| Age | Commit message (Collapse) | Author |
|
T8993: initialize ReferenceTree module from string not file
|
|
geoip: T5746: Add GeoIP ASN support
|
|
Avoid initialization error in threaded applications, for example when
calling libvyosconfig functions from FastAPI background tasks.
The read_internal function from file relies on the inherently non
thread-safe Unix module; read string first and pass to lib read_string.
|
|
concurrent rekey
The vti-up-down hook and vpn_ipsec.py modify a flat-file DB
(/tmp/ipsec_vti_interfaces) through three context managers that do an
unlocked read-modify-write. During a coordinated rekey, strongSwan fires
the hook for many VTIs concurrently, so the writers lost-update each
other: an interface whose up-client add is overwritten is left admin-down
while its CHILD_SA stays installed.
Serialise all DB access by reusing vyos.utils.locking.Lock. A new
_vti_updown_db_lock() context manager wraps the three public context
managers, and remove_vti_updown_db() holds the lock across both the DB
processing and the os.unlink() to close the create/delete race.
Make the helpers absence-safe under the lock so callers no longer compose
a separate existence check with a locked operation:
open_vti_updown_db_readonly() yields None when the DB does not exist and
remove_vti_updown_db() is a no-op when it is absent. Drop the
now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and
vpn_ipsec.py and handle the None yield.
|
|
T8099: strongswan: 6.0.6 + Post quantum options
|
|
vpp: T8913: Skip bond teardown for non-structural config changes
|
|
Add options for mlkem*
|
|
Introduce 'anycast-gateway' leafNode for pseudo-ethernet interfaces.
When set, a local FDB entry is installed on the parent bridge to
prevent the shared anycast MAC from leaking over the VXLAN overlay.
|
|
vpp: T8603: Expand ACL support to logical interfaces
|
|
config: T8858: fix mutable default argument in config API methods
|
|
firewall: T8546: Fix conntrack_required for global state-policy
|
|
flush_ip() used flush_addr(label=iface_name) which only matches addresses
whose label equals exactly the interface name. Secondary IP addresses are
assigned with :N suffixed labels (e.g. defunct_eth0:2, defunct_eth0:3)
and are not matched, so they remain on the interface.
Fix by flushing addresses by interface index instead of label, which
removes all addresses regardless of their label.
|
|
|
|
|
|
T8923: normalize "can not" to "cannot" and other typo fixes
|
|
|
|
|
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
|
|
|
|
This is no real need to have these in config_mgmt; moving to config_sync
will localize needed modifications to local/remote configs for exclusion
mask.
|
|
Add util for commonly used retrieval of ConfigTree of the saved config.
|
|
|
|
vrf: T8936: Specify `pref 1998` when deleting fwmark routing rules on VRF removal
|
|
T8503: clean up linting errors, reformatting, and minor refactoring
|
|
remote: T8956: stop leaking URL credentials in TftpC.upload()
|
|
removal
|
|
VPP bond teardown was triggered on every commit regardless of
what changed, dropping all subinterfaces and BGP sessions even
for trivial changes like descriptions or IP addresses.
Only mode, hash-policy and mac_address require full recreation
since VPP has no in-place update API for these; all other
changes are now applied incrementally.
|
|
TftpC.upload() printed `{command} "{urlstring}"` to stdout before running the
command. This was debug code from the time where VRF support was added. As TFTP
has no authentication - no credentials got leaked.
|
|
frr: T7931: Do not restart FRR on unrelated config changes when VRF protocols are configured
|
|
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
|
|
|
|
protocols are configured
FRR was restarted on every commit when VRF protocols were configured, even when no
routing-related configuration changed. Root cause: the rendering loop mutated `config_dict`
in-place by injecting a `vrf` key into each VRF protocol sub-dict, polluting `cached_config_dict`
which holds a reference to the same object, causing the equality check to always fail on the
next commit.
|
|
|
|
Prevent access to missing dictionary key by probing for availability. On removal
of inbound-interface or outbound-interface name CLI node, there was a guard
missing when accessing the CLI dictionary containing the config data.
|
|
T8454: fix VRF-bind port availability check in service_https
|
|
For use in nosetests or other, allow passing ReferenceTree from an
internal cache in a non-standard location.
|
|
|
|
|
|
|
|
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
geoip: T8590: fix initialization failure and set clobbering on boot and commit
|
|
`mmcli --simple-disconnect` can be called when the modem bearer is not active.
This causes cmd() to raise a `PermissionError` and abort the commit.
Handle the case gracefully so the configuration can be committed before the modem
is physically present or fully connected.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
(#5186)
The port availability check in `verify()` was using `front_config.get('address')`
which always resolved to `None`, causing the validator to treat any process
holding a given port number as a conflict regardless of which IP it was
bound to.
|
|
Add a check to determine whether the NIC supports hardware
timestamp receive filters required for NTP timestamping.
Implement the query in a new python/vyos/netlink/timestamp.py module
using pyroute2 generic netlink ETHTOOL_MSG_TSINFO_GET,
avoiding ethtool output parsing.
|
|
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
Historically, commit_in_progress() used psutil.process_iter() to enumerate every
process on the system and inspect open file descriptors under /proc in order to
determine whether the configuration commit lock was held. That approach scales
linearly with process count and incurs substantial overhead under load.
Replace it with the shared lock-file utilities: attempt to acquire the commit
lock using a non-blocking exclusive lock. If acquisition fails, another holder
retains the lock and a commit is considered in progress; if it succeeds, no
commit was active and the lock acquired for the probe is released immediately.
|
|
* dhcpv6: T8849: Add time-zone support for Kea DHCPv6
Add DHCPv6 option support for time zone (RFC4833 options
41 and 42). This includes both the POSIX-style TZ string
(`new-posix-timezone`) and the IANA time zone name
(`new-tzdb-timezone`).
* dhcpv6: T8849: Refactor per code-review suggestion
* dhcpv6: T8849: Reformat for compliance
|