| Age | Commit message (Collapse) | Author |
|
geoip: T8590: fix initialization failure and set clobbering on boot and commit
|
|
Add two enhancements to the `show conntrack table` op-mode command:
- Display per-flow packet and byte counters (original and reply
direction).
- Add VRF filter option `show conntrack table <ipv4|ipv6> vrf <vrf-name>`
that maps VRF name to its conntrack table ID and
passes `--orig-zone` to the underlying conntrack call.
|
|
ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers
|
|
openvpn: T6478: Skip restart service when only client config changed
|
|
pki: T8877: Add ability to show private key in pem format
|
|
Policy: T8823: validation of GE and LE according FRR instructions
|
|
wan: T8480: add suppress_prefixlength ip rules for internal routing
|
|
wwan: T8924: add UDEV configuration for USB modeswitch
|
|
conntrack: T8909: Remove connection id column from output table
|
|
wwan: T8412: Fix commit failure when modem is absent or not connected
|
|
This cleanup enhances readability and aligns the output
with the actual data being displayed.
|
|
OpenVPN server reads per-client files from `--client-config-dir` at connect
time. When only `interfaces openvpn vtunN server client <client>`
entries are modified there is no need to send SIGHUP or restart
the service - the new CCD files written by `generate()` will
be picked up automatically on the next client connection.
|
|
When using WWAN interfaces, the Linux kernel selects configuration 2 by
default, but that does not work with ModemManager - configuration 3 (MBIM mode)
is a better choice.
Add UDEV rules for Huawei ME906s-158 and HP LT4132 which is a re-brand of
Huawei ME906s-158 to properly set MBIM mode on system startup.
|
|
T8883: Fix restart PPPoE-server service when RADIUS settings change
|
|
Per RFC 3414 section 2.2 (Replay Protection), the `snmpEngineBoots`
counter must be stored in non-volatile storage and incremented on
every snmpd restart. VyOS was not persisting this value, causing
it to reset to 1 after every reboot.
SNMP managers cache the engineBoots value from previous sessions.
When VyOS resets the counter to 1 after reboot, managers reject
incoming SNMPv3 trap packets as "too old", producing errors such as:
```
usm: Message too old.
reboot count invalid
```
This change introduces `/config/snmp/engineboots.count` as a disk-backed
persist file and it uses to sync the counter into snmpd's conf
before the daemon starts.
|
|
`mmcli --simple-disconnect` can be called when the modem bearer is not active.
This causes cmd() to raise a `PermissionError` and abort the commit.
Handle the case gracefully so the configuration can be committed before the modem
is physically present or fully connected.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
|
|
wireguard: T8509: Add fwmark ip rules for VRF-bound interfaces
|
|
Restart the PPPoE server when RADIUS configuration is modified.
Previously, changes to settings such as `priority` and `backup`
were not applied until the service was restarted manually.
|
|
Generation of the firmware configuration file can be made contitional only if
the card is present/driver is loaded. The firmware configuration file itself
must not be explicitly set to be owned as root as the default is user root and
group vyattacfg.
|
|
|
|
(#5186)
The port availability check in `verify()` was using `front_config.get('address')`
which always resolved to `None`, causing the validator to treat any process
holding a given port number as a conflict regardless of which IP it was
bound to.
|
|
Add a check to determine whether the NIC supports hardware
timestamp receive filters required for NTP timestamping.
Implement the query in a new python/vyos/netlink/timestamp.py module
using pyroute2 generic netlink ETHTOOL_MSG_TSINFO_GET,
avoiding ethtool output parsing.
|
|
firewall (#5206)
sysctl values written by firewall global-options are overwritten when using
"system option performance" configuration on VyOS CLI. This is caused by a
missing dependency fall from system_option.py to the firewall CLI helper script.
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
Three related bugs prevented GeoIP nftables sets from being populated
correctly at boot and when incrementally modifying firewall or policy
route rules.
1. geoip_updated() always returned False
The previous implementation called node_changed() and then searched
the result with dict_search_recursive(changes, 'geoip'). This could
never match: node_changed() is annotated `-> list` and returns a flat
list of the immediate top-level child names whose subtree changed
(e.g. ['ipv4'] for the firewall path, or route names for policy
route). The 'geoip' key sits several levels deeper than those names,
so dict_search_recursive — which only walks dicts and lists for a
matching dict key — never yielded a hit, and geoip_updated() always
returned False. As a consequence, geoip_update() was never triggered
by an incremental add or change of a GeoIP rule; the only path that
ever populated /run/nftables-geoip.conf was the explicit \"update
geoip\" command or the fallback when geoip_refresh() failed.
Fix: bypass node_changed() and call get_config_diff() /
get_child_nodes_diff() directly with expand_nodes=Diff.ADD|Diff.DELETE
and recursive=True. In that mode, the 'add' and 'delete' values in
the returned dict are full nested subtrees of the config diff, so
dict_search_recursive correctly finds 'geoip' wherever it appears in
the change set.
2. GeoIP block executed unconditionally, breaking the boot sequence
geoip_sets() always returns {'name': [], 'ipv6_name': []}. A
non-empty dict is truthy in Python regardless of whether its values
are empty lists, so the guards \"if geoip_sets:\" and
\"if 'name' in geoip_sets:\" were always True.
On boot, when policy_route.py is invoked as a dependent of
firewall.py (triggered by group_resync), it entered the GeoIP block
even with no policy route GeoIP rules configured. Because
/run/nftables-geoip.conf did not yet exist, geoip_refresh() returned
False and geoip_update(policy=policy) was called with an empty
policy. This created /run/nftables-geoip.conf containing only empty
table stubs. When firewall.py subsequently called geoip_refresh(),
the file existed and nft loaded it successfully — so the
geoip_update(firewall) call was never reached and the firewall GeoIP
sets stayed empty for the entire uptime of the router.
Fix: check the actual list contents instead of the container dict:
if geoip_sets['name'] or geoip_sets['ipv6_name'].
3. geoip_update() clobbered the other caller's sets
geoip_update() renders /run/nftables-geoip.conf from both
firewall_sets and policy_sets in a single pass. When called with
only one argument (as firewall.py and policy_route.py each do), the
other argument defaulted to None and that half of the file was
rendered empty, erasing whatever the other script had written. The
geoip-update helper used by \"update geoip\" and the weekly cron was
unaffected because it always passes both arguments, which masked
this bug in normal manual operation.
Fix: when either argument is absent, read the missing config from
the live Config session before building the set tables, so every
invocation writes the complete combined firewall + policy file.
|
|
Add op-mode command having ability to show private
key in pem format as part of PKI configuration.
This is needed for users who want to render the
certificate and its private key.
|
|
Not all pyroute2 versions which ship IPRoute() support subscribing to RTNL
multicast groups. If subscribing fails, fallback to all messages.
|
|
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
Move to the re-implementation of the commit in progress check added in
commit 002d45b70efd ("vyos.commit: T8781: move from O(n) to O(1) for
commit_in_progress() checks").
|
|
message (#5199)
* vyos-netlinkd: T8781: do not call commit_in_progress() for EVERY netlink message
Signed-off-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one>
* vyos-netlinkd: T8781: restrict netlink subscription to link multicast group
Bind IPRoute with RTMGRP_LINK only so route/rule/neighbour/address updates
(e.g. full-table BGP) are not delivered to this socket.
Add a match wildcard so unexpected message types do not raise MatchError and
get logged as generic errors.
---------
Signed-off-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one>
Co-authored-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one>
|
|
T8831: smoketests: irregular PermissionError caused by systemctl stop
|
|
Failures appear during PPPoEIf.remove() -> flush_addrs() -> set_dhcpv6(False),
where disable uses self._cmd(f'systemctl stop ...'), which raises on any
non-zero exit code of cmd().
PermissionError: [Errno 1] is misleading: cmd() raises OSError(exit_code,
feedback); exit code 1 maps to PermissionError in Python 3, so logs point at
"permissions" while the real signal is systemctl stop returned 1 (job failure,
timeout, restart contention with Restart=always on dhcp6c@.service.
Add a small systemd teardown helper stop_systemd_unit() validating the return
codes from the "systemctl stop" calls.
|
|
|
|
|
|
|
|
|
|
strongSwan validation
Previously generated CRLs were missing the Authority Key Identifier and
CRL Number extensions required by strongSwan for certificate revocation
validation. Without these extensions, strongSwan silently ignores the CRL,
allowing revoked certificates to authenticate successfully.
The migration regenerates existing CRLs for all CAs that have a private
key available. CAs with passphrase-protected keys are skipped with a
warning, as the passphrase cannot be provided non-interactively
|
|
|
|
scripts
Bare except: catches everything derived from BaseException, including
SystemExit and KeyboardInterrupt. Config scripts must not silently
continue past sys.exit(), so replace bare except: with except Exception:
in the three config-mode scripts that contained one.
Library code (python/vyos/configverify.py, python/vyos/config.py) and
op-mode scripts are intentionally out of scope: those cases require
case-by-case design review (e.g. MTU lookups should accept defaults as
arguments rather than rely on exception handling; reset-style op-mode
scripts may legitimately want to ignore KeyboardInterrupt).
Sites changed:
- src/conf_mode/interfaces_ethernet.py (MTU adapter lookup)
- src/conf_mode/vpp_interfaces_bonding.py (MAC validation)
- src/conf_mode/container.py x2 (IPv4 / IPv6 prefix lookup)
|
|
|
|
(#5193)
Recently (commit 35db941bcf "serial: T8375: add CLI option to explicitly set
kernel console") we added the CLI knob to enable the Kernel and GRUB serial
console on a given device.
Currently this is supported for serial console interfaces starting with ttyS
and ttyAMA only. Main limitation is that these interfaces are wired to the CPU
and bootloader infos can be displayed.
|
|
|
|
WLB per-interface routing tables only contain a default route. When
LAN traffic is fwmarked by WLB nftables rules, ip rule policy routes
it to these tables where internal destinations (BGP, connected, DNAT)
have no matching route and incorrectly exit via WAN.
Add ip rule with table main suppress_prefixlength 0 before each
per-interface table rule. This checks the main routing table first
for specific routes but suppresses the default route, so only
internet-bound traffic falls through to WLB per-interface tables.
Signed-off-by: doctorpangloss <2229300+doctorpangloss@users.noreply.github.com>
|
|
* wan: T8481: scope flush-connections to WLB connection marks
flush-connections runs conntrack --delete which destroys all conntrack
entries system-wide, including unrelated NAT translations and
established connections that have nothing to do with WLB.
WLB tags every connection it manages with a conntrack mark via the
wlb_mangle_isp_<ifname> chain (ct mark set 0xc9, 0xca, etc.). Scope
the flush to these marks so only WLB-managed connections are affected.
Signed-off-by: doctorpangloss <2229300+doctorpangloss@users.noreply.github.com>
* wan: T8481: replace conntrack deletion from state changed block
---------
Signed-off-by: doctorpangloss <2229300+doctorpangloss@users.noreply.github.com>
Co-authored-by: doctorpangloss <2229300+doctorpangloss@users.noreply.github.com>
|
|
dhcp-relay: T8760: Remove redundant deprecation warning for legacy interface option
|
|
When a WireGuard interface has both fwmark and VRF configured, outgoing
tunnel packets marked with the fwmark were not routed into the correct
VRF routing table, causing them to hit the l3mdev unreachable rule instead.
Add an ip rule at priority 1998 (after l3mdev at 1000 and before l3mdev
unreachable at 2000) to route fwmark-tagged packets into the correct
VRF routing table.
|
|
|