| Age | Commit message (Collapse) | Author |
|---|
|
wan-load-balancing: T7584: Default SNAT behaviour fixed to effect loa…
|
|
balanced packets only
Updated smoketest to match the updated nftable rule
|
|
T7591: remove copyright years from source files
|
|
|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
firewalls should always accept
|
|
journald
|
|
T7432: RPKI VRF Support
|
|
openvpn: T7056: Raise error if non-TAP device is bridged
|
|
|
|
|
|
T7510: ospfd.frr.j2 ospf nssa translation error - fix template
|
|
conntrack: T7208: nf_conntrack_buckets defaults and behavior
|
|
|
|
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
|
|
|
|
|
|
The `tc` output burst size was changed from bytes to kilobytes
|
|
|
|
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
|
|
* zebra: T7349: Added importing routes from non to the kernel routing table
Added importing routes from non to the kernel routing table.
---------
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.
Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
|
|
|
|
flowtable: T7350: Prevent interface deletion if referenced on flowtable
|
|
Bridge: T7430: Add BPDU Guard and Root Guard support
|
|
|
|
wireguard: T7387: Optimise wireguard peer handling
|
|
If we use several port for the `conntrack ignore` there
have to be used curly braces for nftables
Incorrect format: dport 500,4500
Correct format: dport { 500, 4500 }
|
|
T7443: Un-restricting non-root logins after scheduled reboot/shutdown via pam_nologin
|
|
T7386: firewall: Allow IPv6 member in firewall remote-groups
|
|
pam_nologin
When using reboot in, reboot at, or shutdown in, non-root users are prevented
from logging in via SSH or console starting 5 minutes before the scheduled
shutdown or reboot time.
This behavior is intended by pam_nologin.so, which is included in the SSH and
login PAM stack (default on Debian). While expected, it may be inconvenient
and could be reconsidered.
|
|
T7423: Add kernel boot options isolcpus, hugepages, numa_balancing
|
|
Add kernel options which apply during the boot:
- isolcpus
- nohz_full
- rcu_nocbs
- default_hugepagesz
- hugepages
- hugepagesz
- numa_balancing
- hpet
- mce
- nosoftlockup
- nmi_watchdog
CLI:
```
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '1,2,4-5'
set system option kernel cpu nohz-full '1,2,4-5'
set system option kernel cpu rcu-no-cbs '1,2,4-5'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-softlockup
set system option kernel memory default-hugepage-size '2M'
set system option kernel memory disable-numa-balancing
set system option kernel memory hugepage-size 1G hugepage-count '2'
set system option kernel memory hugepage-size 2M hugepage-count '512'
```
|
|
nat66: T7051: snat group as destination
|
|
remote groups
|
|
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
|
|
This will add support for BPDU Guard and Root Guard to the bridge interface.
Verification will come from:
show log spanning-tree
|
|
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
|
|
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
|
|
router-advert: T7389: Duplicate prefix safeguard
|
|
|
|
Add CLI config node for "group" when configuring NAT66 source
Ensure there is only one group in NAT66 source rule config
Add smoketest to cover new group usage in source NAT66 rules
|
|
T7382: adds podman log driver configuration option
|
|
T7397: add "system kernel option quiet" to suppress boot messages
|
|
Add option to limit the number of messages that are displayed on the console
during the boot process and to persist this setting with image upgrades.
set system option kernel quiet
|
|
There is "set system option kernel amd-pstate-driver" which requires a Kernel
driver to operate. This adds a smoketest validating the Kernel configuration.
|
|
settings
FAIL: test_vxlan_group_remote_error (__main__.VXLANInterfaceTest.test_vxlan_group_remote_error)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_vxlan.py", line 139, in test_vxlan_group_remote_error
self.assertIn('Both group and remote cannot be specified', str(exception))
AssertionError: 'Both group and remote cannot be specified' not found in '[[interfaces vxlan vxlan60]] failed\nCommit failed\n'
This happens because cm variable is accessed when no longer valid. Change
behavior to match common smoketest style, check ConfigError exception - but do
not check exception message. Fix the error and commit again.
|
