Age | Commit message | Author
2023-10-14 | Merge pull request #2361 from zdc/T5232-circinus | Christian Breunig
pmacct: T5232: Fixed pmacct service control via systemctl
2023-10-12 | pmacct: T5232: Fixed pmacct service control via systemctl | zsdc
pmacct daemons have one very important specific - they handle control signals in the same loop as packets. And packets waiting is blocking operation. Because of this, when systemctl sends SIGTERM to uacctd, this signal has no effect until uacct receives at least one packet via nflog. In some cases, this leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks. As a result, a working folder is not cleaned properly.

This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd can detect proper PID, and PIDfile is created by uacctd too late, which leads to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and the core process exits with status 1 because it loses connection to plugins too early. As a result, we have errors in logs, and the systemd service is in a failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service stop which unlocks uacctd and allows systemctl to finish its work properly
2023-10-12 | Merge pull request #2357 from devon-mar/ldpd-template-errors | Christian Breunig
ldpd: T5648: Fix ldpd template errors
2023-10-12 | Merge pull request #2358 from jestabro/schema-check | Christian Breunig
xml: T5649: catch errors from schema validation before generating cache
2023-10-12 | xml: T5649: catch errors from schema validation before generating cache | John Estabrook
2023-10-12 | openvpn: T5634: fix permissions on migration file | John Estabrook
2023-10-12 | Merge pull request #2277 from aapostoliuk/T5254-1-sagitta | Daniil Baturin
bonding: T5254: Fixed changing ethernet when it is a bond member
2023-10-12 | openvpn: T5634: fix typo | John Estabrook
2023-10-11 | ldpd: T5648: Fix ldpd template errors | Devon Mar
Bug introduced in https://github.com/vyos/vyos-1x/commit/8fb6e715d32e7eff77e413d8577059dd55b24c0a
2023-10-11 | Merge pull request #2353 from dmbaturin/T5634-no-more-blowfish | John Estabrook
openvpn: T5634: Remove support for insecure DES and Blowfish ciphers
2023-10-12 | openvpn: T5634: Remove support for insecure DES and Blowfish ciphers | Daniil Baturin
2023-10-11 | Merge pull request #2342 from sever-sever/T5165 | Viacheslav Hletenko
T5165: Implement policy local-route source and destination port
2023-10-10 | Merge pull request #2352 from jestabro/api-self-config | Daniil Baturin
http-api: T2612: correct the response message and add reload for api self-configuration
2023-10-09 | conf-mode: T5412: remove refs to vyos module for use by addon packages | John Estabrook
2023-10-09 | http-api: T2612: reload server within configsession for api self-config | John Estabrook
2023-10-09 | http-api: T2612: send response before reconfiguring api server | John Estabrook
2023-10-08 | Merge pull request #2349 from Apachez-/T5489 | Christian Breunig
T5489: Change default qdisc from 'fq' to 'fq_codel'
2023-10-08 | Change to BBR as TCP congestion control, or at least make it a config option | Apachez
2023-10-08 | Merge pull request #2263 from Cheeze-It/current | Viacheslav Hletenko
T5530: isis: Adding loop free alternate feature
2023-10-08 | Merge pull request #2345 from dmbaturin/T5639-group-deps | Christian Breunig
debian: T5639: group dependencies and add comments
2023-10-07 | Merge pull request #2335 from c-po/t5630-pppoe-mru | Daniil Baturin
pppoe: T5630: allow to specify MRU in addition to already configurable MTU
2023-10-07 | debian: T5639: group dependencies and add comments | Daniil Baturin
2023-10-06 | Merge pull request #2343 from erkin/raid | Daniil Baturin
op-mode: T5608: Fix help message for `delete raid`
2023-10-06 | op-mode: T5608: Fix help message for `delete raid` | erkin
2023-10-06 | T5165: Implement policy local-route source and destination port | Viacheslav Hletenko
Add `policy local-route` source and destination port

set policy local-route rule 23 destination port '222'
set policy local-route rule 23 protocol 'tcp'
set policy local-route rule 23 set table '123'
set policy local-route rule 23 source port '8888'

% ip rule show prio 23
23: from all ipproto tcp sport 8888 dport 222 lookup 123
2023-10-06 | T5530: isis: Adding loop free alternate feature | Cheeze_It
2023-10-05 | Merge pull request #2339 from jestabro/save-json-on-commit | Christian Breunig
config: T5631: save copy of config in JSON format on commit
2023-10-05 | Merge pull request #2338 from jestabro/legacy-versions | Christian Breunig
T4320: remove references to obsoleted legacy version files
2023-10-05 | config: T5631: save copy of config in JSON format on commit | John Estabrook
2023-10-04 | T4320: remove references to obsoleted legacy version files | John Estabrook
2023-10-04 | Merge pull request #2336 from c-po/t5521-home-dir | Christian Breunig
login: T5521: do not call system-login.py in vyos-router init
2023-10-04 | login: T5521: do not call system-login.py in vyos-router init | Christian Breunig
Calling system-login.py with no mounted VyOS config has the negative effect that the script will not detect any local user accounts and thus assumes they all need to be removed from the password backend. As soon as the VyOS configuration is mounted and the CLI content is processed, system-login.py gets invoked and re-creates the before deleted user accounts. As the account names are sorted in alphabetical order, the name <-> UID mapping can get mixed up during system reboot.

The intention behind calling system-login.py from vyos-router init was to reset system services (PAM, NSS) back to sane defaults with the defaults provided via system-login.py. As PAM is already reset in vyos-router startup script, /etc/nsswitch.conf was the only candidate left. This is now accomplished by simply creating a standard NSS configuration file tailored for local system accounts.

This is the second revision after the first change via commit 64d32329958 ("login: T5521: home directory owner changed during reboot") got reverted.
2023-10-04 | Revert "login: T5521: home directory owner changed during reboot" | Christian Breunig
This reverts commit 64d323299586da646ca847e78255ff2cd8464578.
2023-10-03 | pppoe: T5630: verify MRU is less or equal than MTU | Christian Breunig
2023-10-03 | pppoe: T5630: allow to specify MRU in addition to already configurable MTU | Christian Breunig
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send packets of no more than n bytes. The value of n must be between 128 and 16384, the default was always 1492 to match PPPoE MTU. A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.

CLI: set interfaces pppoe pppoe0 mru 1280
2023-10-03 | Merge pull request #2330 from c-po/init-T5577 | Christian Breunig
init: T5577: clear mandatory and optional RADIUS/TACACS PAM settings
2023-10-03 | Merge pull request #2331 from c-po/login-T5521 | Christian Breunig
login: T5521: home directory owner changed during reboot
2023-10-03 | Merge pull request #2326 from Apachez-/T5436 | Daniil Baturin
T5436: Add missing preconfig-script
2023-10-03 | login: T5521: home directory owner changed during reboot | Christian Breunig
During system startup the system-login.py script is invoked by vyos-router systemd service. As there is no complete configuration available at this point in time - and the sole purpose of this call is to reset/re-render the system NSS/PAM configs back to default - it accidentally also deleted the local user accounts. Once the VyOS configuration got mounted, users got recreated in alphabetical order and thus UIDs flipped and the /home suddenly belonged to a different account.

This commit prevents any mangling with the local user database during VyOS bootup phase.
2023-10-03 | init: T5577: clear mandatory and optional RADIUS/TACACS PAM settings | Christian Breunig
This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and 'optional' modes for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added 'mandatory' and 'optional' modes for TACACS+"). As those new services should also be cleaned during system boot.
2023-10-03 | Merge pull request #2328 from c-po/t5628-login | Christian Breunig
login: T5628: fix spwd deprecation warning
2023-10-03 | bonding: T5254: Fixed changing ethernet when it is a bond member | aapostoliuk
If ethernet interface is a bond member:
1. Allow for changing only specific parameters which are specified in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet interface which are specified in BondIf.get_inherit_bond_options. Users can change inheritable options under ethernet interface but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.

Added migration script. It deletes all denied parameters under ethernet interface if it is a bond member.
2023-10-02 | login: T5628: fix spwd deprecation warning | Christian Breunig
vyos@vyos:~$ show system login users
Username    Type    Locked    Tty    From           Last login
----------  ------  --------  -----  -------------  ------------------------
vyos        vyos    False     pts/0  172.16.33.139  Mon Oct  2 20:42:24 2023
2023-10-02 | smoketests: T5626: verify Kernel options required for containers | Christian Breunig
2023-09-30 | T5436: Add missing preconfig-script | Apachez
2023-09-30 | vrf: netns: T3829: T31: priority needs to be after netns | Christian Breunig
A network namespace can have VRFs assigned, thus we need to get the priorities right. This lowers both priorities in general as a VRF or NETNS needs to be available very early as services can run on top of them.
2023-09-30 | Merge pull request #2269 from indrajitr/ddclient-wait-time | Christian Breunig
ddclient: T5574: Support per-service cache management for providers
2023-09-30 | Merge pull request #2300 from nicolas-fort/T5600 | Christian Breunig
T5600: firewall: change constraints for inbound|outbound interface-name
2023-09-30 | ddclient: T5574: Support per-service cache management for services | Indrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache.

More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient does a forced update of the hostname's IP address.

These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider-specific options in that they are only used if defined.
2023-09-30 | Merge pull request #2325 from sever-sever/T5165 | Christian Breunig
T5165: Migrate policy local-route rule x destination to address