| Age | Commit message (Collapse) | Author |
|---|
|
(cherry picked from commit 2f52106dc160f217d6e27da45674c0231a93382a)
|
|
This fixes the error message:
Can not use both blackhole and reject for prefix "{prefix}"!
Added in commit bb78f3a9ad28 ("static: T4283: support "reject" routes - emit an
ICMP unreachable when matched")
(cherry picked from commit 490ee3ec5ba7ea28002890841eab8e46f775a129)
|
|
syslog: T5367: add format option to include timezone in message (backport #4061)
|
|
Add CLI option to include the systems timezone in the syslog message sent to
a collector. This can be enabled using:
set system syslog host <hostname> format include-timezone
(cherry picked from commit 042be39ccabb43a766e04a447207610ff017bd7d)
|
|
(cherry picked from commit c196c6d9207ef112e478f44923b2d0bc8a15b3c9)
|
|
policy: T6676: Invalid route-map caused bgpd to crash (backport #4047)
|
|
Add ability to set the container network with a disable-dns setting to disable
the DNS plugin that is on be default.
set container network <network> no-name-server
(cherry picked from commit 1d5625d572cc25a9d53247b7c41177f17845b052)
Co-authored-by: Dave Vogel <dave.vogel@fullpower.com>
|
|
(cherry picked from commit 595f35bbdda732883ce0b8b0721061bb3a40a715)
|
|
(cherry picked from commit 0162a27952d2166583a9e6aee2cd77b9c693062b)
|
|
(cherry picked from commit d5ae708581d453e2205ad4cf8576503f42e262b6)
|
|
(cherry picked from commit 4acad3eb8d9be173b76fecafc32b0c70eae9b192)
|
|
Fix for system option ssh-client source-interface
For the `verify_source_interface` the key `ifname` if required
(cherry picked from commit f453b33a6056de8fc5145ca9e680361fbce68348)
|
|
(cherry picked from commit 8500e8658ff10f52739143fd7814cf60c9195f16)
|
|
(cherry picked from commit 9979afa15650bd609399030da1751488baaac70b)
|
|
configverify: T6642: verify_interface_exists requires config_dict arg (backport #3961)
|
|
T6619: Remove the remaining uses of per-protocol FRR configs (backport #3916)
|
|
The function verify_interface_exists requires a reference to the ambient
config_dict rather than creating an instance. As access is required to
the 'interfaces' path, provide as attribute of class ConfigDict, so as
not to confuse path searches of script-specific config_dict instances.
(cherry picked from commit 5f23b7275564cfaa7c178d320868b5f5e86ae606)
|
|
(cherry picked from commit ed63c9d1896a218715e13e1799fc059f4561f75e)
|
|
(cherry picked from commit f2256ad338fc3fbaa9a5de2c0615603cd23e0f94)
|
|
console: T3334: remove unused directories imported from vyos.defaults (backport #3923)
|
|
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname (backport #3883)
|
|
(cherry picked from commit 4055090a8d4fd64288eab7ae41aa9440f5de4ece)
|
|
ports
* Created op-mode command "restart serial console"
* Relocated service control to vyos.utils.serial helpers, used by conf- and
op-mode serial console handling
* Checking for logged-in serial sessions that may be affected by getty reconfig
* Warning the user when changes are committed and serial sessions are active,
otherwise restart services as normal. No prompts issued during commit,
all config gen/commit steps still occur except for the service restarts
(everything remains consistent)
* To apply committed changes, user will need to run "restart serial console"
to complete the process or reboot the whole router
* Added additional flags and target filtering for generic use of helpers.
(cherry picked from commit bc9049ebd76576d727fa87b10b96d1616950237c)
|
|
(cherry picked from commit 31acb42ecdf4ecf0f636f831f42a845b8a00d367)
|
|
iifname/oifname
When any of the following features NAT, NAT66 or Firewall is enabled, for every
VRF on the CLI we install one rule into nftables for conntrack:
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}
This is superfluous.
(cherry picked from commit d6e9824f1612bd8c876437c071f31a1a0f44af5d)
|
|
system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by TuneD (backport #3853)
|
|
(cherry picked from commit 115e99630a317cab62c6f99e0461f6ce2c1edaf3)
|
|
T6599: ipsec: support disabling rekey of CHILD_SA, converge and fix defaults (backport #3841)
|
|
by TuneD
(cherry picked from commit 7b82e4005724683c6311fab22358746f2cca4c1b)
|
|
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF
actually exists. If this is not validated, one can pass an invalid VRF to the
system which generates an OSError exception.
To reproduce
set interfaces vxlan vxlan1 vni 1000
set interfaces vxlan vxlan1 remote 1.2.3.4
set interfaces vxlan vxlan1 vrf smoketest
results in
OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt
This commit adds the missing verify_vrf() call to the missing interface types
and an appropriate smoketest for all interfaces supporting VRF assignment.
(cherry picked from commit dd0ebffa33728e452ac6e11737c2283f0e390359)
|
|
This was found during smoketesting as thoase started to repeadingly fail in the last weeks
File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py", line 534, in test_wireless_security_station_address
self.assertTrue(process_named_running('hostapd'))
AssertionError: None is not true
Digging into this revealed that this is NOT related to the smoketest coding but
to hostapd/systemd instead. With a configured WIFI interface and calling:
"sudo systemctl reload-or-restart hostapd@wlan1" multiple times in a short
period caused systemd to report:
"Jul 18 16:15:32 systemd[1]: hostapd@wlan1.service: Deactivated successfully."
According to the internal systemd logic used in our version this is explained by:
/* If there's a stop job queued before we enter the DEAD state, we shouldn't act on Restart=, in order to not
* undo what has already been enqueued. */
if (unit_stop_pending(UNIT(s)))
allow_restart = false;
if (s->result == SERVICE_SUCCESS)
s->result = f;
if (s->result == SERVICE_SUCCESS) {
unit_log_success(UNIT(s));
end_state = SERVICE_DEAD;`
Where unit_log_success() generates the log message in question.
Improve the restart login in the wireless interface script and an upgrade to
hostapd solved the issue.
(cherry picked from commit a67f49d99eda00998c425f9a663e138dbd0f7755)
|
|
Authored-By: Alain Lamar <alain_lamar@yahoo.de>
(cherry picked from commit d5e988ba2d0fa0189feff22374c9b46eb49e2e79)
|
|
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.
This commit moves the code path to the appropriate generate() function.
(cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit 23a3419d512139650cfe3dc76759b370b0c0c3d6)
|
|
Remove unused import (left over) from commit 36f3791e0 ("utils: migrate to new
get_vrf_tableid() helper")
(cherry picked from commit b551f542c5c906c901e3be37ad3fd68c8248473d)
|
|
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances
failed") introduced a new helper to retrieve the VRF table ID from the Kernel.
This commit migrates the old code path where the individual fields got queried
to the new helper vyos.utils.network.get_vrf_tableid().
(cherry picked from commit 36f3791e0c15267483d59a3bb74465811d08df88)
|
|
If a firewall is not configured there is no reason to get and
execute telegraf firewall custom scripts as there are no nft
chain in the firewall nftables configuration
(cherry picked from commit ebff0c481907ac0c2c0be9981c3c3d87caf3003b)
|
|
Add Loki plugin to telegraf
set service monitoring telegraf loki url xxx
(cherry picked from commit 3365eb7ab99fa9a259fe440eb51e82fc0a0a4dc6)
|
|
(cherry picked from commit 9495f904fcc157521ca001ee21cf31be28a6b3a0)
|
|
(cherry picked from commit d818788932e3c57d020cca9236df7275da452fce)
|
|
T5949: Add option to disable USB autosuspend (backport #3677)
|
|
openconnect: T6500: add support for multiple ca-certificates (backport #3682)
|
|
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added
a print() statement which notified the users about the subsystems which got
supplied with an updated certificate.
Example:
> PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0
> PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1
This is an informational message which should maybe (if needed) be sent to
syslog. But the main issue is that CLI paths are mangled (- to _) which makes
the about print output wrong and could potentially confuse users.
Statement has been commented to be re-enabled for debugging.
(cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)
|
|
Add possibility to provide a full CA chain to the openconnect server.
* Support multiple CA certificates
* For every CA certificate specified, always determine the full certificate
chain in the background and add the necessary SSL certificates
(cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)
|
|
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
|
|
* container: T6219: Add support for container sysctl / kernel parameters
(cherry picked from commit 717ea64e4c54a8be619ffc29c16c6203b29319dd)
* T6219: align with system sysctl and limit parameters to supported
(cherry picked from commit f030464952168b553b5b3e29b461d437c2642a9b)
---------
Co-authored-by: Ben Pilgrim <ben@pilgrim.me.uk>
Co-authored-by: Nicolas Vollmar <nvollmar@gmail.com>
|
|
The intention of vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
(cherry picked from commit e318eb33446de47835480d4b8f1646b39fb5c388)
|
|
The haproxy reverse proxy was not reloaded/restarted with the new SSL
certificate(s) after a change in the PKI subsystem. This was due to missing
dependencies.
(cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
|
|
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
|
