| Age | Commit message (Collapse) | Author |
|
|
|
ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configs
|
|
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern
StrongSwan backend by setting `unique=never` in swanctl.conf for connections.
This restores legacy behavior about multiple connections with the same identity.
|
|
|
|
Fix custom conntrack timeout rules and add smoketests
|
|
* VPP: T7175
Added conf mode CLI for VPP sflow plugin and updated VPP template to include plugin.
* VPP: T7175: Conf mode CLI and startup template.
* T7175: VPP fix sFlow verify use vpp enstead of enable_vpp
* T7175: VPP add sFlow smoketest
* T7175: VPP remove unused config_changed variable
---------
Co-authored-by: Viacheslav <v.gletenko@vyos.io>
|
|
|
|
ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after upgrade to 1.4.x
|
|
upgrade to 1.4.x
Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused
the IPsec service to fail if the configuration contained:
```
set vpn ipsec site-to-site peer <peer> tunnel <id> protocol 'all'
```
In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any'
in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in
1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of
'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing
the strongSwan service to fail on reload.
This fix ensures that 'protocol all' is converted to just the subnet notation (e.g.,
'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing
seamless service startup after upgrade.
|
|
|
|
T5797: Adjust MSS clamping from forward to postrouting hook
|
|
ipsec: T7504: Added IKEv2 retransmission options
|
|
Added IKEv2 retransmission options (base, tries, timeout).
|
|
|
|
T7595: Support PROXY protocol for haproxy
|
|
|
|
balanced packets only
Matched the out iface name in wan load balancer default SNAT rule
so that SNAT is performed to load balanced packets only
|
|
|
|
* For VRF create/delete:
* Simple dquoting, as before, was parsed away by the shell
* Just escaping the double quotes could cause issues with the shell mangling
VRF names (however unlikely)
* Wrapping original quotes in shell-escaped single quotes is a quick & easy
way to guard against both improper shell parsing and string names being
taken as nft keywords.
* Firewall configuration:
* Firewall "interface name" rules support VRF ifnames and used them unquoted,
fixed for nft_rule template tags (parse_rule)
* Went through and quoted all iif/oifname usage by zones and interface
groups. VRF ifnames weren't available for all cases, but there is
no harm in completeness.
* For this, also created a simple quoted_join template filter to replace
any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead
I may have missed some niche nft use-cases that would be exposed to this problem.
|
|
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
firewalls should always accept
|
|
journald
|
|
T7432: RPKI VRF Support
|
|
T7510: ospfd.frr.j2 ospf nssa translation error - fix template
|
|
conntrack: T7208: nf_conntrack_buckets defaults and behavior
|
|
T7523: firewall: Accepting invalid traffic for pppoe discovery and wol
|
|
|
|
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
|
|
Fix the gwlbtun binary path
```
r14 (gwlbtun)[8378]: aws-gwlbtun.service: Failed to locate executable /usr/bin/gwlbtun: No such file or directory
```
path
```
vyos@r14# sudo whereis gwlbtun
gwlbtun: /usr/sbin/gwlbtun
```
|
|
|
|
Allow accepting invalid packets for ethernet types `8021q` and `8021ad`
in addition to ARP and UDP types so that stateful bridge firewall works
for VLAN-aware bridges in addition to regular bridges.
|
|
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
|
|
* zebra: T7349: Added importing routes from non to the kernel routing table
Added importing routes from non to the kernel routing table.
---------
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
We need to establish proper dependencies on "system login" and "pki ca" for
the SSH subsystem. If the CA is updated or user principal names are modified,
we must also ensure that the SSH daemon is restarted accordingly.
|
|
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.
set system login user <name> principal <principal>
The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
|
|
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.
Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
|
|
|
|
|
|
|
|
T1771: automatic reboot of system into previous image
|
|
Removed unused opennhrp files and configurations
|
|
|
|
CLI:
```
set vpp acl ip tag-name <tag-name> rule <nn> action <permit|deny|permit-reflect>
set vpp acl ip tag-name <tag-name> rule <nn> source prefix <prefix>
set vpp acl ip tag-name <tag-name> rule <nn> source port <port|range>
set vpp acl ip tag-name <tag-name> rule <nn> destination prefix <prefix>
set vpp acl ip tag-name <tag-name> rule <nn> destination port <port>
set vpp acl ip tag-name <tag-name> rule <nn> protocol <protocol>
set vpp acl ip tag-name <tag-name> rule <nn> tcp-flags <fin|syn|rst|psh|ack|urg|ecn|cwr>
set vpp acl ip tag-name <tag-name> rule <nn> tcp-flags not <fin|syn|rst|psh|ack|urg|ecn|cwr>
set vpp acl ip interface <interface_name> input acl-tag <n> tag-name <tag-name>
set vpp acl ip interface <interface_name> output acl-tag <n> tag-name <tag-name>
set vpp acl macip tag-name <tag-name> rule <nn> prefix <prefix>
set vpp acl macip tag-name <tag-name> rule <nn> mac-address <mac>
set vpp acl macip tag-name <tag-name> rule <nn> mac-mask <mac-mask>
set vpp acl macip tag-name <tag-name> rule <nn> action <permit|deny>
set vpp acl macip interface <interface_name> tag-name <tag-name>
```
OP mode
```
show vpp acl ip tag-name <tag_name>
show vpp acl ip interface
show vpp acl macip tag-name <tag_name>
show vpp acl macip interface
```
|
|
remote groups
|
|
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
|
|
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
|
|
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
|
|
CLI:
```
set vpp nat cgnat interface outside <interface> # multi
set vpp nat cgnat interface inside <interface> # multi
set vpp nat cgnat rule <rule> outside-prefix <prefix>
set vpp nat cgnat rule <rule> inside-prefix <prefix>
set vpp nat cgnat timeout udp <sec> # default 300
set vpp nat cgnat timeout tcp-established <sec> # default 7440
set vpp nat cgnat timeout tcp-transitory <sec> # default 240
set vpp nat cgnat timeout icmp <sec> # default 60
```
OP mode:
```
show vpp nat cgnat interfaces
show vpp nat cgnat mappings
show vpp nat cgnat sessions
clear vpp cgnat inside-address <address> port <port> external-address <address> port <port>
```
|