| Age | Commit message (Collapse) | Author |
|
vpp: T8125: Enable ip4-dhcp-client-detect feature if interface address is configured as DHCP
|
|
vpp: T8143: Incorrect mapping in IPFIX for bond interfaces
|
|
T7664: support FRR 10.5
|
|
configured as DHCP
DHCP address cannot be assigned on VPP interfaces without enabling the 'ip4-dhcp-client-detect' feature
|
|
* Move core logic to separate vyos.geoip module
* Use a sqlite database for storing and querying address ranges by country
* Remove downloaded geoip ranges once loaded into sqlite db
* No longer rebuild geoip sets on each commit unless necessary
* Allows for extensibility using other geoip data vendors
|
|
ssh: T7483: Add fido2 PubkeyAuthOptions
|
|
|
|
T7101: Add hardware watchdog support via systemd
|
|
|
|
|
|
- Introduced new CLI option 'data-ciphers-fallback' for OpenVPN interfaces
(used as fallback cipher in site-to-site mode)
- Adjust migration 1‑to‑2 to skip migrating 'cipher' for site‑to‑site interfaces
|
|
isis: T8158: fix lsp-timers
|
|
T8046: traffic-engineering: support link-params
|
|
There are three configuration values in VyOS isis XML:
* lsp-gen-interval
* lsp-refresh-interval
* max-lsp-lifetime
In FRR they have the following restrictions in yang model:
* refresh-interval, default 900
* maximum-lifetime >= refresh-interval + 300 (350-65535), default 1200
* generation-interval < refresh-interval (1..120), default 30
When setting these values in separate steps we can get error e.g.:
libyang: Must condition ". >= ../refresh-interval + 300" not satisfied.
even when all restrictions are satisfied.
To fix the issue:
1. Write default values in our XML.
2. Check these restrictions in protocol_isis.py
3. Use FRR command `lsp-timers` that sets all these values in one go
|
|
Add 'traffic-engineering' commands under 'protocols'.
set protocols traffic-engineering admin-group ADMINGROUP bit-position 1
set protocols traffic-engineering interface INTERFACE admin-group ADMINGROUP
set protocols traffic-engineering interface INTERFACE max-bandwidth 1280
set protocols traffic-engineering interface INTERFACE max-reservable-bandwidth 1280
Also add
set protocols isis traffic-engineering export
|
|
T7635: OpenConnect Certificate Authentication
|
|
router-advert: T8140: add captive portal support (RFC 8910)
|
|
Add support for captive portal identification in IPv6 router adverts as
defined in RFC 8910. The value is a quoted URL pointing to an RFC
8908-compliant API endpoint.
|
|
Add nat66 as a dependency of firewall groups, because nat66 may
reference firewall groups via source-destination-group-ipv6.xml.i. The
dependency is necessary to ensure a fresh nft ruleset is built when
dependent groups are updated, so that the changes actually take effect
in nat66 on commit.
Add a smoketest to cover nft rulesets failing to update as a result of
changes to dependent firewall groups.
Original commit adding support for groups in nat66 is commit f96733dd.
|
|
|
|
In FRR 10.5 'bgp reject-as-sets' became default
(https://frrouting.org/release/10.5.0/):
> BGP rejects AS_SET by default
> Until 10.5.0, it was disabled by default, and since RFC 9774 was
> published, we switched this on by default (to reject).
Add 'no bgp reject-as-sets' when VyOS option reject_as_sets is not set.
|
|
|
|
Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
|
|
T8082: VPP fails to start with buffers page-size 1G
|
|
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this
minor detail.
|
|
|
|
T8011: VPP fix log duplication in systemd journal
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
Set the standard output/error to null to avoid log duplication.
Starting the service as "nodaemon" seems cause of this behavior.
|
|
syslog: T4251: Rename "permitted-peers" to "permitted-peer" and improve TLS checks
|
|
The generated Net-SNMP configuration for SNMPv3 trap-targets was fundamentally
broken. Not only was the auth/priv type not written in uppercase letters, but
also the ordering of transport protocol, IP(v6) address and port was wrong.
To complete the issues above - IPv6 addresses did not get wrapped into
mandatory [] brackets.
|
|
T8027: vpn: adding config for swanctl "send-cert always"
|
|
kea: T7913: Fixes for ping-check handling
|
|
firewall: T7739: Default ruleset for firewall zones
|
|
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
|
|
- Kea docs state multi-threaded mode is required for ping checking.
- Parent scope needs enabling if shared-network/subnet has ping-check enabled.
|
|
T7970: VPP use systemd-notify to start the service
|
|
This allows systemd to properly track VPP startup and manage service
dependencies using Type=notify service configuration.
|
|
Add VPP IPFIX configuration commands:
```
set vpp ipfix active-timeout '8'
set vpp ipfix collector 192.0.2.2 port '2055'
set vpp ipfix collector 192.0.2.2 source-address '192.0.2.1'
set vpp ipfix flowprobe-record 'l2'
set vpp ipfix flowprobe-record 'l3'
set vpp ipfix flowprobe-record 'l4'
set vpp ipfix inactive-timeout '32'
set vpp ipfix interface eth0
set vpp ipfix interface eth1 direction 'both'
set vpp ipfix interface eth1 flow-variant 'ipv4'
```
|
|
|
|
T7949: VPP add the ability to configure bond subinterfaces for NAT
|
|
checks
- Renamed `permitted-peers` to `permitted-peer` across templates, schema, and tests.
- Added support for multiple `permitted-peer` entries and trimmed empty values.
- Replaced TLS/UDP warning with ConfigError for strict validation.
- Updated tests to use TCP for TLS and verified new validation logic.
|
|
T7896: Add frr profile selection
|
|
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
* dhcp-server: T3936: Added support for DHCP Option 82
This commit adds support in both the CLI and the underlying code for
DHCP Option 82 to be used to filter/route DHCP address assignments.
The primary use case for this is to support enterprise switches which
can "tag" DHCP requests with physical real world informaiton such as
which switch first saw the request and which port it originated from
(known in this context as remote-id and circuit-id). Once
client-classes have been defined they can be assigned to subnets or
ranges so that only certain addresses get assigned to specific
requests.
There is also a corresponding documentation update which pairs with
this code change.
(cherry picked from commit 326b5e713cb363a2b9f69e2204c4ee2ccd9939bb)
* Update src/conf_mode/service_dhcp-server.py
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
* Update src/conf_mode/service_dhcp-server.py
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
* Update interface-definitions/include/dhcp/dhcp-server-common-config.xml.i
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
|
|
T7938: VPP: Rewrite sFlow implementation
|
|
haproxy: T7906: Probing of a port other than the one to which normal traffic is sent
|
|
is sent
Add support for specifying a custom health check port for HAProxy backend servers.
This allows health probes to target a dedicated endpoint - such as port 8080 - separate
from normal traffic ports (e.g., 80 or 443).
|
|
|
|
|