccR44-R46
There are cloud environments available where the maximum supported ethernet
MTU is e.g. 1450 bytes, thus we clamp this to the adapter's maximum MTU value
or 1500 bytes - whichever is lower.
bgp: T5943: BGP Peer-group members must be all internal or all external
T6068: dhcp-server: add command <set service dhcp-server high-availability mode>