summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-26Merge pull request #5297 from alexandr-san4ez/T8865-rollingChristian Breunig
bgp: T8865: Reject `vni` sub-block in VRF l2vpn-evpn when `advertise-all-vni` is globally active
2026-06-26Merge pull request #5282 from sarthurdev/T8987Christian Breunig
geoip: T8987: Support updates via source-address/vrf
2026-06-26bgp: T8865: Reject `vni` sub-block in VRF l2vpn-evpn when ↵Oleksandr Kuchmystyi
`advertise-all-vni` is globally active When `advertise-all-vni` is configured in the global/default BGP instance, VyOS generated a `vni <id>` sub-block under each VRF BGP `address-family l2vpn evpn` context. This conflicts with advertise-all-vni: FRR already owns all kernel VNIs and returns `% Failed to create VNI` when frr-reload.py attempts to apply the VRF-level vni sub-block. FRR then performs an early exit from config processing, silently dropping the entire l2vpn evpn address-family for all subsequent VRF BGP instances.
2026-06-25Merge pull request #5289 from natali-rs1985/T9011Christian Breunig
T9011: enable proxy_ndp sysctl for static IPv6 neighbor proxy
2026-06-25Merge pull request #5272 from natali-rs1985/T5526Christian Breunig
bgp: T5526: Fix BGP neighbor validation not raising when interface does not exist
2026-06-25Merge pull request #5284 from vyos/T8097-strongswan-esnChristian Breunig
T8097: strongswan: add CLI for ESN
2026-06-25Merge pull request #5292 from vyos/asklymenko-patch-1Christian Breunig
T9019: Update GitHub PR templates with AI tool usage policy
2026-06-25Merge pull request #5290 from natali-rs1985/T9013Christian Breunig
bgp: T9013: Add BMP source-interface support
2026-06-25geoip: T8987: Support updates via source-address/vrfsarthurdev
2026-06-25Merge pull request #5294 from jestabro/configtree-thread-safe-initJohn Estabrook
T9015: fix thread safety of configtree read/write_cache
2026-06-25bgp: T9013: Add BMP source-interface supportNataliia Solomko
2026-06-25Merge pull request #5291 from jestabro/reference-tree-thread-safe-initJohn Estabrook
T8993: initialize ReferenceTree module from string not file
2026-06-25Merge pull request #5155 from sarthurdev/geoipViacheslav Hletenko
geoip: T5746: Add GeoIP ASN support
2026-06-25bgp: T5526: Fix BGP neighbor validation not raising when interface does not ↵Nataliia Solomko
exist Validation of interface-based BGP neighbors relied on checking physical interface existence, which silently skipped the check when interface didn't exist yet, letting invalid config reach FRR. Fix by checking whether the neighbor is not an IP address instead, and improve the error messages to show the correct command.
2026-06-24T9015: add nosetestJohn Estabrook
2026-06-24T9015: use file operations on Python side for read/write_cache to fileJohn Estabrook
For thread-safe calls, move file operations to the Python side, leaving only string operations for calls to ctypes bindings.
2026-06-24T9019: Update GitHub PR templates with AI tool usage policyAndrii Klymenko
Add a checkbox for reviewing code produced by GenAI tools in the PR template.
2026-06-24T8993: initialize ReferenceTree module from string not fileJohn Estabrook
Avoid initialization error in threaded applications, for example when calling libvyosconfig functions from FastAPI background tasks. The read_internal function from file relies on the inherently non thread-safe Unix module; read string first and pass to lib read_string.
2026-06-24Merge pull request #5264 from rnavarro/fix/vti-updown-db-flock-raceViacheslav Hletenko
ipsec: T8975: lock vti-up-down state DB to prevent lost updates under concurrent rekey
2026-06-24T9011: enable proxy_ndp sysctl for static IPv6 neighbor proxyNataliia Solomko
2026-06-23ipsec: T8975: add unit tests for vti_updown_db lock wiringRobert Navarro
The module previously had no tests. Cover the DB logic (add/remove, multiple connections per interface, removeAllOtherInterfaces, setPersistentInterfaces, seed-from-file) and assert each open_* helper acquires the serialising lock, exercised with vyos.utils.locking.Lock patched out.
2026-06-23ipsec: T8975: lock vti-up-down state DB to prevent lost updates under ↵Robert Navarro
concurrent rekey The vti-up-down hook and vpn_ipsec.py modify a flat-file DB (/tmp/ipsec_vti_interfaces) through three context managers that do an unlocked read-modify-write. During a coordinated rekey, strongSwan fires the hook for many VTIs concurrently, so the writers lost-update each other: an interface whose up-client add is overwritten is left admin-down while its CHILD_SA stays installed. Serialise all DB access by reusing vyos.utils.locking.Lock. A new _vti_updown_db_lock() context manager wraps the three public context managers, and remove_vti_updown_db() holds the lock across both the DB processing and the os.unlink() to close the create/delete race. Make the helpers absence-safe under the lock so callers no longer compose a separate existence check with a locked operation: open_vti_updown_db_readonly() yields None when the DB does not exist and remove_vti_updown_db() is a no-op when it is absent. Drop the now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and vpn_ipsec.py and handle the None yield.
2026-06-23Merge pull request #5267 from vyos/T8099-strongswan-6.0John Estabrook
T8099: strongswan: 6.0.6 + Post quantum options
2026-06-23Merge pull request #5283 from natali-rs1985/T8998Viacheslav Hletenko
openvpn: T8998: fix ccd-exclusive without client-config-dir
2026-06-23Merge pull request #5226 from indrajitr/haproxy-websocketViacheslav Hletenko
haproxy: T8931: Improve WebSocket support for HAProxy
2026-06-23Merge pull request #5288 from c-po/mon-log-levelViacheslav Hletenko
T9009: op-mode: extend "monitor log" with filter level
2026-06-23Merge pull request #5252 from natali-rs1985/T8913Daniil Baturin
vpp: T8913: Skip bond teardown for non-structural config changes
2026-06-23Merge pull request #5287 from alexk37/T8990Viacheslav Hletenko
T8990: bgp: fix VPNv4/VPNv6 leaked routes flapping on every commit
2026-06-23Merge pull request #5156 from alexandr-san4ez/T8540-currentViacheslav Hletenko
pseudo-ethernet: T8540: Add anycast-gateway support for EVPN
2026-06-23Merge pull request #5220 from opswill/currentViacheslav Hletenko
qos: T7965: Fix qos fails to reapply on dynamic interfaces after reconnection
2026-06-22vyos-netlink: T7965: only re-apply QoS configuration to individual interfaceChristian Breunig
The previous vyos-netlinkd implementation for QoS policy re-apply was very heavy. It conducted a full CLI validation and re-apply on every interface. Instead we do not only re-apply the QoS configuration to the interface which has had an address change detected by vyos-netlinkd. This can be tested by checking "tc qdisc show" before disconnecting a PPPoE interface and during/after reconnect. There will be no qdisc until the dynamic interface has received an IP address - then the qdisc will be re-applied.
2026-06-22T8099: strongswan: Post quantum optionsKyrylo Yatsenko
Add options for mlkem*
2026-06-22pseudo-ethernet: T8540: Add anycast-gateway support for EVPNOleksandr Kuchmystyi
Introduce 'anycast-gateway' leafNode for pseudo-ethernet interfaces. When set, a local FDB entry is installed on the parent bridge to prevent the shared anycast MAC from leaking over the VXLAN overlay.
2026-06-22Merge pull request #5280 from natali-rs1985/T8603Viacheslav Hletenko
vpp: T8603: Expand ACL support to logical interfaces
2026-06-21remote: T8829: fall back to GET when HEAD is not supportedBrad Kollmyer
HttpC.download() always probed remote URLs with HEAD before GET to discover redirects and Content-Length. Some APIs (e.g. AbuseIPDB) reject HEAD with 405 Method Not Allowed, causing firewall remote-group downloads to fail and leave empty cached list files. Treat HEAD 405/501 as unsupported and proceed with GET using the original URL. When HEAD does not provide Content-Length, read it from the GET response headers instead. Validate available storage after determining file size and before opening the destination file. Log sanitized download errors in vyos-domain-resolver when a remote- group list-file fetch fails. Add unit tests with mock servers that return 405 or 501 on HEAD and 200 on GET.
2026-06-20op-mode: T9009: extend "monitor log" with filter levelChristian Breunig
journalctl captures all syslog priority levels; filtering happens at query time via -p <level>. The existing monitor log command always shows all priorities. A "monitor log filter <priority>" sub-command lets operators tail the journal at a specific minimum severity without having to remember journalctl flags. "journalctl -p <level>" shows messages at that level and above (i.e., lower numeric severity values are always included — warning also shows err, crit, alert, emerg).
2026-06-20op-mode: T9009: remove superfluous bash -c '' from monitor log commandChristian Breunig
2026-06-20op-mode: T9009: use journalctl build-in colorisationChristian Breunig
Drop third party binary grc for showing the log output in fancy colors. Solely rely on what journalctl brings to the table.
2026-06-20vyos-netlink: T7965: re-apply QoS configuration on dynamic interfacesopswill
Re-apply QoS after dynamic interfaces get addresses after connect/disconnect. When PPPoE interfaces re-connect we need to re-do QoS settings.
2026-06-20T8097: strongswan: add ESN testKyrylo Yatsenko
2026-06-20T8990: bgp: fix VPNv4/VPNv6 leaked routes flapping on every commitAlex Kudentsov
VRF route leaking via VPNv4/VPNv6 caused all imported (leaked) routes to be withdrawn and reinstalled on every commit - even commits unrelated to BGP, VRF or routing - briefly blackholing traffic that depends on them. Root cause: the BGP address-family template rendered the route-target using the "route-target vpn ..." alias. FRR accepts that alias on input but its config writer only ever emits the canonical "rt vpn ..." form. frr-reload.py diffs the generated config against FRR's running config line by line and has no normalisation for this, so the route-target lines never matched and were deleted and re-added on every reload. Re-applying the route-target runs FRR's vpn_leak_prechange()/postchange(), a non-atomic withdraw-all then reinstall-all of every leaked route. Emit the canonical "rt vpn" keyword so the rendered config round-trips through frr-reload unchanged. FRR also folds an identical import+export route-target into "both" (an order-sensitive, byte-identical match), so do the same to stay idempotent; reordered or differing lists stay split on both sides. Add test_bgp_33_vpn_route_target_idempotency covering both / identical export+import / asymmetric route-target, reading the generated FRR config (getFRRconfig/vtysh returns FRR's already-canonical form and cannot catch the alias).
2026-06-20T8097: strongswan: update test with ESNKyrylo Yatsenko
By default now for each proposal two proposals are sent: with `-noesn` and without. Update test accordingly.
2026-06-20ifconfig: T9008: refactor vyos.ifconfig to use cmdl() for safer subprocess ↵Christian Breunig
execution Replace all cmd() calls in the vyos.ifconfig library with cmdl(), passing arguments as lists instead of interpolated strings. This eliminates a class of command-injection risks that arise when building shell commands with f-strings or other string formatting.
2026-06-20utils: T9003: remove dead-weight decode argument from cmd()Christian Breunig
The decode argument of cmd() is never changed and thus always pointing to utf-8, remove the code.
2026-06-20utils: T9003: add list-argument variant of cmd() for safer subprocess executionChristian Breunig
A list-argument variant of cmd() for safer subprocess execution named cmdl(). Command must be a list of strings; no shell interpolation is performed, which eliminates a class of command-injection risks present when building commands with f-strings or other string formatting.
2026-06-20utils: T9003: get_wrapper() should return empty list instead of None.Christian Breunig
get_wrapper() now returns [] instead of None. It makes the existing string format usage in cmd() cleaner, as it will show just the command in debug runs rather then "None /[path/to/cmd"
2026-06-20T8097: strongswan: add CLI for ESNKyrylo Yatsenko
Add CLI commands: set vpn ipsec ike-group MyIKEGroup proposal 1 esn ESN-VALUE set vpn ipsec esp-group MyESPGroup proposal 1 esn ESN-VALUE Where ESN-VALUE can be one of: * required: only establish connection using ESN * optional: try using ESN, but if not available, accept non-ESN * disabled (default): don't use ESN StrongSwan 6.0.6 doesn't allow connections between proposal with '-noesn' and without '-esn'/'-noesn'. To make it work as expected, use two proposals for 'optional' and 'disabled': * required: PROPOSAL-esn * optional: PROPOSAL-esn-noesn,PROPOSAL * disabled: PROPOSAL-noesn,PROPOSAL
2026-06-19T8099: update strongswan dependency to 6.0.6Kyrylo Yatsenko
2026-06-19Merge pull request #5075 from vyos/fix/mutable-default-argsJohn Estabrook
config: T8858: fix mutable default argument in config API methods
2026-06-19openvpn: T8998: fix ccd-exclusive without client-config-dirNataliia Solomko
Emit `client-config-dir` when `reject-unconfigured-clients` is set, even without server client entries, so OpenVPN does not crash-loop.