summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-12-24Merge pull request #2677 from sever-sever/T160Christian Breunig
T160: NAT64 add match firewall mark feature
2023-12-24T160: NAT64 add match firewall mark featureViacheslav Hletenko
Match mark allows to use firewall marks of packet to use a specific pool Example of instance config /run/jool/instance-100.json ``` ... "pool4": [ { "protocol": "TCP", "prefix": "192.0.2.10", "port range": "1-65535", "mark": 23 }, ... ```
2023-12-24veth: T5853: fix typo in constraintErrorMessagezero13th
2023-12-24Merge pull request #2679 from jestabro/allow-embedded-overrideChristian Breunig
xml: T5854: clear empty paths left by embedded override of defaultValue
2023-12-23xml: T5854: clear empty paths left by embedded override of defaultValueJohn Estabrook
2023-12-22Merge pull request #2676 from sever-sever/T5840Christian Breunig
T5840: Add override for systemd kea-ctrl-agent.service
2023-12-22T5840: Add override for systemd kea-ctrl-agent.serviceViacheslav Hletenko
After update KEA to 2.4.x in the bf04cd8fea44d375fb7d93d75a1f31c220730c88 there is a file that expects ConditionFileNotEmpty=/etc/kea/kea-api-password It cause the unit `kea-ctrl-agent.service` cannot start systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password) Override systemd kea-ctrl-agent.service do not check this file
2023-12-21T5781: use dynamic minisign key listKyleM
Updated image_installer.py to try and validate image with all minisign public keys in /usr/share/vyos/keys/
2023-12-21Merge pull request #2663 from c-po/srv6-part2Christian Breunig
srv6: T591: enable SR enabled packet processing on defined interfaces
2023-12-21Merge pull request #2665 from c-po/ndp-proxyChristian Breunig
T2898: add ndp-proxy service
2023-12-21Merge pull request #2670 from indrajitr/duid-refactor-T5846-3Christian Breunig
dhcp: T5846: Ensure DUID regex range is bound
2023-12-21dhcp: T5846: Ensure DUID regex range is boundIndrajit Raychaudhuri
The DUID regex was missing a lower bound, which could cause it not to match when it should. We have to specify the lower bound explicitly as 0 to keep the regex behavior similar to that in Python (in Python, omitting the lower bound is equivalent to specifying 0).
2023-12-21Merge pull request #2668 from c-po/currentChristian Breunig
frr: T4020: re-enable watchfrr in config as it is always running
2023-12-21Merge pull request #2667 from indrajitr/duid-refactor-T5846-2Christian Breunig
dhcp: T5846: Fix include path
2023-12-21frr: T4020: re-enable watchfrr in config as it is always runningChristian Breunig
2023-12-21dhcp: T5846: Fix include pathIndrajit Raychaudhuri
2023-12-21Merge pull request #2664 from indrajitr/duid-refactor-T5846Christian Breunig
dhcp: T5846: Refactor and simplify DUID definition
2023-12-21dhcp: T5846: Refactor and simplify DUID definitionIndrajit Raychaudhuri
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove explicit call to a separate validator `ipv6-duid` and inline the regex into the XML definition.
2023-12-20T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } }
2023-12-20srv6: T591: enable SR enabled packet processing on defined interfacesChristian Breunig
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables: seg6_enabled - BOOL Accept or drop SR-enabled IPv6 packets on this interface. Relevant packets are those with SRH present and DA = local. 0 - disabled (default) not 0 - enabled Or the VyOS CLI command: * set protocols segment-routing interface eth0 srv6
2023-12-20vrf: T591: define sysctl setting for net.vrf.strict_modeChristian Breunig
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device. A VRF table can be used by the VyOS CLI only once (ensured by verify()), this simply adds an additional Kernel safety net, but a requirement for IPv6 segment routing headers.
2023-12-20Merge pull request #2661 from dmbaturin/T5844Viacheslav Hletenko
Allow the HTTPS API server to start without any configured keys when GraphQL JWT auth is configured
2023-12-20https api: T5844: allow the server to start without API keysDaniil Baturin
and use only PAM auth and JWT
2023-12-20https api: T5844: issue a warning about the classic API unavailabilityDaniil Baturin
when no API keys are set
2023-12-19Merge pull request #2643 from mcbridematt/t5828-grub-arm64-fixDaniil Baturin
T5828: fix grub installation on arm64-efi machines
2023-12-19smoketest: bgp: T4163: use explicit kill to respawn bgpd processChristian Breunig
2023-12-19smoketest: bgp: T4163: add explicit timeout when starting BMPChristian Breunig
2023-12-19Revert "smoketest: bgp: temporary disable BMP test"Christian Breunig
This reverts commit 7036c761e74bcd48e3ba714dec4545208ee0e313.
2023-12-19Merge pull request #2655 from jestabro/called_as_dependentChristian Breunig
configdep: T5836: add boolean check whether script called as dependency
2023-12-18configdep: T5836: add boolean check whether script called as dependencyJohn Estabrook
2023-12-18Merge pull request #2649 from jestabro/image-version-orderDaniil Baturin
image-tools: T5831: show system image reverse ordered by date
2023-12-18image-tools: T5831: show system image reverse ordered by dateJohn Estabrook
2023-12-18T5828: fix grub installation on arm64-efi machinesMathew McBride
Since the migration of GRUB handling to vyos-1x, the grub install sequence has hardcoded references to x86. Change the GRUB sequence so it can work on arm64 as well.
2023-12-17smoketesT: bgp: temporary disable BMP testChristian Breunig
2023-12-17Merge pull request #2596 from sever-sever/T5249Viacheslav Hletenko
T5249: Add rollback-soft feature
2023-12-17Merge pull request #2647 from indrajitr/kea-hook-fixChristian Breunig
dhcp: T3316: Adjust dhcp-run script to align with kea hooks
2023-12-17Merge pull request #2646 from sarthurdev/kea_fixesChristian Breunig
dhcp: T3316: Kea DHCP and DHCPv6 fixes
2023-12-17dhcp: T3316: Adjust dhcp-run script to align with kea hooksIndrajit Raychaudhuri
The hook arguments passed to `on-dhcp-event.sh` have changed in Kea. Adjust the script to align with the new arguments. Additionally, remove FQDN mangling from the script. No need to extract the domain name from `LEASE4_HOSTNAME` only to append it again. See: https://kea.readthedocs.io/en/latest/arm/hooks.html#hooks-run-script
2023-12-17dhcp: T3316: Kea DHCP and DHCPv6 fixessarthurdev
* Move Kea socket permission change on-demand and speed up conf scripts * Fix issue with DHCP reservations when no `ip-address` value
2023-12-16Merge pull request #2617 from indrajitr/ddclient-improvement-round-3-2023-12-11Christian Breunig
ddclient: T5144,T5791: Fix migration to avoid config name conflict
2023-12-16Merge pull request #2644 from c-po/ocserv-T5796Viacheslav Hletenko
ocserv: T5796: add CLI knob "http-security-headers"
2023-12-16ocserv: T5796: add smoketest for new "http-security-headers" featureChristian Breunig
2023-12-16ocserv: T5796: add CLI knob "http-security-headers"fett0
OCserv manual recommended HTTP headers tobe included in the configuration. (cherry picked from commit ad65d37ddf92ec8416c84707d7d41e63346b550c)
2023-12-15ddclient: T5791: Fix migration to normalize config name and avoid configIndrajit Raychaudhuri
Since `service dns dynamic address <address> service <service> ...` changed to `service dns dynamic name <service> address <address> ...`, the resulting service and address config flip can result in conflicting `service` name. Additionally, since dynamic DNS service name now have name constraint, we need to normalize the service name to conform with the constraint. We now migrate the service name to (service|rfc2136)-<service>-<address> to avoid the conflict and optionally append an index if there is still a name conflict after normalization.
2023-12-15Merge pull request #2639 from c-po/frr-t4020Viacheslav Hletenko
frr: T4020: add option to define number of open file descriptors
2023-12-15frr: T4020: add option to define number of open file descriptorsChristian Breunig
This allows the operator to control the number of open file descriptors each daemon is allowed to start with. The current assumed value on most operating systems is 1024. If the operator plans to run bgp with several thousands of peers then this is where we would modify FRR to allow this to happen. set system frr descriptors <n>
2023-12-15firewall: T4502: add ofload to firewall table actionsGurliGebis
2023-12-14Merge pull request #2637 from sever-sever/5823Christian Breunig
T5823: Add recursive_defaults for BGP get_config dictionary
2023-12-14T5823: Add recursive_defaults for BGP get_config dictionaryViacheslav Hletenko
Add recursive_defaults values for BGP "get_config" dictionary.
2023-12-14Merge pull request #2635 from sever-sever/T5749Christian Breunig
T5749: Add a more scrict search for get_vrf method