| Age | Commit message (Collapse) | Author |
|
After upgrading from VyOS 1.3 to 1.4, there is an inconsistent behavior with
MAC address assignment on bonded interfaces. In VyOS 1.3, bond interfaces used
a hardware MAC address from one of the member interfaces. In 1.4, a synthetic
MAC is used by default - generated by the Linux Kernel.
Oddly, setting mode 802.3ad (which is also the default) temporarily causes the
hardware MAC to be used again - until a reboot, after which the synthetic MAC
returns.
Deleting the mode config again causes the hardware MAC to be used. This
inconsistent behavior has caused issues with MAC-based filtering in networks.
The fix is to retrive the hardware MAC address from the first bond member
interface and use set it explicitly for the bond interface.
|
|
|
|
|
|
T7685: load-balancing: fix rules with multiple ports
|
|
|
|
Fix custom conntrack timeout rules and add smoketests
|
|
Improve smoketest reliability by preventing false failures and making errors
more informative.
|
|
* VPP: T7175
Added conf mode CLI for VPP sflow plugin and updated VPP template to include plugin.
* VPP: T7175: Conf mode CLI and startup template.
* T7175: VPP fix sFlow verify use vpp enstead of enable_vpp
* T7175: VPP add sFlow smoketest
* T7175: VPP remove unused config_changed variable
---------
Co-authored-by: Viacheslav <v.gletenko@vyos.io>
|
|
* T7667: Smoke test cli/test_vpn_ipsec.py typo makes DPD check always pass
* Update smoketest/scripts/cli/test_vpn_ipsec.py
Co-authored-by: Alexandr K. <alexandrk95@gmail.com>
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
Co-authored-by: Alexandr K. <alexandrk95@gmail.com>
|
|
|
|
In case when there is no local/remote prefix configured in a tunnel settings,
a protocol configured for such tunnel is ignored.
The correct way to generate the configuration is to set the prefix
to `dynamic` if it was not set. The correct config for the described case is:
```
local_ts = dynamic[gre/]
remote_ts = dynamic[gre/]
```
|
|
upgrade to 1.4.x
Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused
the IPsec service to fail if the configuration contained:
```
set vpn ipsec site-to-site peer <peer> tunnel <id> protocol 'all'
```
In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any'
in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in
1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of
'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing
the strongSwan service to fail on reload.
This fix ensures that 'protocol all' is converted to just the subnet notation (e.g.,
'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing
seamless service startup after upgrade.
|
|
ipsec: T7504: Added IKEv2 retransmission options
|
|
Added IKEv2 retransmission options (base, tries, timeout).
|
|
|
|
T7623: Add test route static dhcp in VRF
|
|
|
|
T7624: smoketest: Fix typing QEMU in test_protocols_static.py
|
|
|
|
|
|
wan-load-balancing: T7584: Default SNAT behaviour fixed to effect loa…
|
|
balanced packets only
Updated smoketest to match the updated nftable rule
|
|
T7591: remove copyright years from source files
|
|
|
|
|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
* T7424: Refactor and extend resource usage verification on commit for VPP CLI
T7424: Fix ruff errors
* T7424: Implement check for smoke tests runtime; reduce resource requirements for test environments
T7424: Fix errors in calculating the skipped and reserved CPU cores; Adjust default main heap size value.
* T7424: Refactor the CPU checks logic; Add total CPU usage check
T7424: Fix CPU reserve and skip cores calculations; Add total CPU usage check
T7424: Refactor smoketests to reflect new logic
* T7424: Refactor the CPU and memory checks logic
---------
Co-authored-by: oniko94 <onikolaiev94@outlook.com>
|
|
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
firewalls should always accept
|
|
journald
|
|
T7432: RPKI VRF Support
|
|
openvpn: T7056: Raise error if non-TAP device is bridged
|
|
T7510: ospfd.frr.j2 ospf nssa translation error - fix template
|
|
conntrack: T7208: nf_conntrack_buckets defaults and behavior
|
|
|
|
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
|
|
|
|
|
|
|
|
|
|
The `tc` output burst size was changed from bytes to kilobytes
|
|
|
|
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
|
|
* zebra: T7349: Added importing routes from non to the kernel routing table
Added importing routes from non to the kernel routing table.
---------
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.
Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
|
|
|
|
flowtable: T7350: Prevent interface deletion if referenced on flowtable
|
|
Bridge: T7430: Add BPDU Guard and Root Guard support
|