| Age | Commit message (Collapse) | Author |
|---|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
|
|
|
|
|
|
|
|
flowtable: T7350: Prevent interface deletion if referenced on flowtable
|
|
Bridge: T7430: Add BPDU Guard and Root Guard support
|
|
|
|
We maintain compatibility with the legacy commit lock file until all
other references are resolved; this requires a POSIX-type lock instead
of the BSD-type lock of vyos.utils.locking.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In the absence of Cstore, the env var remains as the sole indication of
config mode for the legacy CLI, and its emulation here.
|
|
The environment variable _OFR_CONFIGURE is used by bash completion to
setup the config mode environment. We check this setting to coordinate
vyconf config mode and CLI config mode, independent of the legacy
backend Cstore check.
|
|
|
|
ipoe_server: T6997: Do not require to create client ip pool when dhcp-relay is used
|
|
is used
|
|
T7348: Add config CPU thread-count for accel-ppp services
|
|
wireguard: T7387: Optimise wireguard peer handling
|
|
If we use several port for the `conntrack ignore` there
have to be used curly braces for nftables
Incorrect format: dport 500,4500
Correct format: dport { 500, 4500 }
|
|
Accel-ppp services should not use all CPU cores to process requests.
At the moment accel-ppp services use all available CPU cores
to process requests from the subscribers (establish/update session/etc).
During mass connection of sessions, this can lead to the fact that it
utilizes all CPU, and for other services like FRR, there is not enough
CPU time to process their own stable work.
services:
- L2TP
- SSTP
- PPPoE
- IPoE
- PPtP
Add this option configurable and use all cores if not set:
```
set service pppoe-server thread-count < all | half | x >
```
The defaultValue `all`
|
|
T7386: firewall: Allow IPv6 member in firewall remote-groups
|
|
utils: T7095: make `vrf` and `netns` arguments aware of the shell
|
|
remote groups
|
|
frr: T7431: missing logging options after rewrite to frrender class
|
|
In src/etc/systemd/system/frr.service.d/override.conf#L6-L11 the log entry is
added on restart - but not during normal operation of frrender.py
Logging should be added persistent when rendering the FRR configuration
using FRRender class.
|
|
This will add support for BPDU Guard and Root Guard to the bridge interface.
Verification will come from:
show log spanning-tree
|
|
When both the CLI PKI node for an ACME-issued certificate and HAProxy are
configured during initial setup, the certbot challenge cannot be served via the
reverse proxy because HAProxy has not yet been configured at all.
This commit introduces a special case to handle this bootstrap scenario,
ensuring that the certbot challenge can still be served correctly in standalone
mode on port 80 despite initial config dependencies/priorities between PKI
and HAProxy.
|
|
This will wrap the messages at 72 characters in the same way as Warning() and
DeprecationWarning() would do. We now have simple wrappers for it!
Example:
vyos@vyos# commit
[ pki ]
Updating configuration: "load-balancing haproxy service frontend ssl
certificate LE_cloud"
Add/replace automatically imported CA certificate for "LE_cloud"
|
|
Add a new category if Jinja2 operands. We already have filters and tests, but
sometimes we would like to call a Python function without and data "|" piped
to it - that's what they call a clever-function.
{{ get_default_port(NAME) }} can be used to retrieve the value from
vyos.defaults.internal_ports[NAME] within Jinja2. We no longer need to extend
the dictionary with arbitrary data retrieved from vyos.defaults, we can now
simply register another clever-function to the Jinja2 backend.
|
|
If we detect that an ACME issued certificate is consumed by haproxy service,
we will move the certbot webserver to localhost and a highport, to proxy the
request via haproxy which is already using port 80.
|
|
|
|
Commit 4523e9c897b3 ("wireguard: T3763: Added check for listening port
availability") added a function to check if a port is free to use or already
occupied by a different running service. This has been done by trying to bind a
socket to said given port.
Unfortunately there is no support for IPv6 address-fdamily in both
socketserver.TCPServer or socketserver.UDPServer. This must be done manually by
deriving TCPServer and setting self.address_family for IPv6.
The new implementation gets rid of both TCPServer and UDPServer and replaces it
with a simple socket binding to a given IPv4/IPv6 address or any interface/
address if unspecified.
In addition build time tests are added for the function to check for proper
behavior during build time of vyos-1x.
|
|
|
|
T7316: Add MTU validation for interfaces with MTU less then 1200
|
|
syslog: T7367: ensure rsyslog is registered as default systemd syslog service
|
|
interface: T7375: cleanup SLAAC assigned address and default route after removing SLAAC CLI configuration
|
|
geoip: T5636: Add geoip for policy route/route6
|
|
interface: T4627: support setting of IPv6 Interface Identifier(Token)
|
|
bridge: T7322: fix slow performance of allowed vlan
|
|
ospf: T7383: Fixed unconfigured redistribution of nhrp into ospf
|
|
|
|
When an interface runs in DHCPv6 only mode, there is no reason to have a
default installed that was received via SLAAC. If SLAAC is needed, it should
be turned on explicitly.
This bug was only triggered during system boot where a DHCPv6 client address
and a default route to a link-local address was shown in the system. If DHCPv6
was enabled only on an interface while VyOS was already running - no default
route got installed.
|
|
When using SLAAC for IPv6 addresses we will also receive a default route via a
RA (Router Advertisement). When we disable SLAAC on a interface the Linux
Kernel does not automatically flush all addresses nor the routes received.
The Kernel wait's until the addresses/prefixes/routes expire using their
lifestime setting.
When removing SLAAC from an interface, also remove the auto generated IPv6
address and both the default router received and the connected IP prefix of the
SLAAC advertisement.
|
|
We can reference "self.ifname" in any Python f-ormatted string directly. No
need for an interim temporary variable.
|
|
|
