| Age | Commit message (Collapse) | Author |
|
`advertise-all-vni` is globally active
When `advertise-all-vni` is configured in the global/default BGP instance,
VyOS generated a `vni <id>` sub-block under each VRF BGP `address-family
l2vpn evpn` context. This conflicts with advertise-all-vni: FRR already
owns all kernel VNIs and returns `% Failed to create VNI` when frr-reload.py
attempts to apply the VRF-level vni sub-block. FRR then performs an early
exit from config processing, silently dropping the entire l2vpn evpn
address-family for all subsequent VRF BGP instances.
|
|
bgp: T8223: Prevent `advertise-all-vni` in multiple BGP VRF instances simultaneously
|
|
As salt has been marked deprecated via T8056 and is thus deprecated in VyOS 1.5
and VyOS 1.4 it is time to remove it from the rolling release.
|
|
simultaneously
FRR only allows one BGP instance to hold `advertise-all-vni` at a time
(FRR issue #9405). When a default BGP instance is present it is always
started before named VRF instances, so if a named VRF holds
the flag FRR silently rejects it on every boot (regardless of default
EVPN config), causing the running config to diverge from what is
stored in VyOS.
Enforce the following policy in verify():
- Default BGP instance may always hold `advertise-all-vni`.
- A named VRF may hold it only when no default BGP instance exists.
- Only one BGP instance (default or named VRF) may hold it at a time.
The default BGP verify path additionally scans dependent VRFs so that
adding or modifying the default BGP instance while a named VRF already
holds the flag is caught even when the VRF node is not part of the
current commit.
|
|
strongSwan validation
Previously generated CRLs were missing the Authority Key Identifier and
CRL Number extensions required by strongSwan for certificate revocation
validation. Without these extensions, strongSwan silently ignores the CRL,
allowing revoked certificates to authenticate successfully.
The migration regenerates existing CRLs for all CAs that have a private
key available. CAs with passphrase-protected keys are skipped with a
warning, as the passphrase cannot be provided non-interactively
|
|
Previously, VyOS hardcoded the kernel boot log console to either ttyS0 or
tty0, with no post-install CLI method to change it (manual GRUB edits
were required).
This commit adds a new CLI node:
system console device <name> kernel
When set, the selected serial console is used as the kernel boot console.
When removed, the kernel boot console falls back to tty0.
|
|
(target version 6)
|
|
|
|
This commit changes logging settings naming:
- before: `set vpp settings logging default-log-level <alert>`
- after: `set vpp settings logging default-level <alert>`
|
|
|
|
|
|
- Migration script removes 'driver' and 'xdp-options' nodes.
- XDP logic is commented out in config verification and CLI tests, preserving code for future use.
- The rest of XDP-related code remains untouched
|
|
pppoe-server: T8143: Set 'vpp-cp' option automatically if interface is in VPP
|
|
T7664: support FRR 10.5
|
|
|
|
In FRR 10.5 ip protocols
* connected
* kernel
* local
* table
* table-direct
are removed. First three in fb8e399e4f66d09780f176fbecb99168089e64eb,
table* in 7fd030504be060387694e8a2af7f19ddd7dee39d.
In `ip protocols`, `ipv6 protocols` and `vrf` VyOS supports
* connected
* kernel
* table
Remove these from CLI, add migration scripts, update tests.
|
|
- Introduced new CLI option 'data-ciphers-fallback' for OpenVPN interfaces
(used as fallback cipher in site-to-site mode)
- Adjust migration 1‑to‑2 to skip migrating 'cipher' for site‑to‑site interfaces
|
|
According to an Arch Linux forum discussion, the cipher
rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7.
References:
- https://bbs.archlinux.org/viewtopic.php?id=188613
- https://www.openssh.org/txt/release-6.7
- https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
If any dynamic rule is configured forwarding should be disabled because each
packet must be processed through the NAT session table to apply proper
translations
|
|
syslog: T4251: Rename "permitted-peers" to "permitted-peer" and improve TLS checks
|
|
- Drop "tls enable" node (make "tls" a standalone key).
- Split "tls permitted-peers" list by commas into multiple "tls permitted-peer" entries.
|
|
Execute commands for vpp sflow with API calls. Use values for polling interval and sampling rate from 'system sflow'. Add op-mode command
|
|
Remove no-syscall-lock from CLI and enable this option if interrupt/adaptive mode is enabled and workers are configured.
Also forbid interrupt mode for ixgbevf driver
|
|
This reverts commit d871fe9c4c65de87232802ed54b263c9b2824391.
|
|
This reverts commit 85fe32f0e1a91a47fe4a6d4a5cdd6ac516dcc3b9.
|
|
bgp: T7760: remove per vrf instance system-as node
|
|
T75: migrate from pmacct to ipt_NETFLOW
|
|
* Change nft to iptables in system_flow-accounting.py as ipt_NETFLOW
is iptales plugin
* Remove specific and non-relevant pmacct options
* Add ipt_NETFLOW options
* Move 'interfaces' to 'netflow' tree
* Support more flexible 'source-address' and 'source-interface' for
each server instead of one source
* Add migration script
* Update op mode command 'show flow-accounting'
* Update op mode command 'restart flow-accounting'
|
|
Commit de44c6aef249 ("interface: T7379: do not request SLAAC default route when
only DHCPv6 is set") introduced a behavioral change while addressing an earlier
issue fixed in e9fb2078d5ea ("interface: T7375: SLAAC assigned address is not
cleared when removing SLAAC").
This change caused unintended connectivity loss after upgrading to VyOS 1.4.3.
The underlying reason is that VyOS now requires explicit configuration to
determine how IPv6 addressing and routing should be handled, rather than making
assumptions: Requesting a DHCPv6 address alone will correctly assign an address.
However, since the IPv6 default route is typically advertised via SLAAC (and not
DHCPv6), SLAAC must also be explicitly enabled to receive the default route.
Historically, this distinction was implicit and did not require additional
configuration.
To preserve backward compatibility, a configuration migrator has been added.
It inspects existing configurations that only request a DHCPv6 address and
automatically appends the required CLI node to also enable SLAAC, ensuring that
the default route is restored after upgrade.
|
|
VyOS 1.5 and onwards will no longer have the following CLI node available:
set vrf name <name> protocols bgp system-as <asn>
|
|
Originating from the bug in T7665. To avoid potential issues down the line - and
given that there's no compelling technical reason to retain the system-as CLI
node under per-VRF BGP configuration, which cannot be achieved through
alternative means - the maintainers have collectively decided to deprecate the
following command:
set vrf name <name> protocols bgp system-as <asn>
Starting with VyOS 1.4.4, this CLI command will be considered deprecated. While
it will still be accepted, it will no longer have any operational effect. A
deprecation warning will be displayed at commit time, indicating that the BGP
ASN from the global BGP configuration is now used instead.
A migration script will handle the transition and perform the following actions:
* Ensure a global BGP configuration exists; if not, initialize one.
* Iterate over all configured VRFs to determine whether a BGP instance exists
* For any insance, update the configuration to use the global system-as
and apply the local-as ASN no-prepend replace-as option on all affected
neighbors to preserve existing behavior.
* If a neighbor is already configured with a local-as directive, that neighbor
will be excluded from the migration process, as it already follows a custom
configuration.
* Add allowas-in per neighbor option. Required to not deny prefix received
updates due to as-path contains our own global ASN.
|
|
Added checks in the verify_rule() function of firewall.py for empty nodes.
Added migration script 19-to-20 to remove empty nodes from the config.
|
|
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
firewalls should always accept
|
|
journald
|
|
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
|
|
VyOS 1.4.1 implemented support for logging facilities for HAProxy. The
facilities got included from the syslog XML definition, which also added
"virtual" or non existing facilities in HAProxy, namely: all, authpriv and mark.
If any of the above facilities is set, HAProxy will not start.
The XML definition for syslog also came with an arbitrary log-level "all" that
is also unsupported in HAProxy.
This commit adds a migration script removing the illegal CLI nodes.
|
|
ids: T7241: remove Fastnetmon from the base system
|
|
It will eventually be moved to an addon
|
|
policy: T7116: Remove unsupported use of BGP community "internet"
|
|
* wlb: T7196: Migrate interface wildcards to nftables format
* wlb: T7196: Fix exclude/interface verify check
* wlb: T7196: Extra sanity check on ipv4 address function
|
|
This has been split into a separate commit in case this is overkill for
the fix. 1.2 and 1.3 installs predate the change to FRR that removed support,
but "internet" is already broken on 1.4.
|
|
LLDP is a stateless protocol which does not necessitate sending to receive
advertisements. There are multiple scenarios such as provider peering links in
which it is advantageous to receive LLDP but not disclose internal information
to the provider.
Add new CLI command:
* set service lldp interface <name> mode [disable|rx-tx|rx|tx]
The default is unchanged and will be rx-tx.
Furthermore if an interface has an explicit LLDP disable configured under
"set service lldp interface <name> disable" this will be migrated to
"set service lldp interface <name> mode disable"
|
|
* set protocols bgp address-family <ipv4-unicast|ipv6-unicast> redistribute
table <n> [metric <n>] [route-map <name>]
|
|
|
|
|
|
|