| Age | Commit message (Collapse) | Author |
|
|
|
|
|
T7591: remove copyright years from source files
|
|
T7589: Add no-split-gso and ack-filter for CAKE
|
|
dmbaturin/T7580-op-cache-generator-standalone-virtual
build: T7580: add support for standalone and virtual tag nodes to the op mode cache generator
|
|
|
|
vrf: T7544: Ensure correct quoting for VRF ifnames in nftables
|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
to ensure that the JSON cache is usable for command lookup
|
|
* For VRF create/delete:
* Simple dquoting, as before, was parsed away by the shell
* Just escaping the double quotes could cause issues with the shell mangling
VRF names (however unlikely)
* Wrapping original quotes in shell-escaped single quotes is a quick & easy
way to guard against both improper shell parsing and string names being
taken as nft keywords.
* Firewall configuration:
* Firewall "interface name" rules support VRF ifnames and used them unquoted,
fixed for nft_rule template tags (parse_rule)
* Went through and quoted all iif/oifname usage by zones and interface
groups. VRF ifnames weren't available for all cases, but there is
no harm in completeness.
* For this, also created a simple quoted_join template filter to replace
any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead
I may have missed some niche nft use-cases that would be exposed to this problem.
|
|
mode cache generator
|
|
|
|
* T7424: Refactor and extend resource usage verification on commit for VPP CLI
T7424: Fix ruff errors
* T7424: Implement check for smoke tests runtime; reduce resource requirements for test environments
T7424: Fix errors in calculating the skipped and reserved CPU cores; Adjust default main heap size value.
* T7424: Refactor the CPU checks logic; Add total CPU usage check
T7424: Fix CPU reserve and skip cores calculations; Add total CPU usage check
T7424: Refactor smoketests to reflect new logic
* T7424: Refactor the CPU and memory checks logic
---------
Co-authored-by: oniko94 <onikolaiev94@outlook.com>
|
|
T7561: simplify op-mode-definitions XML cache generation
|
|
pki: T7574: add optional force argument to renew certbot-issued certificates
|
|
Certbot renewal command in op-mode "renew certbot" only works if any of the
certificates is up for renewal. There is no CLI option to forcefully renew a
certificate. This is about adding a force option to the CLI and with this
addition move the entire certbot renew handling to new-style op-mode commands.
vyos@vyos:~$ renew certbot force
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /config/auth/letsencrypt/renewal/vyos.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vyos.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/config/auth/letsencrypt/live/vyos/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
|
|
|
|
|
|
|
|
|
|
|
|
The original implementation of the op-mode XML cache generation resulted
in a structure that was difficult to use, for example, in documentation
generation. The source of complication is that, unlike the XML of
interface-definitions, path names are not unique: the same path may
occur as both a regular node and as a tag node. Here we simplify the
underlying structure by enriching path names with type information, thus
disambiguating paths. An interface to the cache is provided by explicit
generator and lookup functions.
|
|
T7554: fix wireguard fwmark parsing
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
For the XDP driver and Mellanox NIC, we create `defunct_*` interfaces to hide original
interfaces from CLI, when they are replaced with VPP-enabled pairs. But sometimes IP addresses
are not flushed from these `defunct_*` interfaces, which leads to broken routing afterward.
This commit introduces an additional flush operation for `defunct_*` interfaces to ensure that
they do not conflict with VPP interfaces.
|
|
|
|
firewalls should always accept
|
|
T7488: add utility for automatic rollback of section on apply stage error
|
|
T7432: RPKI VRF Support
|
|
|
|
|
|
|
|
|
|
http-api: T3955: add commit-confirm to endpoints /configure /config-file
|
|
|
|
|
|
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
|
|
config-mgmt: T7500: fix typo preventing commit-confirm hard rollback
|
|
http-api: T7498: allow passing config string in body of 'load' or 'merge' request
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
|
|
|
|
|
|
|
|
flowtable: T7350: Prevent interface deletion if referenced on flowtable
|
|
Bridge: T7430: Add BPDU Guard and Root Guard support
|
|
|
|
We maintain compatibility with the legacy commit lock file until all
other references are resolved; this requires a POSIX-type lock instead
of the BSD-type lock of vyos.utils.locking.
|
|
|
|
|