| Age | Commit message (Collapse) | Author |
|
This is needed for debugging the concatenated XML include blocks, otherwise two
XML comments will show up on one line due to the missing newline which is
annoying.
|
|
Add input-queue-limit and output-queue-limit CLI nodes to expose global FRR
"bgp input-queue-limit" and "bgp output-queue-limit" commands via our CLI.
Parameters control the maximum number of queued messages for all BGP peers
during message parsing. FRR default is 10000 which we honor.
Note that this is a global option and can only be set for the global/default
BGP instance.
|
|
bgp: T8865: Reject `vni` sub-block in VRF l2vpn-evpn when `advertise-all-vni` is globally active
|
|
geoip: T8987: Support updates via source-address/vrf
|
|
`advertise-all-vni` is globally active
When `advertise-all-vni` is configured in the global/default BGP instance,
VyOS generated a `vni <id>` sub-block under each VRF BGP `address-family
l2vpn evpn` context. This conflicts with advertise-all-vni: FRR already
owns all kernel VNIs and returns `% Failed to create VNI` when frr-reload.py
attempts to apply the VRF-level vni sub-block. FRR then performs an early
exit from config processing, silently dropping the entire l2vpn evpn
address-family for all subsequent VRF BGP instances.
|
|
T8097: strongswan: add CLI for ESN
|
|
|
|
|
|
geoip: T5746: Add GeoIP ASN support
|
|
T8099: strongswan: 6.0.6 + Post quantum options
|
|
haproxy: T8931: Improve WebSocket support for HAProxy
|
|
Add options for mlkem*
|
|
Introduce 'anycast-gateway' leafNode for pseudo-ethernet interfaces.
When set, a local FDB entry is installed on the parent bridge to
prevent the shared anycast MAC from leaking over the VXLAN overlay.
|
|
Add CLI commands:
set vpn ipsec ike-group MyIKEGroup proposal 1 esn ESN-VALUE
set vpn ipsec esp-group MyESPGroup proposal 1 esn ESN-VALUE
Where ESN-VALUE can be one of:
* required: only establish connection using ESN
* optional: try using ESN, but if not available, accept non-ESN
* disabled (default): don't use ESN
StrongSwan 6.0.6 doesn't allow connections between proposal with
'-noesn' and without '-esn'/'-noesn'. To make it work as expected, use
two proposals for 'optional' and 'disabled':
* required: PROPOSAL-esn
* optional: PROPOSAL-esn-noesn,PROPOSAL
* disabled: PROPOSAL-noesn,PROPOSAL
|
|
|
|
|
|
Add refresh-on-ttl-perc, nothing-below-nxdomain, and minimum-ttl-override
under service dns forwarding with recursor template and smoketest coverage.
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
bgp: T8223: Prevent `advertise-all-vni` in multiple BGP VRF instances simultaneously
|
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
As salt has been marked deprecated via T8056 and is thus deprecated in VyOS 1.5
and VyOS 1.4 it is time to remove it from the rolling release.
|
|
simultaneously
FRR only allows one BGP instance to hold `advertise-all-vni` at a time
(FRR issue #9405). When a default BGP instance is present it is always
started before named VRF instances, so if a named VRF holds
the flag FRR silently rejects it on every boot (regardless of default
EVPN config), causing the running config to diverge from what is
stored in VyOS.
Enforce the following policy in verify():
- Default BGP instance may always hold `advertise-all-vni`.
- A named VRF may hold it only when no default BGP instance exists.
- Only one BGP instance (default or named VRF) may hold it at a time.
The default BGP verify path additionally scans dependent VRFs so that
adding or modifying the default BGP instance while a named VRF already
holds the flag is caught even when the VRF node is not part of the
current commit.
|
|
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
|
|
|
|
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.
The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.
Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.
This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
|
|
ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers
|
|
wan: T8480: add suppress_prefixlength ip rules for internal routing
|
|
T8910: ipoe-server: expose accel-ppp idle-timeout option
|
|
openconnect: T7654: OpenConnect Script Execution
|
|
Add a CLI knob to terminate idle IPoE sessions after a configurable
timeout:
set service ipoe-server idle-timeout <0-86400>
Today there is no way to age out stale IPoE sessions: clients that go
silent (powered off, link down) leave a session record on the router
indefinitely. accel-ppp natively supports idle-timeout in its [ipoe]
section but VyOS did not expose it.
The option is added as a shared accel-ppp include so it can be reused
by other accel-ppp services in follow-up PRs.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
|
|
|
|
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
virtual-server (#5205)
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
* dhcpv6: T8849: Add time-zone support for Kea DHCPv6
Add DHCPv6 option support for time zone (RFC4833 options
41 and 42). This includes both the POSIX-style TZ string
(`new-posix-timezone`) and the IANA time zone name
(`new-tzdb-timezone`).
* dhcpv6: T8849: Refactor per code-review suggestion
* dhcpv6: T8849: Reformat for compliance
|
|
strongSwan validation
Previously generated CRLs were missing the Authority Key Identifier and
CRL Number extensions required by strongSwan for certificate revocation
validation. Without these extensions, strongSwan silently ignores the CRL,
allowing revoked certificates to authenticate successfully.
The migration regenerates existing CRLs for all CAs that have a private
key available. CAs with passphrase-protected keys are skipped with a
warning, as the passphrase cannot be provided non-interactively
|
|
|
|
|
|
|
|
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
|
|
This duplication did not cause any harm, but was found in the general
clean up related to element 'properties' collisions.
|
|
The include is unnecessary, as the element is fully defined in the
subsequent lines. As node.def files are only populated on the first
instance, this leads to loss of the proper value help entries hence
completions.
Without these changes, for example:
vyos@vyos# set system conntrack ignore ipv4 rule 137 protocol
will not list 'all', 'tcp_udp', etc. as intended.
|
|
FRR (#4994)
* sr-te: T6750: Adding Segment Routing Traffic Engineering portion of FRR
---------
Co-authored-by: Cheeze_It <none@none.com>
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
T8587: fix XML data type from u32 to u64 where range exceeds uint32 max
|
|
bgp: T8589: Add ead, es and [1-5] to route-map match evpn route-type
|
|
T8293: Add ability to set timeout for high-availability health-check
|
|
Setting a timeout allows VRRP health-check scripts to run longer than the set interval.
Without timeout, keepalived considers the script as failed after interval seconds.
With timeout set higher than interval, the script has more time to complete
before being marked as failed and transitioning VRRP to FAULT state.
|