| Age | Commit message (Collapse) | Author |
|
geoip: T8987: Support updates via source-address/vrf
|
|
T8097: strongswan: add CLI for ESN
|
|
|
|
T9015: fix thread safety of configtree read/write_cache
|
|
T8993: initialize ReferenceTree module from string not file
|
|
geoip: T5746: Add GeoIP ASN support
|
|
For thread-safe calls, move file operations to the Python side, leaving
only string operations for calls to ctypes bindings.
|
|
Avoid initialization error in threaded applications, for example when
calling libvyosconfig functions from FastAPI background tasks.
The read_internal function from file relies on the inherently non
thread-safe Unix module; read string first and pass to lib read_string.
|
|
concurrent rekey
The vti-up-down hook and vpn_ipsec.py modify a flat-file DB
(/tmp/ipsec_vti_interfaces) through three context managers that do an
unlocked read-modify-write. During a coordinated rekey, strongSwan fires
the hook for many VTIs concurrently, so the writers lost-update each
other: an interface whose up-client add is overwritten is left admin-down
while its CHILD_SA stays installed.
Serialise all DB access by reusing vyos.utils.locking.Lock. A new
_vti_updown_db_lock() context manager wraps the three public context
managers, and remove_vti_updown_db() holds the lock across both the DB
processing and the os.unlink() to close the create/delete race.
Make the helpers absence-safe under the lock so callers no longer compose
a separate existence check with a locked operation:
open_vti_updown_db_readonly() yields None when the DB does not exist and
remove_vti_updown_db() is a no-op when it is absent. Drop the
now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and
vpn_ipsec.py and handle the None yield.
|
|
T8099: strongswan: 6.0.6 + Post quantum options
|
|
vpp: T8913: Skip bond teardown for non-structural config changes
|
|
Add options for mlkem*
|
|
Introduce 'anycast-gateway' leafNode for pseudo-ethernet interfaces.
When set, a local FDB entry is installed on the parent bridge to
prevent the shared anycast MAC from leaking over the VXLAN overlay.
|
|
vpp: T8603: Expand ACL support to logical interfaces
|
|
Add CLI commands:
set vpn ipsec ike-group MyIKEGroup proposal 1 esn ESN-VALUE
set vpn ipsec esp-group MyESPGroup proposal 1 esn ESN-VALUE
Where ESN-VALUE can be one of:
* required: only establish connection using ESN
* optional: try using ESN, but if not available, accept non-ESN
* disabled (default): don't use ESN
StrongSwan 6.0.6 doesn't allow connections between proposal with
'-noesn' and without '-esn'/'-noesn'. To make it work as expected, use
two proposals for 'optional' and 'disabled':
* required: PROPOSAL-esn
* optional: PROPOSAL-esn-noesn,PROPOSAL
* disabled: PROPOSAL-noesn,PROPOSAL
|
|
config: T8858: fix mutable default argument in config API methods
|
|
firewall: T8546: Fix conntrack_required for global state-policy
|
|
flush_ip() used flush_addr(label=iface_name) which only matches addresses
whose label equals exactly the interface name. Secondary IP addresses are
assigned with :N suffixed labels (e.g. defunct_eth0:2, defunct_eth0:3)
and are not matched, so they remain on the interface.
Fix by flushing addresses by interface index instead of label, which
removes all addresses regardless of their label.
|
|
|
|
|
|
T8923: normalize "can not" to "cannot" and other typo fixes
|
|
|
|
|
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
|
|
|
|
This is no real need to have these in config_mgmt; moving to config_sync
will localize needed modifications to local/remote configs for exclusion
mask.
|
|
Add util for commonly used retrieval of ConfigTree of the saved config.
|
|
|
|
vrf: T8936: Specify `pref 1998` when deleting fwmark routing rules on VRF removal
|
|
T8503: clean up linting errors, reformatting, and minor refactoring
|
|
remote: T8956: stop leaking URL credentials in TftpC.upload()
|
|
removal
|
|
VPP bond teardown was triggered on every commit regardless of
what changed, dropping all subinterfaces and BGP sessions even
for trivial changes like descriptions or IP addresses.
Only mode, hash-policy and mac_address require full recreation
since VPP has no in-place update API for these; all other
changes are now applied incrementally.
|
|
TftpC.upload() printed `{command} "{urlstring}"` to stdout before running the
command. This was debug code from the time where VRF support was added. As TFTP
has no authentication - no credentials got leaked.
|
|
frr: T7931: Do not restart FRR on unrelated config changes when VRF protocols are configured
|
|
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
|
|
|
|
protocols are configured
FRR was restarted on every commit when VRF protocols were configured, even when no
routing-related configuration changed. Root cause: the rendering loop mutated `config_dict`
in-place by injecting a `vrf` key into each VRF protocol sub-dict, polluting `cached_config_dict`
which holds a reference to the same object, causing the equality check to always fail on the
next commit.
|
|
|
|
Prevent access to missing dictionary key by probing for availability. On removal
of inbound-interface or outbound-interface name CLI node, there was a guard
missing when accessing the CLI dictionary containing the config data.
|
|
T8454: fix VRF-bind port availability check in service_https
|
|
For use in nosetests or other, allow passing ReferenceTree from an
internal cache in a non-standard location.
|
|
|
|
|
|
|
|
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
geoip: T8590: fix initialization failure and set clobbering on boot and commit
|
|
`mmcli --simple-disconnect` can be called when the modem bearer is not active.
This causes cmd() to raise a `PermissionError` and abort the commit.
Handle the case gracefully so the configuration can be committed before the modem
is physically present or fully connected.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|