summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-02-11rpki: T6034: move SSH authentication keys to PKI subsystemChristian Breunig
2024-02-11pki: T6034: add OpenSSH key supportChristian Breunig
set pki openssh rpki private key ... set pki openssh rpki public key ... set pki openssh rpki public type 'ssh-rsa'
2024-02-10Merge pull request #2983 from c-po/rpki-t6004Christian Breunig
rpki: T6004: add missing startup priority
2024-02-10Merge pull request #2982 from c-po/pki-xmlChristian Breunig
xml: T5738: improve PKI building blocks for CLI
2024-02-10rpki: T6004: add missing startup priorityChristian Breunig
2024-02-10xml: T5738: improve PKI building blocks for CLIChristian Breunig
2024-02-09Merge pull request #2978 from sever-sever/T6028Christian Breunig
T6028: Fix QoS policy shaper wrong class_id_max and default_minor_id
2024-02-09T6028: Fix QoS policy shaper wrong class_id_max and default_minor_idViacheslav Hletenko
The `class_id_max` is wrong due to `tmp.sort` of Strings If we have class 5 and class 10 we get sorted max value 5, expected 10 ``` >>> tmp = ['5', '10'] >>> tmp.sort() >>> tmp ['10', '5'] >>> >>> hex(5+1) '0x6' >>> >>> hex(10+1) '0xb' >>> ``` This way we get wrong default maximum class value: ``` tc qdisc replace dev eth1 root handle 1: htb r2q 444 default 6 ``` Expect: ``` tc qdisc replace dev eth1 root handle 1: htb r2q 444 default b ``` Fix this converting Strings to Integers and get max value.
2024-02-09Merge pull request #2967 from sever-sever/T5703Daniil Baturin
T5703: Fix reapply QoS for connection-oriented interfaces
2024-02-09T5703: Fix reapply QoS for connection-oriented interfacesViacheslav Hletenko
After `disconnect` and `connect` connection-oriented interfaces like PPPoE, QoS policy has to be reapplied
2024-02-09Merge pull request #2975 from c-po/migrator-t5902Christian Breunig
https: T5902: fix migration of virtual-host port
2024-02-09https: T5902: fix migration of virtual-host portChristian Breunig
CLI source node is port and not listen-port.
2024-02-08Merge pull request #2955 from c-po/rpki-T6023Christian Breunig
rpki: T6023: add support for CLI knobs expire-interval and retry-interval
2024-02-08Merge pull request #2968 from natali-rs1985/T5685-currentDaniil Baturin
T5685: Keepalived VRRP prefix is not necessary for the virtual address
2024-02-08T5685: Keepalived VRRP prefix is not necessary for the virtual addressNataliia Solomko
2024-02-08Merge pull request #2950 from aapostoliuk/T5960-circinusDaniil Baturin
T5960: Rewritten authentication node in PPTP to a single view
2024-02-08Merge pull request #2969 from sever-sever/T6026Daniil Baturin
T6026: QoS hide attempts to delete qdisc from devices
2024-02-08Merge pull request #2507 from erkin/image-toolsDaniil Baturin
op-mode: T4038: Python rewrite of image tools
2024-02-08T6026: QoS hide attempts to delete qdisc from devicesViacheslav Hletenko
Hide unexpected output by attempts of deleting `qdisc` from interfaces [ qos ] Error: Cannot find specified qdisc on specified device. Error: Cannot delete qdisc with handle of zero.
2024-02-07Merge pull request #2952 from c-po/vrfChristian Breunig
vrf: T5973: module is now statically compiled into the kernel
2024-02-07Merge pull request #2957 from c-po/bgp-T6024Christian Breunig
bgp: T6024: add additional missing FRR features
2024-02-07Merge pull request #2959 from c-po/init-T2044-rpki-part-2Christian Breunig
init: T2044: only start rpki if cache is configured
2024-02-07Merge pull request #2960 from c-po/currentChristian Breunig
xml: T302: replace references to Quagga with FRRouting
2024-02-07xml: T302: replace references to Quagga with FRRoutingChristian Breunig
2024-02-07init: T2044: only start rpki if cache is configuredChristian Breunig
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during system boot") to check the bootup configuration if an RPKI cache is defined. Only start RPKI if this is the case.
2024-02-07Merge pull request #2944 from HollyGurza/T3843-currentChristian Breunig
vpn: T3843: l2tp configuration not cleared after delete
2024-02-07bgp: T6024: add additional missing FRR featuresChristian Breunig
* set protocols bgp parameters labeled-unicast <explicit-null | ipv4-explicit-null | ipv6-explicit-null> * set protocols bgp parameters allow-martian-nexthop * set protocols bgp parameters no-hard-administrative-reset"
2024-02-07rpki: T6023: add support for CLI knobs expire-interval and retry-intervalChristian Breunig
2024-02-07Merge pull request #2953 from sever-sever/T6021Christian Breunig
T6021: Fix QoS shaper r2q calculation
2024-02-07T5960: Rewritten authentication node in PPTP to a single viewaapostoliuk
Rewritten authentication node in accel-ppp services to a single view. In particular - PPTP authentication.
2024-02-07vrf: T5973: module is now statically compiled into the kernelChristian Breunig
Always enable VRF strict_mode
2024-02-07T6021: Fix QoS shaper r2q calculationViacheslav Hletenko
The current calculation `r2q` is wrong as it uses `Floor division` but expecting `division` This way `math.ceil` calculate wrong value as we expect round a number upward to its nearest integer For example for speed 710 mbits expected value `444` but we get `443` ``` from math import ceil MAXQUANTUM = 200000 speed = 710000000 speed_bps = int(speed) // 8 >>> speed_bps // MAXQUANTUM 443 >>> speed_bps / MAXQUANTUM 443.75 >>> >>> >>> ceil(speed_bps // MAXQUANTUM) 443 >>> ceil(speed_bps / MAXQUANTUM) 444 >>> ```
2024-02-06Merge pull request #2941 from jestabro/cleanup-waitJohn Estabrook
image-tools: T6016: wait for umount in cleanup function
2024-02-06Merge pull request #2946 from sever-sever/T5921Christian Breunig
T5921: Fix OpenConnect verify for local users
2024-02-06T5921: Fix OpenConnect verify for local usersViacheslav Hletenko
Fix verify error for the VPN OpenConnect configuration with local authentication and without any user File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify if not ocserv["authentication"]["local_users"]: KeyError: 'local_users'
2024-02-06vpn: T3843: l2tp configuration not cleared after deletekhramshinr
vpn: T5926: IPSEC does not apply after l2tp configuration was changed added dependency between l2tp and ipsec conf added test for apply config to swanctl
2024-02-06Merge pull request #2943 from vyos/mergify/bp/current/pr-2942Daniil Baturin
op-mode:T6015:Fix for charon file generated by ipsec debug script (backport #2942)
2024-02-06op-mode:T6015:Fix the charon file generated by ipsec debug scriptsrividya0208
(cherry picked from commit 0c9c496961dc88110da53943a14dd88086ea920d)
2024-02-05image-tools: T6016: wait for umount in cleanup functionJohn Estabrook
2024-02-06Merge pull request #2936 from c-po/rpki-T6011Daniil Baturin
rpki: T6011: known-hosts-file is no longer supported by FRR
2024-02-06Merge pull request #2935 from c-po/rpkiDaniil Baturin
init: T2044: always start/stop rpki during system boot
2024-02-05Merge pull request #2937 from jestabro/overhead-advisory-updateJohn Estabrook
T6018: adjust smoketest for update to FastAPI web framework
2024-02-05T6018: adjust smoketest for update to FastAPI web frameworkJohn Estabrook
2024-02-03rpki: T6011: known-hosts-file is no longer supported by FRRChristian Breunig
2024-02-03init: T2044: always start/stop rpki during system bootChristian Breunig
2024-02-03Merge pull request #2932 from c-po/ipsec-T5998Christian Breunig
ipsec: T5998: add replay-windows setting
2024-02-03ipsec: T5998: add replay-windows settingChristian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040>
2024-02-03Merge pull request #2931 from c-po/configdict-bugfixViacheslav Hletenko
configdict: T5894: preserve old behavior when dealing with PKI
2024-02-02configdict: T5894: preserve old behavior when dealing with PKIChristian Breunig
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki") added the generic PKI flag but if there was no PKI subsystem available in the configuration, no pki dict key ever manifested in the resulting dictionary requested by the caller. This is different to the old behavior (which each caller implementing the call itself) where there always was a pki key present - even if it was empty. This triggered a bug in the IPSec script Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module> verify(ipsec) File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify verify_pki_rsa(ipsec['pki'], rsa) ~~~~~^^^^^^^ KeyError: 'pki' As it wanted to verify keys, but there was no pki dictionary key available. This commit restores the previous behavior.
2024-02-02Merge pull request #2748 from MattKobayashi/t5848Christian Breunig
qos: T5848: Add triple-isolate option to CAKE policy config