| Age | Commit message (Collapse) | Author |
|
openvpn: T7633: Add support for `data-ciphers-fallback` in site-to-site tunnels
|
|
|
|
|
|
In FRR 10.5 ip protocols
* connected
* kernel
* local
* table
* table-direct
are removed. First three in fb8e399e4f66d09780f176fbecb99168089e64eb,
table* in 7fd030504be060387694e8a2af7f19ddd7dee39d.
In `ip protocols`, `ipv6 protocols` and `vrf` VyOS supports
* connected
* kernel
* table
Remove these from CLI, add migration scripts, update tests.
|
|
Some NICs as `AWS ENA VF` allow to use 16384 descriptors
|
|
- Introduced new CLI option 'data-ciphers-fallback' for OpenVPN interfaces
(used as fallback cipher in site-to-site mode)
- Adjust migration 1‑to‑2 to skip migrating 'cipher' for site‑to‑site interfaces
|
|
isis: T8158: fix lsp-timers
|
|
T8046: traffic-engineering: support link-params
|
|
There are three configuration values in VyOS isis XML:
* lsp-gen-interval
* lsp-refresh-interval
* max-lsp-lifetime
In FRR they have the following restrictions in yang model:
* refresh-interval, default 900
* maximum-lifetime >= refresh-interval + 300 (350-65535), default 1200
* generation-interval < refresh-interval (1..120), default 30
When setting these values in separate steps we can get error e.g.:
libyang: Must condition ". >= ../refresh-interval + 300" not satisfied.
even when all restrictions are satisfied.
To fix the issue:
1. Write default values in our XML.
2. Check these restrictions in protocol_isis.py
3. Use FRR command `lsp-timers` that sets all these values in one go
|
|
Add 'traffic-engineering' commands under 'protocols'.
set protocols traffic-engineering admin-group ADMINGROUP bit-position 1
set protocols traffic-engineering interface INTERFACE admin-group ADMINGROUP
set protocols traffic-engineering interface INTERFACE max-bandwidth 1280
set protocols traffic-engineering interface INTERFACE max-reservable-bandwidth 1280
Also add
set protocols isis traffic-engineering export
|
|
T7635: OpenConnect Certificate Authentication
|
|
router-advert: T8140: add captive portal support (RFC 8910)
|
|
Add support for captive portal identification in IPv6 router adverts as
defined in RFC 8910. The value is a quoted URL pointing to an RFC
8908-compliant API endpoint.
|
|
Copy the support for NAT66 destination groups (commit f96733dd and
commit 43554efc) over to NAT66 source groups as well.
Change the existing smoketest for NAT66 groups to also cover a source
group use-case example.
|
|
|
|
|
|
|
|
|
|
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this
minor detail.
|
|
According to an Arch Linux forum discussion, the cipher
rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7.
References:
- https://bbs.archlinux.org/viewtopic.php?id=188613
- https://www.openssh.org/txt/release-6.7
- https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
firewall: T8089: "geoip country-code" should get a completion helper
|
|
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
|
|
There is a CLI constraint for lowercase country codes, but user's do not
see this.
|
|
ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
If any dynamic rule is configured forwarding should be disabled because each
packet must be processed through the NAT session table to apply proper
translations
|
|
addresses
|
|
syslog: T4251: Rename "permitted-peers" to "permitted-peer" and improve TLS checks
|
|
vpp: T8016: Use "numeric" validator for acl port
|
|
|
|
nat: T8038: remove duplicate XML definitions for <properties>
|
|
|
|
We can remove the XML <properties> because it's the same as already defined
in #include <include/nat-rule.xml.i>
|
|
T8027: vpn: adding config for swanctl "send-cert always"
|
|
firewall: T7739: Default ruleset for firewall zones
|
|
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
|
|
T7556: VPP add IPFIX collector configuration
|
|
Add VPP IPFIX configuration commands:
```
set vpp ipfix active-timeout '8'
set vpp ipfix collector 192.0.2.2 port '2055'
set vpp ipfix collector 192.0.2.2 source-address '192.0.2.1'
set vpp ipfix flowprobe-record 'l2'
set vpp ipfix flowprobe-record 'l3'
set vpp ipfix flowprobe-record 'l4'
set vpp ipfix inactive-timeout '32'
set vpp ipfix interface eth0
set vpp ipfix interface eth1 direction 'both'
set vpp ipfix interface eth1 flow-variant 'ipv4'
```
|
|
bridge: T6775: The isolation option disappears after reboot
|
|
T7872: VPP XDP with rx-queue-size stuck
|
|
Previously, the bridge definition had priority 310 while ethernet interfaces
used 318. This caused bridges to be built before their member interfaces were
ready, resulting in missing or incomplete bridge configuration at boot.
Increase bridge priority from 310 to 319 to ensure bridges are processed
after base ethernet/VLAN interfaces and before higher‑level subsystems.
|
|
Queue sizes must be a power of two and between VLIB_FRAME_SIZE=256 and 65535
https://github.com/FDio/vpp/blob/d39cc2bd9374f9df7e42ad39bb9fb8e2531d3da8/src/plugins/af_xdp/device.c#L588-L608
|
|
Commit fb9f2f3e950 ("pppoe: T7485: allow explicit request for CPE IPv6 address
via IA_NA") introduced the CLI node definition for address dhcpv6, which at the
time had only a single available option. Because of that, the node wasn't
defined as <multi/> in the XML schema.
However, the generic interface code expects address to be a <multi/> XML node,
which is translated into a list in Python. This mismatch caused an error
referencing the letter d, corresponding to the first character of dhcpv6.
|
|
- Drop "tls enable" node (make "tls" a standalone key).
- Split "tls permitted-peers" list by commas into multiple "tls permitted-peer" entries.
|
|
Allow to use wildcard interfaces for zone-based firewall
It should allow interfaces like ipoe*/pppoe*/l2tp*
|
|
checks
- Renamed `permitted-peers` to `permitted-peer` across templates, schema, and tests.
- Added support for multiple `permitted-peer` entries and trimmed empty values.
- Replaced TLS/UDP warning with ConfigError for strict validation.
- Updated tests to use TCP for TLS and verified new validation logic.
|
|
Allow ipoe*, vpp and pod interfaceds
|
|
T6686: adds container health checks
|
|
T7896: Add frr profile selection
|
|
Co-authored-by: Christian Breunig <christian@breunig.cc>
|