<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/debian/vyos-1x.preinst, branch feature/T9082-codeql-cpp</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-03-19T21:37:45+00:00</updated>
<entry>
<title>vyos-netlinkd: T8047: replace netplugd</title>
<updated>2026-03-19T21:37:45+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-11-07T21:05:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b84bdbf8dd25995aa564081632de6251ecf5ad4e'/>
<id>urn:sha1:b84bdbf8dd25995aa564081632de6251ecf5ad4e</id>
<content type='text'>
Implementing a daemon that listens for netlink messages in Python was discussed
for many years. This is a proof-of-concept implementation how we can listen for
netlink messages and process them in Python.

Python 3.10 minimum is required due to the use of case statements which mimics
C-style switch/case instructions.

Add example:

 set interfaces ethernet eth1 vif 21 address dhcp
 set interfaces ethernet eth1 vif 21 address dhcpv6
 commit

If network cable is unplugged:

  vyos-netlinkd[12681]: RTM_NEWLINK -&gt; eth3.10, state=DOWN, mac=00:50:56:b3:9d:8e
  vyos-netlinkd[12681]: Stopping dhclient@eth3.10.service...
  vyos-netlinkd[12681]: Stopping dhcp6c@eth3.10.service...

If cable is plugged back in:

  vyos-netlinkd[12681]: RTM_NEWLINK -&gt; eth3.10, state=DOWN, mac=00:50:56:b3:9d:8e
  vyos-netlinkd[12681]: RTM_NEWLINK -&gt; eth3.10, state=UP, mac=00:50:56:b3:9d:8e
  vyos-netlinkd[12681]: Restarting dhclient@eth3.10.service...
  vyos-netlinkd[12681]: Restarting dhcp6c@eth3.10.service...
</content>
</entry>
<entry>
<title>pki: T7908: certbot.timer must call CLI script to update certificates</title>
<updated>2025-10-10T18:26:34+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-10T18:22:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2aec74e5219325434a73ad01718861169db001ac'/>
<id>urn:sha1:2aec74e5219325434a73ad01718861169db001ac</id>
<content type='text'>
CRON is not used for certbot as pki starts the certbot timer.
</content>
</entry>
<entry>
<title>T7106: Divert sysctl vpp settings (#4325)</title>
<updated>2025-01-30T17:46:03+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2025-01-30T17:46:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=170541686cab7c2ba3fc0f376353d665c9a3040b'/>
<id>urn:sha1:170541686cab7c2ba3fc0f376353d665c9a3040b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>wireless: T4287: use Debian postinst over preinst when using update-alternatives</title>
<updated>2024-07-04T18:07:08+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-07-04T18:07:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=a414190447c32be0775a077cde13cef0cf2b8c54'/>
<id>urn:sha1:a414190447c32be0775a077cde13cef0cf2b8c54</id>
<content type='text'>
This fixes an error during ISO assembly:

update-alternatives: error: no alternatives for regulatory.db
dpkg: error processing archive /tmp/apt-dpkg-install-PJplR3/00-vyos-1x_1.5dev0-1880-gecaa44498_amd64.deb (--unpack):
 new vyos-1x package pre-installation script subprocess returned error exit status 2
</content>
</entry>
<entry>
<title>wireless: T4287: use upstream regulatory database due to kernel signing</title>
<updated>2024-07-03T20:28:26+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-07-03T20:28:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=9263965071289b6e51e22669b6d588a8d8fbcc1f'/>
<id>urn:sha1:9263965071289b6e51e22669b6d588a8d8fbcc1f</id>
<content type='text'>
Most likely b/c of our non signed Kernel binary we do not trust the Debian
signed wireless regulatory database. Fallback to the upstream database instead.
</content>
</entry>
<entry>
<title>T1797: Remove vpp packages and mentions</title>
<updated>2023-11-09T17:53:17+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2023-11-09T17:53:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=e10cf9f42514799d10b9c495d585bb9f41fd2330'/>
<id>urn:sha1:e10cf9f42514799d10b9c495d585bb9f41fd2330</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T5706: Add custom systemd udev rules to exclude dynamic interfaces</title>
<updated>2023-11-04T12:15:38+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2023-11-04T12:15:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=ca9cc86233520eb495c17602bf7a110094c1d8e7'/>
<id>urn:sha1:ca9cc86233520eb495c17602bf7a110094c1d8e7</id>
<content type='text'>
Add custom systemd udev rules to exclude some regular and dynamic
interfaces from "systemd-sysctl" calls.
It fixes high CPU utilization (100%) as we have a lot of calls per
interface for dynamic interfaces like ppp|ipoe|sstp etc.

/lib/systemd/systemd-udevd should not be called for those interfaces
</content>
</entry>
<entry>
<title>Merge pull request #2256 from zdc/T5577-circinus</title>
<updated>2023-09-29T05:26:31+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-09-29T05:26:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=400df973d3518e9f18cb84b52ca89e08a399e461'/>
<id>urn:sha1:400df973d3518e9f18cb84b52ca89e08a399e461</id>
<content type='text'>
T5577: Optimized PAM configs for RADIUS/TACACS+</content>
</entry>
<entry>
<title>TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+</title>
<updated>2023-09-13T18:02:32+00:00</updated>
<author>
<name>zsdc</name>
<email>taras@vyos.io</email>
</author>
<published>2023-09-13T10:16:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1c804685d05ad639bcb1a9ebce68a7a14268500f'/>
<id>urn:sha1:1c804685d05ad639bcb1a9ebce68a7a14268500f</id>
<content type='text'>
In CLI we can choose authentication logic:

  - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
  stopped and access denied immediately.
  - `optional` (default) - if TACACS+ answers with `REJECT`, authentication
  continues using the next module.

In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
</content>
</entry>
<entry>
<title>RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS</title>
<updated>2023-09-13T17:41:43+00:00</updated>
<author>
<name>zsdc</name>
<email>taras@vyos.io</email>
</author>
<published>2023-09-13T09:41:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=5181ab60bb6d936505967d6667adc12c5ecb9b64'/>
<id>urn:sha1:5181ab60bb6d936505967d6667adc12c5ecb9b64</id>
<content type='text'>
In CLI we can choose authentication logic:

  - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
  be stopped and access denied immediately.
  - `optional` (default) - if RADIUS answers with `Access-Reject`,
  authentication continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
</content>
</entry>
</feed>
