summaryrefslogtreecommitdiff
path: root/src/etc
AgeCommit message (Collapse)Author
2023-11-07T5706: Add custom systemd udev rules to exclude dynamic interfacesViacheslav Hletenko
Add custom systemd udev rules to exclude some regular and dynamic interfaces from "systemd-sysctl" calls. It fixes high CPU utilization (100%) as we have a lot of calls per interface for dynamic interfaces like ppp|ipoe|sstp etc. /lib/systemd/systemd-udevd should not be called for those interfaces (cherry picked from commit ca9cc86233520eb495c17602bf7a110094c1d8e7)
2023-10-08Change to BBR as TCP congestion control, or at least make it an config optionApachez
(cherry picked from commit ac1bd7c2f69e058f54084decbfe6b6d329df6462)
2023-09-14T5575: ARP/NDP table-size isnt set properlyApachez
(cherry picked from commit 9391fc273ce95ff92a6b40b2dee4a688d3048f9f)
2023-09-14Merge pull request #2212 from sever-sever/T5480-sagDaniil Baturin
T5480: Ability to disable SNMP for keepalived service VRRP
2023-09-08T5489: Add sysctl TCP congestion control by default to BBRViacheslav Hletenko
Add by default sysctl TCP congestion control to BBR. Default value `cubic` is not optimal. net.core.default_qdisc=fq net.ipv4.tcp_congestion_control=bbr (cherry picked from commit b99ed37dd1cff3310437ff8ccf1a27cd20714c41)
2023-09-06T5480: Ability to disable SNMP for keepalived service VRRPViacheslav Hletenko
By default we enable `--snmp` for keepalived unit service Add ability to disable it set high-availability vrrp disable-snmp (cherry picked from commit 5ae730a52de2f284e45cd433bb0cf66c8508f2f7)
2023-08-20netplug: T5491: invoke DHCP helpers also on wifi interfacesChristian Breunig
2023-08-16netplug: T5476: rewrite dhclient helper from Perl -> PythonChristian Breunig
There are two hooks called for bridge, ethernet and bond interfaces if the link-state changes up -> down or down -> up. The helpers are: * /etc/netplug/linkdown.d/dhclient * /etc/netplug/linkup.d/dhclient As those helpers use Linux actions to start/restart the dhclient process in Perl it's time to rewrite it. First goal is to get rid of all Perl code and the second is that we now have a Proper Python library. Instead of checking if the process is running the then restarting it without even systemd noticing (yeah we might get two processes beeing alive) we should: * Add a Python helper that can be used for both up and down (see man 8 netplugd FILES section) * Query the VyOS CLI config if the interface in question has DHCP(v6) configured and is not disabled * Add IPv6 DHCPv6 support MAN page: https://linux.die.net/man/8/netplugd
2023-08-05T5428: remove hardcoded dhcp lease file path from dhclient hookChristian Breunig
2023-08-05dhcp: T5428: remove hardcoded path to client runtime directoriesChristian Breunig
2023-07-26openvpn: T4974: do not automatically load the DCO moduleChristian Breunig
Module should be loaded/unloaded on demand.
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-07-14dhclient: T5358: Use return in 99-ipsec-dhclient-hookDarin Kuo
Use return instead of exit in 99-dhclient-exit-hook to allow subsequent unnumbered hooks to run (like rfc3442-classless-routes). Hooks are sourced, not executed.
2023-07-09T3355: import startup scripts from vyatta-cfg repo for vyos-routerChristian Breunig
2023-06-20T5303: Rsyslog.service is not workingcuongdt1994
warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.24.0 try http://www.rsyslog.com/e/2307 ]
2023-06-12T5282: remove systemd management directive for frr.serviceJohn Estabrook
frr.service startup and shutdown is now explicitly managed by vyos-router, so remove the systemd management directive.
2023-06-04dns: T5144: Streamline ddclient systemd service overrideIndrajit Raychaudhuri
Templatize systemd override for ddclient service and move the generated override files in /run. This ensures that the override files are always generated afresh after boot. Additionally, simplify the systemd override file by removing the redundant/superfluous overrides.
2023-05-29T5234: add bash prompt identifier for given Network namespaceChristian Breunig
2023-05-29T5234: extend color prompt with VRF instance nameChristian Breunig
2023-05-28router-advert: T5240: verify() that no more then 3 IPv6 name-servers configuredChristian Breunig
This is a radvd limitation.
2023-05-21T5234: add bash prompt identifier for given VRF instanceChristian Breunig
2023-05-08syslog: T2769: add VRF supportChristian Breunig
Allow syslog messages to be sent through a VRF (e.g. management).
2023-05-08syslog: T2778: migrate to get_config_dict()Christian Breunig
2023-04-10hostapd: T5151: Override ConditionFileNotEmptyAndrew Gunnerson
Debian's `debian/2%2.10-12` update of the hostap packaging added a ConditionFileNotEmpty directive for `/etc/hostapd/<...>` paths, which doesn't match the `/run/hostapd/<...>` paths that VyOS uses. This commit updates the override file to use the proper VyOS paths. https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-04opennhrp: T5135: Rewritten opennhrp script using vyos.ipsecaapostoliuk
Rewritten opennhrp script using vyos.ipsec library
2023-04-03T5141: Add numbers for dhclient-exit-hooks.d to enforce orderViacheslav Hletenko
Add numbers for all dhclient-exit-hooks.d to enforce script order execution Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1' it is described in the https://vyos.dev/T4856, so we should move this hook to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
2023-03-29frr: T5045: remove LimitNOFILESoftChristian Breunig
Commit cb872efb ("frr: T5045: lift LimitNOFILE 1024 -> 4096") added both LimitNOFILE and LimitNOFILESoft parameters for FRR, as "systemctl cat frr.service" showed both versions. During daemon startup systemd complains: Unknown key name 'LimitNOFILESoft' in section 'Service', ignoring. So the key got removed again.
2023-03-11keepalived: T5003: remove Debian default config path from ConditionFileNotEmptyChristian Breunig
Also ExecReload is a duplicate of the base service file
2023-03-11keepalived: T5003: move to Debian upstream versionChristian Breunig
2023-03-07frr: T5045: lift LimitNOFILE 1024 -> 4096Christian Breunig
Lift the amount of allowed open file descriptors for the FRR process tree. Required if there are hundreds to thousands interfaces on a system.
2023-02-26T4997: add dhcp client user hooksbri
This commit adds a script to run user-defined hook scripts upon renewing a DHCP lease. This can be used to, for example, dynamically define a firewall address-group based on the dynamic IP address of an interface. For an example of its use (as well as the use case I had in mind while coding this), see https://vyos.dev/T2196#142394 Co-authored-by: br <git@ibeep.com>
2023-02-13debian: T5003: Fixes dynamic DNS for Bookwormsarthurdev
2023-02-12T5001: Replace links to the phabricator siteChristian Breunig
Replace links to the phabricator site from https://phabricator.vyos.net to https://vyos.dev
2023-02-04T4975: always sync() filesystem after commitChristian Breunig
2023-01-27sysctl: T4928: remove outdated conntrack_helperMartin Böh
This sysctl has been removed from kernel 6.0.X onwards but its removal was skipped when upgrading the kernel. See: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter?id=b118509076b39cc5e616c0680312b5caaca535fe
2023-01-17ifb: T4938: add Python implementation for input function block interfacesChristian Breunig
2022-12-23ipsec: T2816: do not explicitly call intepreter for python scriptChristian Poessinger
Our python scripts use the shebang logic to set an intepreter - we should rely on this and not use an external interpreter in front of the helper.
2022-12-11sstp: T4384: initial implementation of SSTP client CLIChristian Poessinger
vyos@vyos# show interfaces sstpc sstpc sstpc10 { authentication { password vyos user vyos } server sstp.vyos.net ssl { ca-certificate VyOS-CA } }
2022-11-15T4815: ip-up/down scripts needs the executable bitYuxiang Zhu
ip-up/down scripts added in https://github.com/vyos/vyos-1x/pull/1656 need the executable bit.
2022-11-14T4815: Fix various name server config issuesYuxiang Zhu
1. When a PPPoE session is connected, `pppd` will update `/etc/resolv.conf` regardless of `system name-server` option unless `no-peer-dns` is set. This is because `pppd` vendors scripts `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`, which updates `/etc/resolv.conf` on PPPoE connection and reverts the change on disconnection. This PR removes those scripts and adds custom scripts to update name server entries through `vyos-hostsd` instead. 2. There is a typo in `/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf, which misspells variable name `new_dhcp6_name_servers` as `new_dhcpv6_name_servers`. This causes IPv6 name server entries in `vyos-hostsd` not updated when dhclient receives nameservers from DHCPv6. 3. Regular expressions in scripts under `/etc/dhcp/dhclient-enter-hooks.d` and `/etc/dhcp/dhclient-exit-hooks.d/` are not enclosed in `^$`, so those IPv4 related branches (like `BOUND`) could be mistakenly executed when an IPv6 reason (like `BOUND6`) is given.
2022-10-14T4533: Allow basic permissions to unprivileged RADIUS usersViacheslav Hletenko
Unprivileged RADIUS users cannot do simple diagnostics like ping or traceroute. Allow them such tools. Ability to execute op-mode commands for them. It is not new 'operator mode' feature but it allows RADIUS users execute op-mode commands
2022-10-13monitoring: T4746: Add exception if we do not have firewall rulesViacheslav Hletenko
Telegraf checks the firewall table 'vyos_filter' but it we don't have any firewall in the system we don't have this table by default It cause commit error for "service monitoring" Add exception if the table "vyos_filter" is not found
2022-09-26ethernet: T4689: support asymetric RFS configuration on multiple interfacesChristian Poessinger
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS (Receive Flow Steering)") always adjusted the global rps_sock_flow_entries configuration. So if RFS was enabled for one NIC but not the other - it did not work. According to the documentation: RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by default for SMP). The functionality remains disabled until explicitly configured. The number of entries in the global flow table is set through: /proc/sys/net/core/rps_sock_flow_entries The number of entries in the per-queue flow table are set through: /sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt Both of these need to be set before RFS is enabled for a receive queue. Values for both are rounded up to the nearest power of two. The suggested flow count depends on the expected number of active connections at any given time, which may be significantly less than the number of open connections. We have found that a value of 32768 for rps_sock_flow_entries works fairly well on a moderately loaded server. This commit sets rps_sock_flow_entries via sysctl on bootup leafing the RFS configuration to the interface level.
2022-09-13firewall: T4605: Rename filter tables to vyos_filtersarthurdev
2022-08-27Merge pull request #1500 from aapostoliuk/T1070-sagittaChristian Poessinger
opennhrp: T1070: Fixed creating IPSEC tunnel to Hub
2022-08-27telegraf: T3872: replace local get_interfaces() function with ↵Christian Poessinger
Section.interface() Commit cfde4b49 ("ifconfig: T2223: add vlan switch for Section.interfaces()") added the functionality of the local get_interfaces() function to the base class so all other parts in the system can query for interface names of a given type including or excluding their vlan sub-interfaces.
2022-08-26opennhrp: T1070: Fixed creating IPSEC tunnel to Hubaapostoliuk
Fixed creating IPSEC tunnel to Hub. Added continues of execution generator functions.
2022-08-24opennhrp: T1070: Fixed removal all SAs in scriptaapostoliuk
Fixed removal all dmvpn SAs. Changed vici terminate by child-sa name on terminate by ike-id
2022-08-19ethernet: T4538: fix wrong systemd unit used for EAPoLChristian Poessinger
When MACsec was bound to an ethernet interface and the underlaying source-interface got changed (even description only) this terminated the MACsec session running on top of it. The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed lead to the fact that wpa_supplicant was always stopped when anything happened on the underlaying source-interface that was not related to EAPoL.
2022-08-02hostap: T4584: add Debian specific options to systemd unit filesChristian Poessinger