* For VRF create/delete:
  * Simple dquoting, as before, was parsed away by the shell
  * Just escaping the double quotes could cause issues with the shell mangling
    VRF names (however unlikely)
  * Wrapping original quotes in shell-escaped single quotes is a quick & easy
    way to guard against both improper shell parsing and string names being
    taken as nft keywords.
* Firewall configuration:
  * Firewall "interface name" rules support VRF ifnames and used them unquoted,
    fixed for nft_rule template tags (parse_rule)
  * Went through and quoted all iif/oifname usage by zones and interface
    groups. VRF ifnames weren't available for all cases, but there is
    no harm in completeness.
  * For this, also created a simple quoted_join template filter to replace
    any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead

I may have missed some niche nft use-cases that would be exposed to this problem.
|
|
mode cache generator
|
|
wan-load-balancing: T7567: Write health-status on first run
|
|
for cases when commands need both fixed and variable arguments
|
|
Write the health-status on the very first run of the script,
without waiting for any change in status, to show the current
state to the show command. In the show command, use the same API
to get the now timestamp as used in the state change timestamp.
|
|
T7561: simplify op-mode-definitions XML cache generation
|
|
T7570: add missing list of scripts to be committed, needed for configdep
|
|
pki: T7574: add optional force argument to renew certbot-issued certificates
|
|
pki: T7573: fix TypeError when HAProxy is not in use
|
|
T7531: Add FRR no bgp ipv6-auto-ra option
|
|
Commit 59d86826a2f ("haproxy: T7122: add ACME/certbot bootstrap support")
introduced a regression where a None value was inadvertently iterated over.
This patch prevents the invalid access by verifying that all required keys are
present in the dictionary before proceeding.
|
|
Certbot renewal command in op-mode "renew certbot" only works if any of the
certificates is up for renewal. There is no CLI option to forcefully renew a
certificate. This is about adding a force option to the CLI and with this
addition move the entire certbot renew handling to new-style op-mode commands.
vyos@vyos:~$ renew certbot force
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /config/auth/letsencrypt/renewal/vyos.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vyos.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/config/auth/letsencrypt/live/vyos/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
|
|
T7355: periodical cleanup of unused Python3 import statements
|
|
installer: T6144: require at least 2GB of free space for image upgrade
|
|
The original implementation of the op-mode XML cache generation resulted
in a structure that was difficult to use, for example, in documentation
generation. The source of complication is that, unlike the XML of
interface-definitions, path names are not unique: the same path may
occur as both a regular node and as a tag node. Here we simplify the
underlying structure by enriching path names with type information, thus
disambiguating paths. An interface to the cache is provided by explicit
generator and lookup functions.
|
|
T7564: added darker ruff lint workflow
|
|
op-mode: T7541: convert duplicate nodes and tag nodes to standalone tag nodes
|
|
op-mode: T7543: move "clear interfaces <type> [name] counters" to "clear interfaces counters [type] [name]"
|
|
op-mode: T7542: add support for "standalone" behavior of operational mode tag nodes
|
|
T7554: fix wireguard fwmark parsing
|
|
T7564: GitHub: remove ruff linter PR check - should be an automated review
|
|
Consensus amongst the developers was to rather move the hard PR check to
a soft check in the form of an automated review by a bot using GitHub Actions.
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
migration: T6968: check for ip address as next-hop-interface
|
|
1.3.x did not disallow an IP address as value of:
protocols static route addr next-hop-interface
Consequently, the case should be checked and handled during migration.
|
|
firewalls should always accept
|
|
journald
|
|
vrf: T7506: Do not use default table 254 for VRF
|
|
vyos-1x-vmware: T3681: Remove extra -x flag from Python bytecompile
|
|
T7488: add utility for automatic rollback of section on apply stage error
|
|
T7432: RPKI VRF Support
|
|
openvpn: T7056: Raise error if non-TAP device is bridged
|
|
smoketest: T7539: improve Kernel option check for WWAN
|
|
where it is possible without changing the command syntax
|
|
interfaces counters [type] [name]"
|
|