| Age | Commit message (Collapse) | Author |
|
According to [1] rijndael-cbc@lysator.liu.se is an alias for aes256-cbc which
was standardized in RFC4253 (2006).
This changes the migrator implementation to not only delete the old
"rijndael-cbc@lysator.liu.se" cipher from the CLI and set the new, standardized
aes256-cbc SSH cipher.
1: https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this
minor detail.
|
|
According to an Arch Linux forum discussion, the cipher
rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7.
References:
- https://bbs.archlinux.org/viewtopic.php?id=188613
- https://www.openssh.org/txt/release-6.7
- https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
While producing all configtest assert files for VyOS 1.4 it was noted that
the the isis-small testcase from fails. This config fragment is not properly
migrated when updating from VyOS 1.3.0-rc1 -> 1.4 and using IS-IS.
protocols {
isis FOO {
interface eth1 {
bfd
}
net 49.0001.1921.6800.1002.00
redistribute {
ipv4 {
connected {
level-2 {
route-map EXPORT-ISIS
}
}
}
}
}
}
and results in loosing IS-IS connectivity. This is due the fact that
config.rename() does not work when only using the base tagNode.
|
|
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
|
|
ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`
|
|
syslog: T8059: migrate host:port node names to the new syntax with a dedicated port option
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
If any dynamic rule is configured forwarding should be disabled because each
packet must be processed through the NAT session table to apply proper
translations
|
|
with a dedicated port option
|
|
When migrating from VyOS 1.3 to 1.4, OpenVPN interfaces sharing the same
certificate (chain) end up getting duplicated certificate entries, one per
interface — instead of reusing a single cert if applicable.
This change makes the migration logic detect shared certificates and reuse a
single CA and server certificate objects, preventing redundant certificate
entries in the config.
|
|
syslog: T4251: Rename "permitted-peers" to "permitted-peer" and improve TLS checks
|
|
- Drop "tls enable" node (make "tls" a standalone key).
- Split "tls permitted-peers" list by commas into multiple "tls permitted-peer" entries.
|
|
Commit f08a5700e7 ("dhcpv6: T7646: restore missing default route after upgrade")
introduced a regression affecting both non-VIF and VIF interfaces.
The addressing mode check in the migration logic was incorrect for both cases.
For non-VIF interfaces, the migration was skipped entirely due to a missing
configuration test. For VIF (VLAN) interfaces, the existing test always
evaluated to true, since it incorrectly assumed that DHCPv6 was configured
even when a static address was present.
Smoketests have been extended to cover for these cases.
|
|
Execute commands for vpp sflow with API calls. Use values for polling interval and sampling rate from 'system sflow'. Add op-mode command
|
|
Remove no-syscall-lock from CLI and enable this option if interrupt/adaptive mode is enabled and workers are configured.
Also forbid interrupt mode for ixgbevf driver
|
|
This reverts commit d871fe9c4c65de87232802ed54b263c9b2824391.
|
|
This reverts commit 85fe32f0e1a91a47fe4a6d4a5cdd6ac516dcc3b9.
|
|
This reverts commit 3f8404ac78e1a31e8afcacc6ce8e7331130d2093.
|
|
|
|
bgp: T7760: remove per vrf instance system-as node
|
|
T75: migrate from pmacct to ipt_NETFLOW
|
|
* Change nft to iptables in system_flow-accounting.py as ipt_NETFLOW
is iptales plugin
* Remove specific and non-relevant pmacct options
* Add ipt_NETFLOW options
* Move 'interfaces' to 'netflow' tree
* Support more flexible 'source-address' and 'source-interface' for
each server instead of one source
* Add migration script
* Update op mode command 'show flow-accounting'
* Update op mode command 'restart flow-accounting'
|
|
Commit de44c6aef249 ("interface: T7379: do not request SLAAC default route when
only DHCPv6 is set") introduced a behavioral change while addressing an earlier
issue fixed in e9fb2078d5ea ("interface: T7375: SLAAC assigned address is not
cleared when removing SLAAC").
This change caused unintended connectivity loss after upgrading to VyOS 1.4.3.
The underlying reason is that VyOS now requires explicit configuration to
determine how IPv6 addressing and routing should be handled, rather than making
assumptions: Requesting a DHCPv6 address alone will correctly assign an address.
However, since the IPv6 default route is typically advertised via SLAAC (and not
DHCPv6), SLAAC must also be explicitly enabled to receive the default route.
Historically, this distinction was implicit and did not require additional
configuration.
To preserve backward compatibility, a configuration migrator has been added.
It inspects existing configurations that only request a DHCPv6 address and
automatically appends the required CLI node to also enable SLAAC, ensuring that
the default route is restored after upgrade.
|
|
VyOS 1.5 and onwards will no longer have the following CLI node available:
set vrf name <name> protocols bgp system-as <asn>
|
|
Originating from the bug in T7665. To avoid potential issues down the line - and
given that there's no compelling technical reason to retain the system-as CLI
node under per-VRF BGP configuration, which cannot be achieved through
alternative means - the maintainers have collectively decided to deprecate the
following command:
set vrf name <name> protocols bgp system-as <asn>
Starting with VyOS 1.4.4, this CLI command will be considered deprecated. While
it will still be accepted, it will no longer have any operational effect. A
deprecation warning will be displayed at commit time, indicating that the BGP
ASN from the global BGP configuration is now used instead.
A migration script will handle the transition and perform the following actions:
* Ensure a global BGP configuration exists; if not, initialize one.
* Iterate over all configured VRFs to determine whether a BGP instance exists
* For any insance, update the configuration to use the global system-as
and apply the local-as ASN no-prepend replace-as option on all affected
neighbors to preserve existing behavior.
* If a neighbor is already configured with a local-as directive, that neighbor
will be excluded from the migration process, as it already follows a custom
configuration.
* Add allowas-in per neighbor option. Required to not deny prefix received
updates due to as-path contains our own global ASN.
|
|
Added checks in the verify_rule() function of firewall.py for empty nodes.
Added migration script 19-to-20 to remove empty nodes from the config.
|
|
|
|
|
|
|
|
|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
1.3.x did not disallow an ip address as value of:
protocols static route addr next-hop-interface
Consequently, the case should be checked and handled during migration.
|
|
firewalls should always accept
|
|
journald
|
|
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
|
|
VyOS 1.4.1 implemented support for logging facilities for HAProxy. The
facilities got included from the syslog XML definition, which also added
"virtual" or non existing facilities in HAProxy, namely: all, authpriv and mark.
If any of the above facilities is set, HAProxy will not start.
The XML definition for syslog also came with an arbitrary log-level "all" that
is also unsupported in HAProxy.
This commit adds a migration script removing the illegal CLI nodes.
|
|
Migration from 1.3.x may not contain table entries, later required.
The migration script should not fail with error, leaving enforcement to
config scripts.
|
|
The migration script assumed the existence of path
['vrf', 'name', tag-val-name, 'protocols', 'static', 'route']
ignoring sole entries for [..., 'route6'].
Check existence of each path before calling set_tag.
|
|
kea: T7281: Add ping-check, use built-in option for classless static routes
|
|
ids: T7241: remove Fastnetmon from the base system
|
|
It will eventually be moved to an addon
|
|
|
|
policy: T7116: Remove unsupported use of BGP community "internet"
|
|
* wlb: T7196: Migrate interface wildcards to nftables format
* wlb: T7196: Fix exclude/interface verify check
* wlb: T7196: Extra sanity check on ipv4 address function
|
|
This has been split into a separate commit in case this is overkill for
the fix. 1.2 and 1.3 installs predate the change to FRR that removed support,
but "internet" is already broken on 1.4.
|
|
LLDP is a stateless protocol which does not necessitate sending to receive
advertisements. There are multiple scenarios such as provider peering links in
which it is advantageous to receive LLDP but not disclose internal information
to the provider.
Add new CLI command:
* set service lldp interface <name> mode [disable|rx-tx|rx|tx]
The default is unchanged and will be rx-tx.
Furthermore if an interface has an explicit LLDP disable configured under
"set service lldp interface <name> disable" this will be migrated to
"set service lldp interface <name> mode disable"
|
|
* set protocols bgp address-family <ipv4-unicast|ipv6-unicast> redistribute
table <n> [metric <n>] [route-map <name>]
|
|
Rsyslog supports individual VRFs per omfwd remote entry - so we should support
this, too.
|