summaryrefslogtreecommitdiff
path: root/data
AgeCommit message (Collapse)Author
2025-08-13haproxy: T7715: Add rule matching on subdomainssarthurdev
2025-08-12Merge pull request #4637 from alexandr-san4ez/T7562-currentDaniil Baturin
ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configs
2025-08-12ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configsOleksandr Kuchmystyi
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern StrongSwan backend by setting `unique=never` in swanctl.conf for connections. This restores legacy behavior about multiple connections with the same identity.
2025-08-07T7697: Merge remote-tracking branch 'vpp/current' into vyos-1xViacheslav
2025-08-02conntrack: T7482: Fix custom timeoutsRyan Zuwala
Fix custom conntrack timeout rules and add smoketests
2025-07-31VPP: T7175: Add sFlow conf mode CLI and startup template (#32)KyleM
* VPP: T7175 Added conf mode CLI for VPP sflow plugin and updated VPP template to include plugin. * VPP: T7175: Conf mode CLI and startup template. * T7175: VPP fix sFlow verify use vpp enstead of enable_vpp * T7175: VPP add sFlow smoketest * T7175: VPP remove unused config_changed variable --------- Co-authored-by: Viacheslav <v.gletenko@vyos.io>
2025-07-28isis: T7639: add SRv6 locator supportfett0
2025-07-28Merge pull request #4624 from alexandr-san4ez/T7581-currentViacheslav Hletenko
ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after upgrade to 1.4.x
2025-07-28ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after ↵Oleksandr Kuchmystyi
upgrade to 1.4.x Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused the IPsec service to fail if the configuration contained: ``` set vpn ipsec site-to-site peer <peer> tunnel <id> protocol 'all' ``` In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any' in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in 1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of 'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing the strongSwan service to fail on reload. This fix ensures that 'protocol all' is converted to just the subnet notation (e.g., 'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing seamless service startup after upgrade.
2025-07-24T7175: Added VPP optionKyle McClammy
2025-07-24Merge pull request #4609 from giga1699/T5797Daniil Baturin
T5797: Adjust MSS clamping from forward to postrouting hook
2025-07-22Merge pull request #4601 from aapostoliuk/T7504-currentDaniil Baturin
ipsec: T7504: Added IKEv2 retransmission options
2025-07-18ipsec: T7504: Added IKEv2 retransmission optionsaapostoliuk
Added IKEv2 retransmission options (base, tries, timeout).
2025-07-17T5797: Adjust MSS from forward hook to postroutingGiga Murphy
2025-07-13Merge pull request #4586 from nobidev/features/add-support-proxy-for-haproxyViacheslav Hletenko
T7595: Support PROXY protocol for haproxy
2025-07-13T7595: Support PROXY protocol for haproxyNobi
2025-07-02wan-load-balancing: T7584: Default SNAT behaviour fixed to effect load ↵Abhishek Safui
balanced packets only Matched the out iface name in wan load balancer default SNAT rule so that SNAT is performed to load balanced packets only
2025-06-30firewall: T7452: update rule generation for Zone-based firewallDavid Vølker
2025-06-27vrf: T7544: Ensure correct quoting for VRF ifnames in nftablesAndrew Topp
* For VRF create/delete: * Simple dquoting, as before, was parsed away by the shell * Just escaping the double quotes could cause issues with the shell mangling VRF names (however unlikely) * Wrapping original quotes in shell-escaped single quotes is a quick & easy way to guard against both improper shell parsing and string names being taken as nft keywords. * Firewall configuration: * Firewall "interface name" rules support VRF ifnames and used them unquoted, fixed for nft_rule template tags (parse_rule) * Went through and quoted all iif/oifname usage by zones and interface groups. VRF ifnames weren't available for all cases, but there is no harm in completeness. * For this, also created a simple quoted_join template filter to replace any use of |join(',') * PBR calls nft but doesn't mind the "vni" name - table IDs used instead I may have missed some niche nft use-cases that would be exposed to this problem.
2025-06-20T7531: Add FRR no bgp ipv6-auto-ra optionfactor2431
2025-06-19Merge pull request #4558 from natali-rs1985/T6951Daniil Baturin
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
2025-06-17firewall: T6951: Add a configuration command for ethertypes that bridge ↵Nataliia Solomko
firewalls should always accept
2025-06-17container: T7473: fix show/monitor container log failed when log-driver is ↵opswill
journald
2025-06-12Merge pull request #4497 from yzguy/T7432Daniil Baturin
T7432: RPKI VRF Support
2025-06-10Merge pull request #4536 from ig0rb/fix/T7510-ospf-nssa-translation-errorDaniil Baturin
T7510: ospfd.frr.j2 ospf nssa translation error - fix template
2025-06-09Merge pull request #4548 from c-po/T7202-conntrackDaniil Baturin
conntrack: T7208: nf_conntrack_buckets defaults and behavior
2025-06-09Merge pull request #4544 from opswill/firewall-featureViacheslav Hletenko
T7523: firewall: Accepting invalid traffic for pppoe discovery and wol
2025-06-08T7510: ospfd.frr.j2 ospf nssa translation error - fix templateig0rb
2025-06-07conntrack: T7208: nf_conntrack_buckets defaults and behaviorChristian Breunig
Previously, we used a lower limit of 1 and a default value of 32768 for the nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux kernel enforces an internal minimum of 1024. A configuration migrator will now adjust the lower limit to 1024 if necessary. The former default value of 32768 was passed as a kernel module option, which only took effect after the second system reboot. This was due to the option being rendered but not applied during the first boot. This behavior has been changed so that the value is now configurable at runtime and takes effect immediately. Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM, we now align the default value of nf_conntrack_buckets with the kernel's default for systems with more than 1GB of RAM to 65536 entries. Previously, we only supported half that amount.
2025-06-05T7524: Fix binary path for gwlbtunViacheslav Hletenko
Fix the gwlbtun binary path ``` r14 (gwlbtun)[8378]: aws-gwlbtun.service: Failed to locate executable /usr/bin/gwlbtun: No such file or directory ``` path ``` vyos@r14# sudo whereis gwlbtun gwlbtun: /usr/sbin/gwlbtun ```
2025-06-05T7523: firewall: Accepting invalid traffic for pppoe discovery and wolopswill
2025-06-01T7512: firewall: Modify accepting invalid traffic for VLAN aware bridgeIndrajit Raychaudhuri
Allow accepting invalid packets for ethernet types `8021q` and `8021ad` in addition to ARP and UDP types so that stateful bridge firewall works for VLAN-aware bridges in addition to regular bridges.
2025-05-29Merge pull request #4266 from takehaya/T6013-trusted-ca-keysChristian Breunig
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
2025-05-29zebra: T7349: Added importing routes from non to the kernel routing tableaapostoliuk
* zebra: T7349: Added importing routes from non to the kernel routing table Added importing routes from non to the kernel routing table. --------- Co-authored-by: Christian Breunig <christian@breunig.cc>
2025-05-29ssh: T6013: rename trusted-user-ca-key -> truster-user-caChristian Breunig
The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the bahavior to support antive certificates generated using ssh-keygen and loaded to our PKI tree. As the previous implementation did not work at all, no migrations cript is used.
2025-05-29pki: T6013: add proper dependencies for SSH CAChristian Breunig
We need to establish proper dependencies on "system login" and "pki ca" for the SSH subsystem. If the CA is updated or user principal names are modified, we must also ensure that the SSH daemon is restarted accordingly.
2025-05-29ssh: T6013: move principal name to "system login user <name> authentication"Christian Breunig
We already support using per-user SSH public keys for system authentication. Instead of introducing a new CLI path to configure per-user principal names, we should continue using the existing CLI location and store the principal names alongside the corresponding SSH public keys. set system login user <name> principal <principal> The certificate used for SSH authentication contains an embedded principal name, which is defined under this CLI node. Only users with matching principal names are permitted to log in.
2025-05-29ssh: T6013: support SSH AuthorizedPrincipalsFile in use with trusted-user-ca-keyTakeru Hayasaka
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces a new CLI node per user to support defining the authorized principals used by any given PKI certificate. It is now possible to associate SSH login users with their respective principals. Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
2025-05-28T7395: Add support for renew in REST ServerIDerr
2025-05-28T7488: Make VPP restartableNataliia Solomko
2025-05-27T7432: RPKI VRF SupportAdam Smith
2025-05-21Merge pull request #4501 from c-po/boot-recovery-T1771Daniil Baturin
T1771: automatic reboot of system into previous image
2025-05-20opennhrp: T7462: Removed unused opennhrp files and configurationsaapostoliuk
Removed unused opennhrp files and configurations
2025-05-17T1771: enable "reboot-on-upgrade-failure" for new VyOS installationsChristian Breunig
2025-05-13T7419: VPP ACL implementation (#31)Nataliia S.
CLI: ``` set vpp acl ip tag-name <tag-name> rule <nn> action <permit|deny|permit-reflect> set vpp acl ip tag-name <tag-name> rule <nn> source prefix <prefix> set vpp acl ip tag-name <tag-name> rule <nn> source port <port|range> set vpp acl ip tag-name <tag-name> rule <nn> destination prefix <prefix> set vpp acl ip tag-name <tag-name> rule <nn> destination port <port> set vpp acl ip tag-name <tag-name> rule <nn> protocol <protocol> set vpp acl ip tag-name <tag-name> rule <nn> tcp-flags <fin|syn|rst|psh|ack|urg|ecn|cwr> set vpp acl ip tag-name <tag-name> rule <nn> tcp-flags not <fin|syn|rst|psh|ack|urg|ecn|cwr> set vpp acl ip interface <interface_name> input acl-tag <n> tag-name <tag-name> set vpp acl ip interface <interface_name> output acl-tag <n> tag-name <tag-name> set vpp acl macip tag-name <tag-name> rule <nn> prefix <prefix> set vpp acl macip tag-name <tag-name> rule <nn> mac-address <mac> set vpp acl macip tag-name <tag-name> rule <nn> mac-mask <mac-mask> set vpp acl macip tag-name <tag-name> rule <nn> action <permit|deny> set vpp acl macip interface <interface_name> tag-name <tag-name> ``` OP mode ``` show vpp acl ip tag-name <tag_name> show vpp acl ip interface show vpp acl macip tag-name <tag_name> show vpp acl macip interface ```
2025-05-07T7386: firewall: allow mix of IPv4 and IPv6 addresses/prefixes/ranges in ↵Mark Hayes
remote groups
2025-05-06Merge pull request #4480 from c-po/T7122-pkiDaniil Baturin
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
2025-05-05pki: T7122: when ACME listen-address is used - check if port is availableChristian Breunig
When instructing certbot to listen on a given address, check if the address is free to use. Also take this into account when spawning certbot behind HAProxy. If the address is not (yet) bound - the request must be done in standalone mode and not via the reverse-proxy.
2025-05-04haproxy: T7122: always reverse-proxy ACL for certbotChristian Breunig
Always enable the ACL entry to reverse-proxy requests to the path "/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for a given HAProxy frontend service. This is an intentional design decision to simplify the implementation and reduce overall code complexity. It poses no risk: a missing path returns a 404, and an unavailable backend yields an error 503. This approach avoids a chicken-and-egg problem where certbot might try to request a certificate via reverse-proxy before the proxy config is actually generated and active. By always routing through HAProxy, we also eliminate downtime as port 80 does not need to be freed for certbot's standalone mode.
2025-05-01T7390: VPP CGNAT implementation (#30)Nataliia S.
CLI: ``` set vpp nat cgnat interface outside <interface> # multi set vpp nat cgnat interface inside <interface> # multi set vpp nat cgnat rule <rule> outside-prefix <prefix> set vpp nat cgnat rule <rule> inside-prefix <prefix> set vpp nat cgnat timeout udp <sec> # default 300 set vpp nat cgnat timeout tcp-established <sec> # default 7440 set vpp nat cgnat timeout tcp-transitory <sec> # default 240 set vpp nat cgnat timeout icmp <sec> # default 60 ``` OP mode: ``` show vpp nat cgnat interfaces show vpp nat cgnat mappings show vpp nat cgnat sessions clear vpp cgnat inside-address <address> port <port> external-address <address> port <port> ```