| Age | Commit message (Collapse) | Author |
|---|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
1.3.x did not disallow an ip address as value of:
protocols static route addr next-hop-interface
Consequently, the case should be checked and handled during migration.
|
|
firewalls should always accept
|
|
journald
|
|
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
|
|
VyOS 1.4.1 implemented support for logging facilities for HAProxy. The
facilities got included from the syslog XML definition, which also added
"virtual" or non existing facilities in HAProxy, namely: all, authpriv and mark.
If any of the above facilities is set, HAProxy will not start.
The XML definition for syslog also came with an arbitrary log-level "all" that
is also unsupported in HAProxy.
This commit adds a migration script removing the illegal CLI nodes.
|
|
Migration from 1.3.x may not contain table entries, later required.
The migration script should not fail with error, leaving enforcement to
config scripts.
|
|
The migration script assumed the existence of path
['vrf', 'name', tag-val-name, 'protocols', 'static', 'route']
ignoring sole entries for [..., 'route6'].
Check existence of each path before calling set_tag.
|
|
kea: T7281: Add ping-check, use built-in option for classless static routes
|
|
ids: T7241: remove Fastnetmon from the base system
|
|
It will eventually be moved to an addon
|
|
|
|
policy: T7116: Remove unsupported use of BGP community "internet"
|
|
* wlb: T7196: Migrate interface wildcards to nftables format
* wlb: T7196: Fix exclude/interface verify check
* wlb: T7196: Extra sanity check on ipv4 address function
|
|
This has been split into a separate commit in case this is overkill for
the fix. 1.2 and 1.3 installs predate the change to FRR that removed support,
but "internet" is already broken on 1.4.
|
|
LLDP is a stateless protocol which does not necessitate sending to receive
advertisements. There are multiple scenarios such as provider peering links in
which it is advantageous to receive LLDP but not disclose internal information
to the provider.
Add new CLI command:
* set service lldp interface <name> mode [disable|rx-tx|rx|tx]
The default is unchanged and will be rx-tx.
Furthermore if an interface has an explicit LLDP disable configured under
"set service lldp interface <name> disable" this will be migrated to
"set service lldp interface <name> mode disable"
|
|
* set protocols bgp address-family <ipv4-unicast|ipv6-unicast> redistribute
table <n> [metric <n>] [route-map <name>]
|
|
Rsyslog supports individual VRFs per omfwd remote entry - so we should support
this, too.
|
|
The previously "global" options actually were only relevant for the local
logging to /var/log/messages.
|
|
|
|
Move "global preserve-fqdn" one CLI level up, as it relates to all logging
targets (console, global and remote).
|
|
|
|
|
|
Should be added as runtime option similar to "terminal monitor" known from
other vendors.
|
|
|
|
With T3008 we moved from ntpd to chrony. This came with a restructuring of the
CLI (mainly moving ntp out of system to services). In addition the definition
of a server was made mandatory.
The bug itself manifests at a more crucial point - config migration
vyos-router[1265]: Migration script error: /opt/vyatta/etc/config-migrate/migrate/ntp/1-to-2:
[Errno 1] failed to run command: ['/opt/vyatta/etc/config-migrate/migrate/ntp/1-to-2',
'/opt/vyatta/etc/config/config.boot']
vyos-router[1265]: returned: - op: copy old_path: ['system', 'ntp'] new_path: ['service', 'ntp']
vyos-router[1265]: - op: delete path: ['system', 'ntp']
The fix is that we will no longer migrate an empty ntp CLI node from the old
syntax to the new.
|
|
|
|
Fixed network-id migration.
Every tunnel should have its own nhrp network-id.
|
|
NHRP migration to FRR
|
|
VRF support was introduced in VyOS 1.4.0. If a VRF is added as an interface in
the zone based firewall, it will be migrated to the new syntax.
OLD:
set firewall zone FOO interface RED
set firewall zone FOO interface eth0
NEW:
set firewall zone FOO member vrf RED
set firewall zone FOO member interface eth0
|
|
Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
|
|
interfaces attached to VRFs
|
|
|
|
|
|
Consolidate "multicast interface-route" and "multicast route" under common
"mroute <x.x.x.x/y>" CLI node.
|
|
Migrate "set protocols static route <x.x.x.x/x> next-hop <y.y.y.y> bfd multi-hop
source <z.z.z.z> profile <NAME>" to: "set protocols static route <x.x.x.x/x>
next-hop <y.y.y.y> bfd profile bar"
FRR supports only one source IP address per BFD multi-hop session. VyOS
had CLI cupport for multiple source addresses which made no sense.
|
|
- Fixed handling of flow isolation parameters.
- Corrected support for `nat` and `nonat` in flow isolation.
- Extended RTT values to cover the full range supported by `tc`.
- Make migration script 2-to-3 qos
|
|
|
|
|
|
|
|
|
|
|
|
and return an empty list in that case
(handy for migration scripts and the like)
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
This patch on #3616 will only attempt to fix ipsec matches in rules if the
firewall config tree passed to migrate_chain() has rules attached.
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
|
|
|
|
defined in zone policy.
|
