| Age | Commit message (Collapse) | Author |
|
removal
|
|
|
|
Prevent access to missing dictionary key by probing for availability. On removal
of inbound-interface or outbound-interface name CLI node, there was a guard
missing when accessing the CLI dictionary containing the config data.
|
|
T8454: fix VRF-bind port availability check in service_https
|
|
T8502: Add exclusion mask to config-sync
|
|
The added calculations were just enough to introduce a race between
remote commit completion and show remote config.
|
|
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
snmp: T8538: Persist engineBoots counter across reboots
|
|
ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers
|
|
Policy: T8823: validation of GE and LE according FRR instructions
|
|
wan: T8480: add suppress_prefixlength ip rules for internal routing
|
|
Per RFC 3414 section 2.2 (Replay Protection), the `snmpEngineBoots`
counter must be stored in non-volatile storage and incremented on
every snmpd restart. VyOS was not persisting this value, causing
it to reset to 1 after every reboot.
SNMP managers cache the engineBoots value from previous sessions.
When VyOS resets the counter to 1 after reboot, managers reject
incoming SNMPv3 trap packets as "too old", producing errors such as:
```
usm: Message too old.
reboot count invalid
```
This change introduces `/config/snmp/engineboots.count` as a disk-backed
persist file and it uses to sync the counter into snmpd's conf
before the daemon starts.
|
|
Add a CLI knob to terminate idle IPoE sessions after a configurable
timeout:
set service ipoe-server idle-timeout <0-86400>
Today there is no way to age out stale IPoE sessions: clients that go
silent (powered off, link down) leave a session record on the router
indefinitely. accel-ppp natively supports idle-timeout in its [ipoe]
section but VyOS did not expose it.
The option is added as a shared accel-ppp include so it can be reused
by other accel-ppp services in follow-up PRs.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
|
|
|
|
T8822: Add BFD strict mode for BGP
|
|
wireguard: T8509: Add fwmark ip rules for VRF-bound interfaces
|
|
|
|
(#5186)
The port availability check in `verify()` was using `front_config.get('address')`
which always resolved to `None`, causing the validator to treat any process
holding a given port number as a conflict regardless of which IP it was
bound to.
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
virtual-server (#5205)
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
* dhcpv6: T8849: Add time-zone support for Kea DHCPv6
Add DHCPv6 option support for time zone (RFC4833 options
41 and 42). This includes both the POSIX-style TZ string
(`new-posix-timezone`) and the IANA time zone name
(`new-tzdb-timezone`).
* dhcpv6: T8849: Refactor per code-review suggestion
* dhcpv6: T8849: Reformat for compliance
|
|
|
|
|
|
According to Kea documentation:
When a data field is a string and that string contains
the comma (`,`; U+002C) character, the comma must be escaped
with two backslashes (`\\,`; U+005C) because both the routine
splitting of CSV data into fields and JSON use the same
escape character. A single escape (`\,`) would make the JSON
invalid.
Accordingly, the pcode generated for time-zone should have
the `,` double escaped. For example, `"GMT0BST,M3.5.0/1,M10.5.0"`
should be rendered as `"GMT0BST\\,M3.5.0/1\\,M10.5.0"`.
See: https://kea.readthedocs.io/en/stable/arm/dhcp4-srv.html#standard-dhcpv4-options
|
|
|
|
|
|
|
|
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
T8612: upgrade frr to 10.6.1
|
|
bgp: T8607: Add CLI support for BGP update-delay and establish-wait
|
|
The smoketest framework heavily relies on deriving common code paths. The
tearDownClass() is called when a testcase finishes and testcases like protocols
BGP delete CLI nodes before calling the base class.
The base-class never calls commit() thus the deletions are discarded instead
of committed.
test_protocols_bgp.py
@classmethod
def tearDownClass(cls):
cls.cli_delete(cls, ['policy', 'route-map'])
cls.cli_delete(cls, ['policy', 'prefix-list'])
cls.cli_delete(cls, ['policy', 'prefix-list6'])
super(TestProtocolsBGP, cls).tearDownClass()
base class base_vyostest_shim.py
@classmethod
def tearDownClass(cls):
# discard any pending changes which might caused a messed up config
cls._session.discard()
|
|
When a WireGuard interface has both fwmark and VRF configured, outgoing
tunnel packets marked with the fwmark were not routed into the correct
VRF routing table, causing them to hit the l3mdev unreachable rule instead.
Add an ip rule at priority 1998 (after l3mdev at 1000 and before l3mdev
unreachable at 2000) to route fwmark-tagged packets into the correct
VRF routing table.
|
|
|
|
FRR commit 4257c1dc28e71234f9338f1623a8fe677445db7e introduced check
that virtual-link is allowed only for ABR router.
Update test accordingly.
|
|
kea: T8763: Fix vendor-encapsulated-options space
|
|
|
|
|
|
T8147: Update Linux Kernel to 6.18
|
|
Kernel 6.18 exposes support for adaptive_rx interrupt coalescing - but if set
via ethtool, it still is in disabled state.
$ sudo ethtool -C eth2 adaptive-rx on
$ sudo ethtool -c eth2
Coalesce parameters for eth2:
Adaptive RX: off TX: n/a
Disable testcase for virtio modules.
|
|
FRR (#4994)
* sr-te: T6750: Adding Segment Routing Traffic Engineering portion of FRR
---------
Co-authored-by: Cheeze_It <none@none.com>
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
|
|
Setting a timeout allows VRRP health-check scripts to run longer than the set interval.
Without timeout, keepalived considers the script as failed after interval seconds.
With timeout set higher than interval, the script has more time to complete
before being marked as failed and transitioning VRRP to FAULT state.
|
|
vpp: T8460: Use isolated cpus for VPP cpu-cores
|
|
VPP: T8495: fix issue with assigning acl on sub interfaces
|
|
T8534: refactor sysctl_(read|write) to accept key parts
|
|
VPP CPU core assignment now uses kernel-isolated CPUs (from /sys/devices/system/cpu/isolated) with explicit corelist-workers instead of computing offsets from available cores with skip-cores/workers. Added validation that enough CPUs are actually isolated before VPP starts, and that isolate-cpus config only references existing CPU IDs. Moved smoketest for kernel option 'isolate-cpus' to test_vpp.py
|
|
firewall: T8446: Prevent chain with offload rule on local zone
|