| Age | Commit message (Collapse) | Author |
|---|
|
The `class_id_max` is wrong due to `tmp.sort` of Strings
If we have class 5 and class 10 we get sorted max value 5, expected 10
```
>>> tmp = ['5', '10']
>>> tmp.sort()
>>> tmp
['10', '5']
>>>
>>> hex(5+1)
'0x6'
>>>
>>> hex(10+1)
'0xb'
>>>
```
This way we get wrong default maximum class value:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default 6
```
Expect:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default b
```
Fix this converting Strings to Integers and get max value.
|
|
T5960: Rewritten authentication node in PPTP to a single view
|
|
op-mode: T4038: Python rewrite of image tools
|
|
init: T2044: only start rpki if cache is configured
|
|
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during
system boot") to check the bootup configuration if an RPKI cache is defined.
Only start RPKI if this is the case.
|
|
Rewritten authentication node in accel-ppp services
to a single view. In particular - PPTP authentication.
|
|
The current calculation `r2q` is wrong as it uses `Floor division`
but expecting `division`
This way `math.ceil` calculate wrong value as we expect
round a number upward to its nearest integer
For example for speed 710 mbits expected value `444` but we get `443`
```
from math import ceil
MAXQUANTUM = 200000
speed = 710000000
speed_bps = int(speed) // 8
>>> speed_bps // MAXQUANTUM
443
>>> speed_bps / MAXQUANTUM
443.75
>>>
>>>
>>> ceil(speed_bps // MAXQUANTUM)
443
>>> ceil(speed_bps / MAXQUANTUM)
444
>>>
```
|
|
|
|
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki")
added the generic PKI flag but if there was no PKI subsystem available
in the configuration, no pki dict key ever manifested in the resulting
dictionary requested by the caller.
This is different to the old behavior (which each caller implementing the call
itself) where there always was a pki key present - even if it was empty.
This triggered a bug in the IPSec script
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module>
verify(ipsec)
File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify
verify_pki_rsa(ipsec['pki'], rsa)
~~~~~^^^^^^^
KeyError: 'pki'
As it wanted to verify keys, but there was no pki dictionary key available.
This commit restores the previous behavior.
|
|
qos: T5848: Add triple-isolate option to CAKE policy config
|
|
dhcpv6: T3771: Installation of routes for delegated prefixes, add excluded-prefix to PD
|
|
T5971: Rewritten ppp options in accel-ppp services
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
ddclient: T5966: Adjust dynamic dns config address subpath
|
|
T5974: Fix QoS shape bandwidth and ceil calculation for default
|
|
Rewritten 'ppp-options' to the same view in all accel-ppp services.
Adding IPv6 support to PPTP.
|
|
|
|
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
|
|
|
|
|
|
The default `bandwidth` and `ceiling` should calculate values
based on <tag> bandwidth but currently it gets the value from
qos.base `/sys/class/net/{self._interface}/speed`
```
set qos policy shaper SHAPER bandwidth '20mbit'
set qos policy shaper SHAPER default bandwidth '95%'
set qos policy shaper SHAPER default ceiling '100%'
```
It causes wrong calculations for class `default` i.e
950Mbit for bandwidth (expected 95% of bandwidth, 19Mbit)
1Gbit for ceil (expected 100% of bandwidth, 20Mbit)
Gets incorrect values
```
r4# tc class show dev eth1
class htb 1:1 root rate 20Mbit ceil 20Mbit burst 1600b cburst 1600b
class htb 1:a parent 1:1 leaf 8053: prio 0 rate 200Kbit ceil 200Kbit burst 1Mb cburst 1600b
class htb 1:b parent 1:1 leaf 8054: prio 7 rate 950Mbit ceil 1Gbit burst 15200b cburst 1375b
```
Fix this
|
|
Typo (missaligned -/_) in the code causes hw-tc-offload to never be enabled in
the underlaying hardware via ethtool.
|
|
|
|
|
|
T5958: QoS add basic implementation of policy shaper-hfsc
|
|
If we have QoS policy shaper class match `vif` (VLAN) we have to
use `basic match "meta(vlan mask 0xfff eq xxx)` instead of
`action policy`
Actual incorrect TC filter:
tc filter add dev eth1 parent 1: protocol all prio 1 action police rate 100000000 burst 15k flowid 1:64
The correct TC filter after fix:
tc filter add dev eth1 parent 1: protocol all prio 1 basic match "meta(vlan mask 0xfff eq 100)" flowid 1:64
|
|
|
|
It is impossible to detect interface speed for some devices
for exmaple virtio interfaces:
```
vyos@r4:~$ cat /sys/class/net/eth1/speed
-1
```
It causes wrong negative calcultaions like:
- bandwidth: -1000000
- 4% of bandwidth: -40000
tc class replace dev eth1 parent 1: classid 1:1 htb rate -1000000
tc class replace dev eth1 parent 1:1 classid 1:a htb rate -40000
Fix this with checking negative value.
Add default interface speed to 1000 Mbit if we cannot detect the
interface speed, the current default value 10 Mbit is too low
for nowadays
|
|
QoS policy shaper-hfsc was not implemented after rewriting the
traffic-policy to qos policy. We had CLI but it does not use the
correct class. Add a basic implementation of policy shaper-hfsc.
Write the class `TrafficShaperHFS`
|
|
|
|
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp
|
|
image-tools: T5923: update system_console.py for new GRUB file structure
|
|
Moved ipv6 pools to named ipv6 pools in accel-ppp services
|
|
Add util function to set serial console speed in accordance with revised
GRUB file structure; in keeping with the intentions of the config_mode
script, adjust the GRUB var 'console_speed' to only modify ttyS0.
|
|
* Also migrate `address-range` to `range` tag node for consistency with dhcpv4 server syntax
|
|
This uses a more common pattern froma base class while the original code from
0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is
still retained.
|
|
the lease file (#2796)
|
|
dhcp: T3316: T5787: T5912: Extend scope of DHCP options, bugfixes
|
|
|
|
supported by Kea
|
|
|
|
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
|
|
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()")
added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6).
This leads to long runs of "make test" after an ISO build.
There is no need to wait 10 seconds for a test that checks for a process
not running. The timeout is there to give the process some time to startup.
|
|
image: T5898: fix kernel-level partition rescan
|
|
pki: T5886: add support for ACME protocol (LetsEncrypt)
|
|
Smoketests heavily rely on process_named_running() so in order to "relax"
system constraints during a test we will add a timeout of 10 seconds for
every testcase provided by base_interfaces_test.py
|
|
This fix moves from partprobe to partx to rescan the partition table on an affected disk.
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
|
