| Age | Commit message | Author |
xml: T7467: remove ^/$ wrapping from validation regexes
policy: T5069: large-community-list regex validator disallows whitespace
openconnect: T7287: VPN Openconnect does not check dictionary key se…
since the validation utility adds them implicitly
snmp: T7464: fix the community string validation regex for compatibility with PCRE2
bonding: T7466: fix the 802.3ad regex
for compatibility with PCRE2
T7458: Fix VPN IPsec unexpected passthrough logic bug
T7414: Fix conntrack ignore rules for using several ports
with authentication mode RADIUS
If we use several ports for `conntrack ignore`, curly braces have to be used
for nftables.
Incorrect format: dport 500,4500
Correct format: dport { 500, 4500 }
The VPN IPsec unexpected passthrough logic bug was introduced in this
commit: https://github.com/vyos/vyos-1x/commit/f480346bb8e934b1ce2e0fc3be23f7168273bba1
The correct behaviour of `cidr_fit` was replaced with the incorrect
`overlap`.
This way, the passthrough option is used every time the networks overlap.
```
>>> from ipaddress import ip_network
>>>
>>> a = ip_network('192.0.2.0/24')
>>> b = ip_network('192.0.2.100/30')
>>>
>>> a.overlaps(b)
True
>>>
>>> b.overlaps(a)
True
>>>
```
But there should be `subnet_of`:
```
>>> a.subnet_of(b)
False
>>>
>>> b.subnet_of(a)
True
>>>
```
In the configuration it looks like:
```
set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30'
```
The unexpected StrongSwan configuration:
```
RIGHT-tunnel-0-passthrough {
    local_ts = 192.0.2.0/24
    remote_ts = 192.0.2.0/24
    start_action = trap
    mode = pass
}
```
So all outgoing traffic to 192.0.2.0/24 passes through the main routing
table instead of the SA.
Use `subnet_of` to fix this.
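An added Python example (not the vyos-1x code itself) that runs the buggy `overlaps` check and the `subnet_of` fix side by side on the prefixes from the message above. It assumes, as the `a.subnet_of(b)` check in the message implies, that a passthrough is only needed when the local prefix lies inside the remote prefix; the rendering helper is a constructed stand-in for the real template.

```python
from ipaddress import ip_network


def passthrough_prefixes(local_prefixes, remote_prefixes, fixed=True):
    """Return the local prefixes that need a passthrough (bypass) policy.

    fixed=False reproduces the buggy check: overlaps() is symmetric, so a
    remote prefix carved out of the local prefix triggers a passthrough
    for the whole local prefix and its traffic bypasses the SA.
    fixed=True uses subnet_of(): a passthrough is only generated when the
    local prefix lies inside the remote prefix (assumption, see lead-in).
    """
    result = []
    for local_prefix in local_prefixes:
        local_net = ip_network(local_prefix)
        for remote_prefix in remote_prefixes:
            remote_net = ip_network(remote_prefix)
            if local_net.version != remote_net.version:
                # IPv4 and IPv6 prefixes can never contain each other;
                # subnet_of() would raise TypeError on a mixed pair.
                continue
            if fixed:
                needed = local_net.subnet_of(remote_net)
            else:
                needed = local_net.overlaps(remote_net)
            if needed and local_prefix not in result:
                result.append(local_prefix)
    return result


def render_passthrough(peer, tunnel_id, prefixes):
    """Render swanctl-style passthrough connections (constructed stand-in
    for the real Jinja2 template) for the given local prefixes."""
    lines = []
    for prefix in prefixes:
        lines.append(f"{peer}-tunnel-{tunnel_id}-passthrough {{")
        lines.append(f"    local_ts = {prefix}")
        lines.append(f"    remote_ts = {prefix}")
        lines.append("    start_action = trap")
        lines.append("    mode = pass")
        lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Local 192.0.2.0/24, remote 192.0.2.100/30, as in the CLI example.
    local, remote = ["192.0.2.0/24"], ["192.0.2.100/30"]
    print("buggy:", render_passthrough("RIGHT", "0", passthrough_prefixes(local, remote, fixed=False)))
    print("fixed:", render_passthrough("RIGHT", "0", passthrough_prefixes(local, remote, fixed=True)))
```

With the fix the example configuration yields no passthrough at all; only the reversed case (local 192.0.2.100/30 inside remote 192.0.2.0/24) still does.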
T7450: update commit hash for Use PCRE2 instead of PCRE
T7443: Un-restricting non-root logins after scheduled reboot/shutdown via pam_nologin
T7157: bgp: Added verification of the route-map existence in vrf import
T7386: firewall: Allow IPv6 member in firewall remote-groups
Added verification of the route-map existence in the vrf
route-leaking.
frr: T7411: preserve FRR config on service restart if it exists
haproxy: T7429: remove unsupported logging facility and log level
pam_nologin
When using `reboot in`, `reboot at`, or `shutdown in`, non-root users are prevented
from logging in via SSH or console starting 5 minutes before the scheduled
shutdown or reboot time.
This behavior is intended by pam_nologin.so, which is included in the SSH and
login PAM stack (default on Debian). While expected, it may be inconvenient
and could be reconsidered.
T7423: Add kernel boot options isolcpus, hugepages, numa_balancing
* Re-introduce the whitespace/pattern matches ' ' and '_' as allowed
* Perform a general Python regex validity check (not 100% 1003.2, but in combination
with allowedChars, pretty close)
* Introduce a warning against potentially malformed or over-complex patterns,
but leave it up to the user to resolve - there are plenty of useful
expressions we cannot validate easily
VyOS 1.4.1 implemented support for logging facilities for HAProxy. The
facilities got included from the syslog XML definition, which also added
"virtual" or non-existing facilities in HAProxy, namely: all, authpriv and mark.
If any of the above facilities is set, HAProxy will not start.
The XML definition for syslog also came with an arbitrary log-level "all" that
is also unsupported in HAProxy.
This commit adds a migration script removing the illegal CLI nodes.
Add kernel options which apply during the boot:
- isolcpus
- nohz_full
- rcu_nocbs
- default_hugepagesz
- hugepages
- hugepagesz
- numa_balancing
- hpet
- mce
- nosoftlockup
- nmi_watchdog
CLI:
```
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '1,2,4-5'
set system option kernel cpu nohz-full '1,2,4-5'
set system option kernel cpu rcu-no-cbs '1,2,4-5'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-softlockup
set system option kernel memory default-hugepage-size '2M'
set system option kernel memory disable-numa-balancing
set system option kernel memory hugepage-size 1G hugepage-count '2'
set system option kernel memory hugepage-size 2M hugepage-count '512'
```
nat66: T7051: snat group as destination
utils: T7095: make `vrf` and `netns` arguments aware of the shell
large output
remote groups
T7417: check existence of paths before set_tag/return_value in migration scripts vrf/1-to-2; vrf/2-to-3
frr: T7431: missing logging options after rewrite to frrender class
interfaces: T7268: Add op-mode command for show all interfaces on system
installer: T7049: Fix GRUB boot with RAID1
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
In src/etc/systemd/system/frr.service.d/override.conf#L6-L11 the log entry is
added on restart - but not during normal operation of frrender.py.
Logging should be added persistently when rendering the FRR configuration
using the FRRender class.
Migration from 1.3.x may not contain table entries that are later required.
The migration script should not fail with an error, leaving enforcement to
config scripts.
The migration script assumed the existence of the path
['vrf', 'name', tag-val-name, 'protocols', 'static', 'route']
ignoring sole entries for [..., 'route6'].
Check the existence of each path before calling set_tag.
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound, the request must be done in standalone mode
and not via the reverse proxy.
When both the CLI PKI node for an ACME-issued certificate and HAProxy are
configured during initial setup, the certbot challenge cannot be served via the
reverse proxy because HAProxy has not yet been configured at all.
This commit introduces a special case to handle this bootstrap scenario,
ensuring that the certbot challenge can still be served correctly in standalone
mode on port 80 despite initial config dependencies/priorities between PKI
and HAProxy.
Some VyOS CLI nodes support defining multiple certificates. The previous check
when removing a certificate from the CLI only performed a string comparison,
which failed in cases where the underlying data was a list (CLI <multi/> node).
This update extends the check to handle both cases:
- If the datum is a string, perform a string comparison.
- If the datum is a list, check whether the target certificate is part of the
list.
This ensures proper removal behavior regardless of the data type used in the
CLI node.
This will wrap the messages at 72 characters in the same way as Warning() and
DeprecationWarning() would do. We now have simple wrappers for it!
Example:
```
vyos@vyos# commit
[ pki ]
Updating configuration: "load-balancing haproxy service frontend ssl
certificate LE_cloud"
Add/replace automatically imported CA certificate for "LE_cloud"
```
Revert "vyos-router: T7356: unset ANSI bold control character during boot"
bgp: T7157: Fixed error with the unknown key in the verification
This reverts commit ddca20df57008bd85b1363e089152e0ebf014f73.
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields a 503 error.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via the reverse proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
T7408: add mokutil in arm64
Add a new category of Jinja2 operands. We already have filters and tests, but
sometimes we would like to call a Python function without any data "|" piped
to it - that's what they call a clever-function.
{{ get_default_port(NAME) }} can be used to retrieve the value from
vyos.defaults.internal_ports[NAME] within Jinja2. We no longer need to extend
the dictionary with arbitrary data retrieved from vyos.defaults; we can now
simply register another clever-function to the Jinja2 backend.