| Age | Commit message (Collapse) | Author |
|---|
|
rpki: T6004: add missing startup priority (backport #2983)
|
|
xml: T5738: improve PKI building blocks for CLI (backport #2982)
|
|
(cherry picked from commit 4c2acb970c62478cf1139fcf66b0de341d46f7fc)
|
|
(cherry picked from commit d4278cde2b153e163fe41e1bc461891397336bc3)
|
|
T6028: Fix QoS policy shaper wrong class_id_max and default_minor_id (backport #2978)
|
|
The `class_id_max` is wrong due to `tmp.sort` of Strings
If we have class 5 and class 10 we get sorted max value 5, expected 10
```
>>> tmp = ['5', '10']
>>> tmp.sort()
>>> tmp
['10', '5']
>>>
>>> hex(5+1)
'0x6'
>>>
>>> hex(10+1)
'0xb'
>>>
```
This way we get wrong default maximum class value:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default 6
```
Expect:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default b
```
Fix this converting Strings to Integers and get max value.
(cherry picked from commit 2e8fa45c7f0663549edd118622b3381e7c428b2e)
|
|
T5703: Fix reapply QoS for connection-oriented interfaces (backport #2967)
|
|
After `disconnect` and `connect` connection-oriented interfaces
like PPPoE, QoS policy has to be reapplied
(cherry picked from commit ffc6dc28780f4d3e8c548f3709c7f3d17babda68)
|
|
T5828: fix grub installation on arm64-efi machines (backport #2643)
|
|
https: T5902: fix migration of virtual-host port (backport #2975)
|
|
CLI source node is port and not listen-port.
(cherry picked from commit 63d53a17274349fd68defdbf9f7ce16be63fc9b1)
|
|
T5960: Rewritten authentication node in PPTP to a single view (backport #2950)
|
|
Since the migration of GRUB handling to vyos-1x, the grub install
sequence has hardcoded references to x86.
Change the GRUB sequence so it can work on arm64 as well.
(cherry picked from commit 37bd574c4e1f49b03f985c4293513ff7107ae82f)
|
|
Rewritten authentication node in accel-ppp services
to a single view. In particular - PPTP authentication.
(cherry picked from commit 018110200c9a82815dd5d0510f0732d7159c0d59)
|
|
rpki: T6023: add support for CLI knobs expire-interval and retry-interval (backport #2955)
|
|
(cherry picked from commit 17894f6f5d97df7d3ac1cf37ce0e1a96b8fa8e8b)
|
|
T5685: Keepalived VRRP prefix is not necessary for the virtual address (backport #2968)
|
|
T6026: QoS hide attempts to delete qdisc from devices (backport #2969)
|
|
Hide unexpected output by attempts of deleting `qdisc` from
interfaces
[ qos ]
Error: Cannot find specified qdisc on specified device.
Error: Cannot delete qdisc with handle of zero.
(cherry picked from commit 6dcb68ba5553ac94eb3a9da4a915999500b00ab2)
|
|
(cherry picked from commit 1cb52f758cec78b9ac19f47448064b8e9e722b67)
|
|
vrf: T5973: module is now statically compiled into the kernel (backport #2952)
|
|
bgp: T6024: add additional missing FRR features (backport #2957)
|
|
init: T2044: only start rpki if cache is configured (backport #2959)
|
|
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during
system boot") to check the bootup configuration if an RPKI cache is defined.
Only start RPKI if this is the case.
(cherry picked from commit 9b8e11e078c42e3ae86ebfa45fec57336f25a0af)
|
|
Always enable VRF strict_mode
(cherry picked from commit 117fbcd6237b59f54f2c1c66986a8ce073808c84)
|
|
* set protocols bgp parameters labeled-unicast <explicit-null | ipv4-explicit-null | ipv6-explicit-null>
* set protocols bgp parameters allow-martian-nexthop
* set protocols bgp parameters no-hard-administrative-reset"
(cherry picked from commit fff6004d46c5b939800fc3e61fe2102224625c0d)
|
|
xml: T302: replace references to Quagga with FRRouting (backport #2960)
|
|
vpn: T3843: l2tp configuration not cleared after delete (backport #2944)
|
|
(cherry picked from commit 1c882769cc0627cfc1ebf5ab7c338c6c474456da)
|
|
vpn: T5926: IPSEC does not apply after l2tp configuration was changed
added dependency between l2tp and ipsec conf
added test for apply config to swanctl
(cherry picked from commit e697ed1e7fd5c33f8082b2f4f96c42fc822ec9a5)
|
|
T6021: Fix QoS shaper r2q calculation (backport #2953)
|
|
The current calculation `r2q` is wrong as it uses `Floor division`
but expecting `division`
This way `math.ceil` calculate wrong value as we expect
round a number upward to its nearest integer
For example for speed 710 mbits expected value `444` but we get `443`
```
from math import ceil
MAXQUANTUM = 200000
speed = 710000000
speed_bps = int(speed) // 8
>>> speed_bps // MAXQUANTUM
443
>>> speed_bps / MAXQUANTUM
443.75
>>>
>>>
>>> ceil(speed_bps // MAXQUANTUM)
443
>>> ceil(speed_bps / MAXQUANTUM)
444
>>>
```
(cherry picked from commit ce1035e1e8642bf740e2a21693a72fe2127b8f72)
|
|
image-tools: T6016: wait for umount in cleanup function (backport #2941)
|
|
T5921: Fix OpenConnect verify for local users (backport #2946)
|
|
(cherry picked from commit d80530c48a78dfeb55293494a257f6234b0ef76d)
|
|
Fix verify error for the VPN OpenConnect configuration with
local authentication and without any user
File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify
if not ocserv["authentication"]["local_users"]:
KeyError: 'local_users'
(cherry picked from commit 71644dfed63f6248525db3c3bc9493c059707a2a)
|
|
op-mode:T6015:Fix for charon file generated by ipsec debug script
|
|
|
|
rpki: T6011: known-hosts-file is no longer supported by FRR (backport #2936)
|
|
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
|
|
T6018: adjust smoketest for update to FastAPI web framework (backport #2937)
|
|
(cherry picked from commit e1b63b9b1704a55ccbf75e7131651c85dd318107)
|
|
ipsec: T5998: add replay-windows setting (backport #2932)
|
|
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.
* set vpn ipsec site-to-site peer <name> replay-window <0-2040>
(cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
|
|
configdict: T5894: preserve old behavior when dealing with PKI (backport #2931)
|
|
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki")
added the generic PKI flag but if there was no PKI subsystem available
in the configuration, no pki dict key ever manifested in the resulting
dictionary requested by the caller.
This is different to the old behavior (which each caller implementing the call
itself) where there always was a pki key present - even if it was empty.
This triggered a bug in the IPSec script
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module>
verify(ipsec)
File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify
verify_pki_rsa(ipsec['pki'], rsa)
~~~~~^^^^^^^
KeyError: 'pki'
As it wanted to verify keys, but there was no pki dictionary key available.
This commit restores the previous behavior.
(cherry picked from commit 9b56a86def674886721a367c02371f9da65c3fd3)
|
|
qos: T5848: Add triple-isolate option to CAKE policy config (backport #2748)
|
|
(cherry picked from commit 762be96f45bb1d9705e45ff554ad483c9d4e10ff)
|
|
(cherry picked from commit 61342083d7db8c30d015474fae5cb71f480487d8)
|
|
container: T5955: add uid/gid settings (backport #2927)
|
