Age | Commit message | Author
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
journald
T7432: RPKI VRF Support
conntrack: T7208: nf_conntrack_buckets defaults and behavior
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
Allow accepting invalid packets for ethernet types `8021q` and `8021ad`
in addition to ARP and UDP types so that stateful bridge firewall works
for VLAN-aware bridges in addition to regular bridges.
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
* zebra: T7349: Added importing routes from non to the kernel routing table
Added importing routes from non to the kernel routing table.
---------
Co-authored-by: Christian Breunig <christian@breunig.cc>
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the behavior to support native certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migration script is used.
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.
```
set system login user <name> principal <principal>
```
The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
This complements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.
Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
accel-ppp: T7471: Changed CoA port completion help to standard template
Bridge: T7430: Add BPDU Guard and Root Guard support
Changed CoA port completion help to standard template.
T1771: automatic reboot of system into previous image
T7348: Add config CPU thread-count for accel-ppp services
T7335: Fix typo for HAproxy help redirect-location path
since the validation utility adds them implicitly
snmp: T7464: fix the community string validation regex for compatibility with PCRE2
If any part of the system boot fails, we set overall_status=1 in the vyos-router
startup script. When an error during the image upgrade is detected, the system
will automatically revert the default boot image to the previously used version,
if the CLI option "system option reboot-on-upgrade-failure" is set.
The user is informed via console messages:
```
Booting failed, reverting to previous image
Automatic reboot in 5 minutes
Use "reboot cancel" to cancel
```
The user has time to log in and run reboot cancel to remain in the faulty image
for troubleshooting. Reboot timeout is defined by CLI: "system option
reboot-on-upgrade-failure".
Once the system boots into the previous image, the MOTD will display a
persistent warning message - cleared during next reboot.
```
WARNING: Image update to "VyOS 1.5.xxxx" failed
Please check the logs:
/usr/lib/live/mount/persistence/boot/NAME/rw/var/log
Message is cleared on next reboot!
```
Upgrade failure can be synthetically injected by booting with Kernel command
line option: vyos-fail-migration
Accel-ppp services should not use all CPU cores to process requests.
At the moment accel-ppp services use all available CPU cores
to process requests from the subscribers (establish/update session/etc).
During mass connection of sessions, this can lead to the fact that it
utilizes all CPU, and for other services like FRR, there is not enough
CPU time to process their own stable work.
Services:
- L2TP
- SSTP
- PPPoE
- IPoE
- PPTP
Make this option configurable and use all cores if not set:
```
set service pppoe-server thread-count < all | half | x >
```
The defaultValue is `all`.
T7386: firewall: Allow IPv6 member in firewall remote-groups
haproxy: T7429: remove unsupported logging facility and log level
T7423: Add kernel boot options isolcpus, hugepages, numa_balancing
VyOS 1.4.1 implemented support for logging facilities for HAProxy. The
facilities got included from the syslog XML definition, which also added
"virtual" or non-existing facilities in HAProxy, namely: all, authpriv and mark.
If any of the above facilities is set, HAProxy will not start.
The XML definition for syslog also came with an arbitrary log-level "all" that
is also unsupported in HAProxy.
This commit adds a migration script removing the illegal CLI nodes.
Add kernel options which apply during the boot:
- isolcpus
- nohz_full
- rcu_nocbs
- default_hugepagesz
- hugepages
- hugepagesz
- numa_balancing
- hpet
- mce
- nosoftlockup
- nmi_watchdog
CLI:
```
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '1,2,4-5'
set system option kernel cpu nohz-full '1,2,4-5'
set system option kernel cpu rcu-no-cbs '1,2,4-5'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-softlockup
set system option kernel memory default-hugepage-size '2M'
set system option kernel memory disable-numa-balancing
set system option kernel memory hugepage-size 1G hugepage-count '2'
set system option kernel memory hugepage-size 2M hugepage-count '512'
```
nat66: T7051: snat group as destination
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
This will add support for BPDU Guard and Root Guard to the bridge interface.
Verification will come from:
```
show log spanning-tree
```
T7412: Allow privileged containers
Add CLI config node for "group" when configuring NAT66 source
Ensure there is only one group in NAT66 source rule config
Add smoketest to cover new group usage in source NAT66 rules
T7382: adds podman log driver configuration option
Add option to limit the number of messages that are displayed on the console
during the boot process and to persist this setting with image upgrades.
```
set system option kernel quiet
```
firewall: T7358: add offload option to global state policy
advertisements (#4463)
Turns out commit b124f0b3b ("interface: T4627: support IPv6 Interface
Identifier (token) for SLAAC") uncovered a wrong assumption in VyOS that every
interface type in use always supports SLAAC and IPv6-ND (neighbor discovery).
This is not true for WireGuard, Tunnel and VTI interfaces, thus do not provide
that CLI option. In addition SLAAC support should be removed for those interface
types in a future PR.
geoip: T5636: Add geoip for policy route/route6
interface: T4627: support setting of IPv6 Interface Identifier (Token)