| Age | Commit message (Collapse) | Author |
|
During first boot after installing a new VyOS image, migrations are
executed before the filesystem is fully initialized.
At this point `/config` is not yet bind-mounted, causing auth files
(certificates, keys, credentials) for OpenVPN, WireGuard and Ethernet
EAPoL interfaces under `/config/auth` to be inaccessible even though they
exist under the underlying `/opt/vyatta/etc/config/auth` path which is
available at all boot stages.
Add fallback logic to `read_auth_file()` to retry the file lookup under
`/opt/vyatta/etc/config/auth` when the file is not found under `/config/auth`.
|
|
Previously, VyOS hardcoded the kernel boot log console to either ttyS0 or
tty0, with no post-install CLI method to change it (manual GRUB edits
were required).
This commit adds a new CLI node:
system console device <name> kernel
When set, the selected serial console is used as the kernel boot console.
When removed, the kernel boot console falls back to tty0.
|
|
firewall: T8281: Normalize network prefixes in rule configuration
|
|
Convert non-canonical IPv4 and IPv6 prefixes in 'source/destination address'
fields to proper network addresses (e.g. 10.10.10.1/30 -> 10.10.10.0/30).
This prevents invalid configurations and ensures consistent prefix handling.
|
|
Replace unsupported characters (e.g. `,`, `+`) with `_` when migrating
from 1.3.x and handle name collisions safely to prevent commit failures.
|
|
Fix typos and mistakes
No functional changes
|
|
T8410: Fix typos and mistakes for operational and configuration commands
|
|
protocol 'all'
Updated the migration script to ensure that when migrating firewall rules,
if a `port-group` exists, the protocol will be set to 'tcp_udp' only
when its previous value is 'all'.
|
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
|
|
openvpn: T8304: fix migration for des, bf128 or bf256 cipher; use 3des instead
|
|
This extends the CLI migration from commit 941c5adfaca2c7 ("openvpn: T5634:
Remove support for insecure DES and Blowfish ciphers") by not only deleting
insecure DES and Blowfish ciphers, but providing an alternative (3DES).
If no cipher is defined, this will result in OpenVPN service not starting at
all, as the implicit defined BF-CBC cipher is no longer supported by
OpenSSL 3.0.0.
|
|
section
|
|
|
|
|
|
|
|
Disabled "point-to-multipoint" mode for GRE interfaces, along with related "mode" node.
This mode relies on the 'teib' feature, which is not implemented yet.
|
|
|
|
|
|
|
|
|
|
(target version 6)
|
|
|
|
|
|
Remove `dpdk-options` under `set vpp settings interface <ethN>`
and move its child options to the interface level:
- `num-rx-desc`
- `num-rx-queues`
- `num-tx-desc`
- `num-tx-queues`
Also remove `set vpp settings interface <ethN> dpdk-options promisc`.
|
|
commands
Add `set vpp settings interfaces-rx-mode <polling|interrupt|adaptive>`
to configure RX mode for all interfaces. Raise error if any interface
does not support the selected mode.
Also remove per-interface rx-mode commands:
- `set vpp settings interface <name> rx-mode`
- `set vpp kernel-interfaces <name> rx-mode`
|
|
'resource-allocation'
Replace legacy VPP CPU settings (main-core, skip-cores, workers, corelist-workers) with a single resource-allocation cpu-cores option.
CPU assignment is now handled automatically: two cores are reserved for the system, the VPP main thread is placed on the first available core, and the remaining allocated cores are used as workers.
This simplifies configuration and ensures consistent CPU allocation.
|
|
Instead of `vpp settings unix poll-sleep-usec`
use `vpp settings poll-sleep-usec`.
|
|
|
|
|
|
This commit changes logging settings naming:
- before: `set vpp settings logging default-log-level <alert>`
- after: `set vpp settings logging default-level <alert>`
|
|
|
|
vpp: T8250: Rewrite the CLI for ACL tcp-flags
|
|
|
|
Handle absent `service dns dynamic address <iface> service` nodes
during 1-to-2 migration to prevent ConfigTreeError.
|
|
- Migration script removes 'driver' and 'xdp-options' nodes.
- XDP logic is commented out in config verification and CLI tests, preserving code for future use.
- The rest of XDP-related code remains untouched
|
|
pppoe-server: T8143: Set 'vpp-cp' option automatically if interface is in VPP
|
|
T7664: support FRR 10.5
|
|
|
|
In FRR 10.5 ip protocols
* connected
* kernel
* local
* table
* table-direct
are removed. First three in fb8e399e4f66d09780f176fbecb99168089e64eb,
table* in 7fd030504be060387694e8a2af7f19ddd7dee39d.
In `ip protocols`, `ipv6 protocols` and `vrf` VyOS supports
* connected
* kernel
* table
Remove these from CLI, add migration scripts, update tests.
|
|
- Introduced new CLI option 'data-ciphers-fallback' for OpenVPN interfaces
(used as fallback cipher in site-to-site mode)
- Adjust migration 1‑to‑2 to skip migrating 'cipher' for site‑to‑site interfaces
|
|
According to [1] rijndael-cbc@lysator.liu.se is an alias for aes256-cbc which
was standardized in RFC4253 (2006).
This changes the migrator implementation to not only delete the old
"rijndael-cbc@lysator.liu.se" cipher from the CLI and set the new, standardized
aes256-cbc SSH cipher.
1: https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this
minor detail.
|
|
According to an Arch Linux forum discussion, the cipher
rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7.
References:
- https://bbs.archlinux.org/viewtopic.php?id=188613
- https://www.openssh.org/txt/release-6.7
- https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
While producing all configtest assert files for VyOS 1.4 it was noted that
the the isis-small testcase from fails. This config fragment is not properly
migrated when updating from VyOS 1.3.0-rc1 -> 1.4 and using IS-IS.
protocols {
isis FOO {
interface eth1 {
bfd
}
net 49.0001.1921.6800.1002.00
redistribute {
ipv4 {
connected {
level-2 {
route-map EXPORT-ISIS
}
}
}
}
}
}
and results in loosing IS-IS connectivity. This is due the fact that
config.rename() does not work when only using the base tagNode.
|
|
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
|
|
ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`
|
|
syslog: T8059: migrate host:port node names to the new syntax with a dedicated port option
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
If any dynamic rule is configured forwarding should be disabled because each
packet must be processed through the NAT session table to apply proper
translations
|