summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-12-17vpp: T7954: Add op-mode commands to show LACPNataliia Solomko
2025-12-17ssh: T8098: migrate "rijndael-cbc@lysator.liu.se" to "aes256-cbc" cipherChristian Breunig
According to [1] rijndael-cbc@lysator.liu.se is an alias for aes256-cbc which was standardized in RFC4253 (2006). This changes the migrator implementation to not only delete the old "rijndael-cbc@lysator.liu.se" cipher from the CLI and set the new, standardized aes256-cbc SSH cipher. 1: https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
2025-12-17Fix help text for WWAN interface informationGrant
2025-12-16Merge pull request #4901 from jestabro/vyos-op-run-when-rootJohn Estabrook
T8103: add root to those allowed to call op-run commands directly
2025-12-15Merge pull request #4896 from c-po/ssh-config-testDaniil Baturin
ssh: T8090: T8098: add support for config test mode (sshd -t)
2025-12-15T8103: add root to those allowed to call op-run commands directlyJohn Estabrook
2025-12-15Merge pull request #4900 from kumvijaya/currentVijayakumar A
T8100: Update pull_request_target branch filters for GitHub Actions policy change
2025-12-15T8100: updated pullrequest_target trigger branch filters updatedkumvijaya
2025-12-15T8100: updated pullrequest_target trigger branch filters updatedkumvijaya
2025-12-14T8026: Fixed missing session commit for the generate routerxTITUSMAXIMUSX
2025-12-14ssh: T8098: rename "ciphers" CLI node to "cipher"Christian Breunig
Follow VyOS CLI best practices for using singular whenever possible to build a CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this minor detail.
2025-12-14ssh: T8098: remove support for deprecated "rijndael-cbc@lysator.liu.se" cipherChristian Breunig
According to an Arch Linux forum discussion, the cipher rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7. References: - https://bbs.archlinux.org/viewtopic.php?id=188613 - https://www.openssh.org/txt/release-6.7 - https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
2025-12-14ssh: T8090: add support for config test mode (sshd -t)Christian Breunig
Add a safety-net for development to check if the rendered sshd(8) configuration can be applied at all. If it can't be applied - throw an error. From https://linux.die.net/man/8/sshd: -t Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change. Explicitly forcing a broken config now results in: vyos@vyos# commit [ service ssh ] Unexpected error with SSH configuration! /run/sshd/sshd_config line 21: X11DisplayOffset integer value invalid. [[service ssh]] failed Commit failed
2025-12-14Merge pull request #4898 from c-po/isis-fixViacheslav Hletenko
isis: T8094: bugfix config migration from 1.3.0-rc1 -> 1.4
2025-12-13Merge pull request #4897 from ↵Christian Breunig
dmbaturin/T8096-fix-capital-letter-op-mode-commands op-mode: T8096: fix command names that contain capital letters
2025-12-12isis: T8094: bugfix config migration from 1.3.0-rc1 -> 1.4Christian Breunig
While producing all configtest assert files for VyOS 1.4 it was noted that the the isis-small testcase from fails. This config fragment is not properly migrated when updating from VyOS 1.3.0-rc1 -> 1.4 and using IS-IS. protocols { isis FOO { interface eth1 { bfd } net 49.0001.1921.6800.1002.00 redistribute { ipv4 { connected { level-2 { route-map EXPORT-ISIS } } } } } } and results in loosing IS-IS connectivity. This is due the fact that config.rename() does not work when only using the base tagNode.
2025-12-12op-mode: T8096: fix command names that contain capital lettersDaniil Baturin
2025-12-11Merge pull request #4894 from c-po/xml-geo-ipDaniil Baturin
firewall: T8089: "geoip country-code" should get a completion helper
2025-12-11Merge pull request #4893 from c-po/configtestsChristian Breunig
smoketest: T8087: reorganize folderstructure for embedded configttests
2025-12-11T8082: VPP fails to start with buffers page-size 1GNataliia Solomko
2025-12-11Merge pull request #4880 from natali-rs1985/T7972Viacheslav Hletenko
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
2025-12-11Merge pull request #4889 from cpcowart/cc/fix-dhcpv6-renew-gateViacheslav Hletenko
T8078: dhcpv6: allow lease renew for pd & parameters
2025-12-10firewall: T8089: "geoip country-code" should get a completion helperChristian Breunig
There is a CLI constraint for lowercase country codes, but user's do not see this.
2025-12-10smoketest: T8087: reorganize folderstructure for embedded configttestsChristian Breunig
Configuration files for config tests gathered from lab installations, customers or our own networks were placed in multiple directories - all related to the same thing. We have had config-tests, configs and config.no-load. This commit re-arranges all the files and places a proper README for the users.
2025-12-10Merge pull request #4857 from sever-sever/T7819Viacheslav Hletenko
vpp: T7819: do not override driver if it is already done
2025-12-10T7819: VPP do not override driver if it is already doneViacheslav Hletenko
The upstream VPP code already writes the ena device ID to new_id So we can remove `ena` from `override_driver()` The kernel does not provide a reliable way to check whether an ID has already been registered, so we simply attempt the write and ignore the FileExistsError. Any other failure is treated as a warning. Fixes this case: Traceback (most recent call last): File "/usr/libexec/vyos/services/vyos-configd", line 156, in run_script script.apply(c) File "/usr/libexec/vyos/conf_mode/vpp.py", line 613, in apply control_host.override_driver( File "/usr/lib/python3/dist-packages/vyos/vpp/control_host.py", line 138, in override_driver Path('/sys/module/vfio_pci/drivers/pci:vfio-pci/new_id').write_text( File "/usr/lib/python3.11/pathlib.py", line 1079, in write_text with self.open(mode='w', encoding=encoding, errors=errors, newline=newline) as f: FileExistsError: [Errno 17] File exists
2025-12-09T8078: dhcpv6: allow lease renew for pd & parametersChris Cowart
The renew command will refuse to restart the dhcp6c process for an interface unless it is configured to request an address, but the client may also be running to manage parameters and/or prefix delegations.
2025-12-09Merge pull request #4882 from sever-sever/T8011Viacheslav Hletenko
T8011: VPP fix log duplication in systemd journal
2025-12-08Merge pull request #4891 from alexandr-san4ez/T7134-currentChristian Breunig
tech-support: T7134: add topology snapshot generation using `hwloc` package
2025-12-08tech-support: T7134: add topology snapshot generation using `hwloc` packageOleksandr Kuchmystyi
This enhances diagnostic capabilities by providing hardware topology visuals within support archives.
2025-12-07Merge pull request #4885 from dmbaturin/T8056-deprecate-salt-minionChristian Breunig
salt: T8056: add a deprecation warning
2025-12-05Merge pull request #4888 from dmbaturin/T7810-fix-pppoe-resetViacheslav Hletenko
op-mode: T7810: fix broken 'reset connection' command
2025-12-05Merge pull request #47 from dmbaturin/T7901-root-op-mode-fixViacheslav Hletenko
vyos-op-run: T7901: skip permission checks if the user is root
2025-12-05Merge pull request #4826 from nvollmar/T7982Viacheslav Hletenko
T7982: container: generate run arguments once
2025-12-04Merge pull request #4878 from alexandr-san4ez/T8001-currentDaniil Baturin
ipsec: T8001: Commit fails removing VTI interface in IPsec config
2025-12-04Merge pull request #4881 from alexandr-san4ez/T7594-currentDaniil Baturin
ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`
2025-12-04Merge pull request #4886 from dmbaturin/T8059-migrate-syslog-portsDaniil Baturin
syslog: T8059: migrate host:port node names to the new syntax with a dedicated port option
2025-12-04ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`Oleksandr Kuchmystyi
The previous 'connection-type respond' option in IPsec site-to-site peers was misleading - instead of passively waiting for peer initiation, it would initiate negotiation when matching traffic appeared, potentially causing SA duplication and renegotiation loops.
2025-12-04vpp: T7972: Make `nat44 no-forwarding` feature automatically configurableNataliia Solomko
If any dynamic rule is configured forwarding should be disabled because each packet must be processed through the NAT session table to apply proper translations
2025-12-04vyos-op-run: T7901: skip permission checks if the user is rootDaniil Baturin
2025-12-04op-mode: T7810: fix broken 'reset connection' commandDaniil Baturin
2025-12-04Merge pull request #4884 from c-po/openvpn-t7738-migrationDaniil Baturin
openvpn: T7738: avoid duplicate certs during 1.3 -> 1.4 migration
2025-12-04salt: T8056: add a deprecation warningDaniil Baturin
2025-12-04syslog: T8059: migrate host:port node names to the new syntaxDaniil Baturin
with a dedicated port option
2025-12-02Merge pull request #4867 from jestabro/vyconf-session-unsavedJohn Estabrook
T8032: add analogue of cli-shell-api sessionUnsaved
2025-12-02smoketest: T7738: provide OpenVPN test certificates for migration testsChristian Breunig
This adds necessary embedded certificates to validate the migration logic added in commit 63cc76fa236 ("openvpn: T7738: avoid duplicate certs during 1.3 -> 1.4 migration"). The CA used was generated using EasyRSA as described in our documentation: https://docs.vyos.io/en/1.3/configuration/interfaces/openvpn.html#generate-x-509-certificate-and-keys
2025-12-02T8032: update commit hashes for analogue of sessionUnsavedJohn Estabrook
2025-12-02Merge pull request #4866 from natali-rs1985/T8030Nataliia S.
T8030: VPP: Check support for changed driver too
2025-12-02Merge pull request #4883 from dmbaturin/T8054-use-interface-validatorViacheslav Hletenko
interfaces: T8054: use --is-valid-intf-address for validating interface addresses
2025-12-02openvpn: T7738: avoid duplicate certs during 1.3 -> 1.4 migrationChristian Breunig
When migrating from VyOS 1.3 to 1.4, OpenVPN interfaces sharing the same certificate (chain) end up getting duplicated certificate entries, one per interface — instead of reusing a single cert if applicable. This change makes the migration logic detect shared certificates and reuse a single CA and server certificate objects, preventing redundant certificate entries in the config.