Age | Commit message | Author |
|
T7386: firewall: Allow IPv6 member in firewall remote-groups
|
|
T7423: Add kernel boot options isolcpus, hugepages, numa_balancing
|
|
Add kernel options which apply during the boot:
- isolcpus
- nohz_full
- rcu_nocbs
- default_hugepagesz
- hugepages
- hugepagesz
- numa_balancing
- hpet
- mce
- nosoftlockup
- nmi_watchdog
CLI:
```
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '1,2,4-5'
set system option kernel cpu nohz-full '1,2,4-5'
set system option kernel cpu rcu-no-cbs '1,2,4-5'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-softlockup
set system option kernel memory default-hugepage-size '2M'
set system option kernel memory disable-numa-balancing
set system option kernel memory hugepage-size 1G hugepage-count '2'
set system option kernel memory hugepage-size 2M hugepage-count '512'
```
|
|
nat66: T7051: snat group as destination
|
|
remote groups
|
|
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
|
|
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
|
|
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
|
|
router-advert: T7389: Duplicate prefix safeguard
|
|
Add CLI config node for "group" when configuring NAT66 source
Ensure there is only one group in NAT66 source rule config
Add smoketest to cover new group usage in source NAT66 rules
|
|
T7382: adds podman log driver configuration option
|
|
T7397: add "system kernel option quiet" to suppress boot messages
|
|
Add option to limit the number of messages that are displayed on the console
during the boot process and to persist this setting with image upgrades.
```
set system option kernel quiet
```
|
|
settings
```
FAIL: test_vxlan_group_remote_error (__main__.VXLANInterfaceTest.test_vxlan_group_remote_error)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_vxlan.py", line 139, in test_vxlan_group_remote_error
    self.assertIn('Both group and remote cannot be specified', str(exception))
AssertionError: 'Both group and remote cannot be specified' not found in '[[interfaces vxlan vxlan60]] failed\nCommit failed\n'
```
This happens because cm variable is accessed when no longer valid. Change
behavior to match common smoketest style, check ConfigError exception - but do
not check exception message. Fix the error and commit again.
|
|
firewall: T7358: add offload option to global state policy
|
|
Change autoignoreprefixes config template and add smoketests
|
|
advertisements (#4463)
|
|
syslog: T7367: ensure rsyslog is registered as default systemd syslog service
|
|
geoip: T5636: Add geoip for policy route/route6
|
|
interface: T4627: support setting of IPv6 Interface Identifier(Token)
|
|
- Added smoketest for offload in global state policy
|
|
Add common IPv6 CLI option (use ethernet as example):
```
set interfaces ethernet eth0 ipv6 address interface-identifier
```
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
Systemd states:
The default syslog implementation should make syslog.service a symlink to
itself, so that this socket activates the right actual syslog service.
|
|
T7343: IPsec add traffic-selector handling for VTI interfaces
|
|
Allow setting traffic-selector for VTI interfaces.
We can set several local and remote IPv4 and IPv6 prefixes:
```
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix ::/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24
```
|
|
kea: T7281: Add ping-check, use built-in option for classless static routes
|
|
ids: T7241: remove Fastnetmon from the base system
|
|
* dhcp-server: T7310: add support for option 138 CAPWAP AC to KEA
* kea: T7310: Update data/templates/dhcp-server/kea-dhcp4.conf.j2
Co-authored-by: Simon <965089+sarthurdev@users.noreply.github.com>
* kea: T7310: Update python/vyos/kea.py
Co-authored-by: Simon <965089+sarthurdev@users.noreply.github.com>
* kea: T7310: add smoketest for capwap-ac-v4
* kea: T7310: Update python/vyos/kea.py
Co-authored-by: Simon <965089+sarthurdev@users.noreply.github.com>
---------
Co-authored-by: David Vølker <davvol@davvol.dk>
Co-authored-by: Simon <965089+sarthurdev@users.noreply.github.com>
|
|
It will eventually be moved to an addon
|
|
Remove legacy windows static route on option 249
|
|
Some unused import statements sneaked into the codebase.
This is about cleaning them up
|
|
Upgrading to Linux 6.6.85 will make the WIFI interface tests fail because of:
```
8021q: VLANs not supported on wlan0
8021q: VLANs not supported on wlan1
```
This is most likely b/c of commit [1]. Running this on a platform with a real
wifi card still works.
```
10: wlan0.10@wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    state LOWERLAYERDOWN group default qlen 1000
    link/ether 00:12:34:3c:d3:40 brd ff:ff:ff:ff:ff:ff
    inet 1.1.1.1/24 brd 1.1.1.255 scope global wlan0.10
       valid_lft forever preferred_lft forever
vyos@vyos# run show ver kernel
6.6.85-vyos
```
Do not run VIF based smoketests if mac80211_hwsim driver is in use.
1: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3561442599804905c3defca241787cd4546e99a7
|
|
Support added in commit 383af2dd4ab ("virtual-ethernet: T7293: add support to
define interface MTU").
|
|
virtual-ethernet: T7293: add support to define interface MTU
|
|
syslog: T7270: fix typos in rsyslog.conf
|
|
If a router has not formed an LDP neighbor adjacency yet, it
answers all received LDP Hello packets from non-neighbors with
new Hello packets.
This leads to flooding LDP packets to all routers for each LDP
incoming packet.
Add configuration option to disable this behavior
```
set protocols mpls ldp interface eth0 disable-establish-hello
```
|
|
* bgp: T7157: Allow using route-maps for VRF route leaking in BGP
Added the possibility of using route-map in route leaking.
* Improve the constraint error message
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|