Fix for service monitoring prometheus stops unconfigured services.
Check if the service is in active state before stopping it.
T7591: remove copyright years from source files
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
* For VRF create/delete:
* Simple double quoting, as before, was parsed away by the shell
* Just escaping the double quotes could cause issues with the shell mangling
VRF names (however unlikely)
* Wrapping original quotes in shell-escaped single quotes is a quick & easy
way to guard against both improper shell parsing and string names being
taken as nft keywords.
* Firewall configuration:
* Firewall "interface name" rules support VRF ifnames and used them unquoted,
fixed for nft_rule template tags (parse_rule)
* Went through and quoted all iif/oifname usage by zones and interface
groups. VRF ifnames weren't available for all cases, but there is
no harm in completeness.
* For this, also created a simple quoted_join template filter to replace
any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead
I may have missed some niche nft use-cases that would be exposed to this problem.
pki: T7573: fix TypeError when HAProxy is not in use
Commit 59d86826a2f ("haproxy: T7122: add ACME/certbot bootstrap support")
introduced a regression where a None value was inadvertently iterated over.
This patch prevents the invalid access by verifying that all required keys are
present in the dictionary before proceeding.
journald
T7432: RPKI VRF Support
openvpn: T7056: Raise error if non-TAP device is bridged
T7492: Fix modem connection code
T7510: ospfd.frr.j2 ospf nssa translation error - fix template
T7532: container sysctl parameter values are quoted
To keep existing CLI behavior use a Warning() to prompt the user for an invalid
configuration. It is not possible to have more than one area-type defined per
area logically - the CLI does support it. In addition the backbone area cannot
be of type STUB or NSSA.
CLI configuration should be cleaned up using a migrator in the future.
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
openconnect: T7511: bugfix invalid variable name
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
* zebra: T7349: Added importing routes from non to the kernel routing table
Added importing routes from non to the kernel routing table.
---------
Co-authored-by: Christian Breunig <christian@breunig.cc>
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the behavior to support native certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migration script is used.
We need to establish proper dependencies on "system login" and "pki ca" for
the SSH subsystem. If the CA is updated or user principal names are modified,
we must also ensure that the SSH daemon is restarted accordingly.
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.
set system login user <name> principal <principal>
The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
This complements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.
Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
Added another possible condition to the flow through the config apply function
so that interfaces will reconnect as expected, even when there has been no
significant change to the config tags.
flowtable: T7350: Prevent interface deletion if referenced on flowtable
QoS: T7415: Fix tcp flags matching
Bridge: T7430: Add BPDU Guard and Root Guard support
Empty leaf nodes are cleaned, causing the tcp
ack and syn flags to not match. These values are exempted from being cleaned.
pppoe: T7463: Added restart if CoA is changed
Added a restart if CoA is changed
Added a restart if the authentication mode is changed
prometheus: T7435: Ensure only configured exporters are started
wireguard: T7387: Optimise wireguard peer handling
policy: T5069: large-community-list regex validator disallows whitespace
openconnect: T7287: VPN Openconnect does not check dictionary key se…
with authentication mode RADIUS
VPN IPsec unexpected passthrough logic bug was introduced in this
commit https://github.com/vyos/vyos-1x/commit/f480346bb8e934b1ce2e0fc3be23f7168273bba1
The correct behaviour of the `cidr_fit` was replaced with the
incorrect `overlap`
This way, the passthrough option is used every time when networks overlap.
```
>>> from ipaddress import ip_network
>>>
>>> a = ip_network('192.0.2.0/24')
>>> b = ip_network('192.0.2.100/30')
>>>
>>> a.overlaps(b)
True
>>>
>>> b.overlaps(a)
True
>>>
```
But there should be `subnet_of`:
```
>>> a.subnet_of(b)
False
>>>
>>> b.subnet_of(a)
True
>>>
```
In configuration it looks like
```
set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30'
```
The StrongSwan unexpected configuration:
```
RIGHT-tunnel-0-passthrough {
local_ts = 192.0.2.0/24
remote_ts = 192.0.2.0/24
start_action = trap
mode = pass
}
```
So all outgoing traffic to 192.0.2.0/24 passes through the main routing
table instead of out SA
Use `subnet_of` to fix this
Added verification of the route-map existence in the vrf
route-leaking.
T7423: Add kernel boot options isolcpus, hugepages, numa_balancing
* Re-introduce the whitespace/pattern matches ' ' and '_' as allowed
* Perform a general Python regex validity check (not 100% 1003.2, but in combination
with allowedChars, pretty close)
* Introduce a warning against potentially malformed or over-complex patterns,
but leave it up to the user to resolve - there are plenty of useful
expressions we cannot validate easily
Add kernel options which apply during the boot:
- isolcpus
- nohz_full
- rcu_nocbs
- default_hugepagesz
- hugepages
- hugepagesz
- numa_balancing
- hpet
- mce
- nosoftlockup
- nmi_watchdog
CLI:
```
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '1,2,4-5'
set system option kernel cpu nohz-full '1,2,4-5'
set system option kernel cpu rcu-no-cbs '1,2,4-5'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-softlockup
set system option kernel memory default-hugepage-size '2M'
set system option kernel memory disable-numa-balancing
set system option kernel memory hugepage-size 1G hugepage-count '2'
set system option kernel memory hugepage-size 2M hugepage-count '512'
```
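A validator and renderer that turns the CLI tree above into kernel boot parameters, added here as an example and not vyos-1x code. The CLI node names come from the commit message; the dictionary shape, the function names, the allowed hugepage sizes and the mapping from CLI nodes to kernel parameter names are assumptions.

```python
import re

# Assumed: a CPU list is digits and ranges separated by commas, as in the CLI example
CPU_LIST = re.compile(r'^\d+(-\d+)?(,\d+(-\d+)?)*$')
HUGEPAGE_SIZES = {'2M', '1G'}   # assumed allowed sizes, taken from the CLI example


def verify_kernel(kernel):
    """Reject CPU lists the kernel would not parse and unknown hugepage sizes."""
    cpu = kernel.get('cpu', {})
    for key in ('isolate-cpus', 'nohz-full', 'rcu-no-cbs'):
        if key in cpu and not CPU_LIST.match(cpu[key]):
            raise ValueError(f'{key}: invalid CPU list {cpu[key]!r}')
    mem = kernel.get('memory', {})
    sizes = list(mem.get('hugepage-size', {})) + [mem.get('default-hugepage-size', '2M')]
    for size in sizes:
        if size not in HUGEPAGE_SIZES:
            raise ValueError(f'unsupported hugepage size {size!r}')


def render_cmdline(kernel):
    """Return the boot parameters for the 'system option kernel' tree (assumed shape)."""
    verify_kernel(kernel)
    cpu, mem = kernel.get('cpu', {}), kernel.get('memory', {})
    opts = []
    # CPU isolation: value-carrying nodes map 1:1, the boolean node becomes a flag
    for node, param in (('isolate-cpus', 'isolcpus'), ('nohz-full', 'nohz_full'),
                        ('rcu-no-cbs', 'rcu_nocbs')):
        if node in cpu:
            opts.append(f'{param}={cpu[node]}')
    if 'disable-nmi-watchdog' in cpu:
        opts.append('nmi_watchdog=0')
    # Presence-only nodes at the top level
    for node, param in (('disable-hpet', 'hpet=disable'), ('disable-mce', 'mce=off'),
                        ('disable-softlockup', 'nosoftlockup')):
        if node in kernel:
            opts.append(param)
    # Memory: hugepages= counts pages of the immediately preceding hugepagesz=
    # (or of the default size if none precedes it), so each pair stays adjacent.
    if 'default-hugepage-size' in mem:
        opts.append(f"default_hugepagesz={mem['default-hugepage-size']}")
    if 'disable-numa-balancing' in mem:
        opts.append('numa_balancing=disable')
    for size, cfg in mem.get('hugepage-size', {}).items():
        opts.append(f'hugepagesz={size}')
        opts.append(f"hugepages={cfg['hugepage-count']}")
    return opts
```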