summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2026-01-05Merge pull request #4933 from c-po/eth-fixChristian Breunig
ethernet: T8142: do not raise ValueError for non-existing interfaces
2026-01-05T7098: Fix VPP MTU misconfigurationNataliia Solomko
2026-01-05Merge pull request #4618 from giga1699/T7635Viacheslav Hletenko
T7635: OpenConnect Certificate Authentication
2026-01-05Merge pull request #4934 from giga1699/T8145Christian Breunig
T8145: LUKS Encryption Passphrase Observable
2026-01-05ipsec: T8022: Fix invalid automatic `dynamic` prefix assignment for ↵Oleksandr Kuchmystyi
transport mode tunnels When ESP was configured in transport mode for GRE-based site-to-site tunnels, the default value `dynamic` was automatically injected into the configuration, even though prefixes must not be set in transport mode. This led to error "Local/remote prefix cannot be used with ESP transport mode" and commit failures. This fix updates configuration logic to skip default prefix assignment for site-to-site peers using ESP transport mode tunnels.
2026-01-04ethernet: T8142: do not raise ValueError for non-existing interfacesChristian Breunig
Call verify_interface_exists() with state_required=True to ensure the interface exists physically and is recognized by the kernel, rather than relying on its presence in the CLI configuration. Unlike bridge or bond interfaces, Ethernet interfaces are not virtual and must be physically present. Ethtool() instance can only be created when the physical interface exists, otherwise a ValueError is raised.
2026-01-03T8146: Encryption without TPM confirm keyGiga Murphy
2026-01-03T8145: LUKS Encryption Passphrase ObservableGiga Murphy
2026-01-01nat66: T8139: add support for NAT66 source groupsMarius Lindvall
Copy the support for NAT66 destination groups (commit f96733dd and commit 43554efc) over to NAT66 source groups as well. Change the existing smoketest for NAT66 groups to also cover a source group use-case example.
2025-12-30Update src/conf_mode/vpn_openconnect.pyDaniil Baturin
2025-12-30Merge pull request #4918 from c-po/no-pki-default-nodeDaniil Baturin
config: T8124: make get_config_dict() pki={} node purely optional
2025-12-29Merge pull request #4917 from c-po/bond-no-always-remove-memberChristian Breunig
bond: T2416: support hot-add/remove of bond member interfaces
2025-12-29T7635: OpenConnect Certificate AuthenticationGiga Murphy
2025-12-26config: T8124: make get_config_dict() pki={} node purely optionalChristian Breunig
Automatic parsing and integration of the PKI subsystem into the resulting config dict is now enabled by passing with_pki=True to get_config_dict(). However, when no PKI configuration is present, the resulting dictionary still includes an empty PKI key. This is undesirable; we should only include keys in the dictionary when they contain relevant data.
2025-12-26bond: T2416: support hot-add/remove of bond member interfacesChristian Breunig
Previously, adding or removing a bond member interface would force the entire bond into an admin-down state, removing and re-adding all member interfaces. This caused unnecessary link up/down events and excessive log noise on partner devices. This change refactors the code to allow hot-adding and removal of bond member interfaces without disrupting existing members, minimizing link state changes and log entries.
2025-12-26bond: T2416: rename bond slave terminology to member interfacesChristian Breunig
2025-12-23Merge pull request #4913 from natali-rs1985/T7203Daniil Baturin
vpp: T7203: Add op-mode to show bridge-domain
2025-12-23Merge pull request #4904 from natali-rs1985/T8080Daniil Baturin
vpp: T8080: Fix handling of configuration system lock after vpp commit failure
2025-12-23vpp: T7203: Add op-mode to show bridge-domainNataliia Solomko
2025-12-23vpp: T8080: Fix handling of configuration system lock after vpp commit failureNataliia Solomko
2025-12-19bond: T8084: disallow bond members that do not support MAC changesChristian Breunig
Building on commit ba60266ab1896 (“ethernet: T8084: prevent MAC changes on ENA interfaces (AWS EC2)”), add safeguards to prevent interfaces from being used as bond members if they: * do not support MAC address changes, or * appear on a denylist of interfaces invalid for bonding (currently empty)
2025-12-19ethernet: T8084: prevent MAC changes on ENA interfaces (AWS EC2)Christian Breunig
Add a safeguard to block MAC address changes when the underlying driver is ENA (used on AWS EC2), and display a clear error message instead of raising "OSError: [Errno 95] Operation not supported."
2025-12-19bond: T8084: refactor verify() to remove duplicationChristian Breunig
Consolidate repeated helper function calls used for both bonded and non-bonded Ethernet interfaces, resulting in cleaner and more maintainable code.
2025-12-19bond: T8084: remove dynamic interface type detection via vyos.ifconfig.SectionChristian Breunig
Aggregated / bonded interfaces do only work with ethernet interfaces as underlaying link. There is no need to "dynamically" detect that eth0, eth1 or any other interface starting with eth is an ethernet interface. Remove calls to vyos.ifconfig.Section().
2025-12-19T8110: "list_interfaces --bondable" must not return VLAN subinterfacesChristian Breunig
Inspired by the regex used for "set interfaces ethernet" adjust the regex to match for interfaces acting as a bond member interface. This has been changed to also include (in addition to eth) lan, eno, ens prefixed physical interfaces.
2025-12-19T7995: Fix UnboundLocalError for key in parse_cmdlineNataliia Solomko
2025-12-18Merge pull request #4903 from c-po/ssh-migrate-aes256-cbcDaniil Baturin
ssh: T8098: migrate "rijndael-cbc@lysator.liu.se" to "aes256-cbc" cipher
2025-12-18Merge pull request #4875 from natali-rs1985/T7995Daniil Baturin
T7995: Add capability to start VPP dataplane during system deployment
2025-12-18Merge pull request #4890 from natali-rs1985/T7954Daniil Baturin
vpp: T7954: Add op-mode commands to show LACP
2025-12-18T7995: Add capability to start VPP dataplane during system deploymentNataliia Solomko
Kernel command-line change detection and automatic system reboot via kexec during initial deployment
2025-12-18Merge pull request #4899 from xTITUSMAXIMUSX/currentJohn Estabrook
T8026: Fixed session commit for the generate router
2025-12-17login: T8086: replace getpwnam()/getpwuid() with get_local_passwd_entries()Christian Breunig
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid NSS/TACACS timeouts").
2025-12-17login: T8086: replace getpwall() occurances with get_local_passwd_entries()Christian Breunig
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid NSS/TACACS timeouts").
2025-12-17login: T8086: replace getpwall() user enumeration to avoid NSS/TACACS timeoutsChristian Breunig
The previous implementation of "system login" relied on Python's pwd.getpwall() to enumerate user accounts. This forces a full walk through the NSS stack, which is acceptable in general but problematic for our use-case. VyOS only needs information about locally created accounts and not remote accounts provided via AAA backends such as TACACS or RADIUS. When TACACS servers are unreachable, NSS lookups become extremely slow due to repeated timeouts. As a result, any operation triggering pwd.getpwall() (including configuration commits) can stall for several minutes. This change introduces a dedicated helper, get_local_passwd_entries(), which reads /etc/passwd directly and avoids NSS entirely. Since only local UIDs are relevant, this provides all required data with no external dependencies. Performance improvement on VyOS 1.4.3 with two unreachable TACACS servers: # set system login tacacs server 192.168.1.50 key test123 # set system login tacacs server 192.168.1.51 key test123 # time commit Before: real 3m29.825s user 0m0.329s sys 0m0.246s After: real 0m1.464s user 0m0.337s sys 0m0.195s This significantly improves commit performance and removes sensitivity to AAA server outages.
2025-12-17vpp: T7954: Add op-mode commands to show LACPNataliia Solomko
2025-12-17ssh: T8098: migrate "rijndael-cbc@lysator.liu.se" to "aes256-cbc" cipherChristian Breunig
According to [1] rijndael-cbc@lysator.liu.se is an alias for aes256-cbc which was standardized in RFC4253 (2006). This changes the migrator implementation to not only delete the old "rijndael-cbc@lysator.liu.se" cipher from the CLI and set the new, standardized aes256-cbc SSH cipher. 1: https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
2025-12-16Merge pull request #4901 from jestabro/vyos-op-run-when-rootJohn Estabrook
T8103: add root to those allowed to call op-run commands directly
2025-12-15T8103: add root to those allowed to call op-run commands directlyJohn Estabrook
2025-12-14T8026: Fixed missing session commit for the generate routerxTITUSMAXIMUSX
2025-12-14ssh: T8098: rename "ciphers" CLI node to "cipher"Christian Breunig
Follow VyOS CLI best practices for using singular whenever possible to build a CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this minor detail.
2025-12-14ssh: T8098: remove support for deprecated "rijndael-cbc@lysator.liu.se" cipherChristian Breunig
According to an Arch Linux forum discussion, the cipher rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7. References: - https://bbs.archlinux.org/viewtopic.php?id=188613 - https://www.openssh.org/txt/release-6.7 - https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
2025-12-14ssh: T8090: add support for config test mode (sshd -t)Christian Breunig
Add a safety-net for development to check if the rendered sshd(8) configuration can be applied at all. If it can't be applied - throw an error. From https://linux.die.net/man/8/sshd: -t Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change. Explicitly forcing a broken config now results in: vyos@vyos# commit [ service ssh ] Unexpected error with SSH configuration! /run/sshd/sshd_config line 21: X11DisplayOffset integer value invalid. [[service ssh]] failed Commit failed
2025-12-12isis: T8094: bugfix config migration from 1.3.0-rc1 -> 1.4Christian Breunig
While producing all configtest assert files for VyOS 1.4 it was noted that the the isis-small testcase from fails. This config fragment is not properly migrated when updating from VyOS 1.3.0-rc1 -> 1.4 and using IS-IS. protocols { isis FOO { interface eth1 { bfd } net 49.0001.1921.6800.1002.00 redistribute { ipv4 { connected { level-2 { route-map EXPORT-ISIS } } } } } } and results in loosing IS-IS connectivity. This is due the fact that config.rename() does not work when only using the base tagNode.
2025-12-11Merge pull request #4880 from natali-rs1985/T7972Viacheslav Hletenko
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
2025-12-11Merge pull request #4889 from cpcowart/cc/fix-dhcpv6-renew-gateViacheslav Hletenko
T8078: dhcpv6: allow lease renew for pd & parameters
2025-12-10T7819: VPP do not override driver if it is already doneViacheslav Hletenko
The upstream VPP code already writes the ena device ID to new_id So we can remove `ena` from `override_driver()` The kernel does not provide a reliable way to check whether an ID has already been registered, so we simply attempt the write and ignore the FileExistsError. Any other failure is treated as a warning. Fixes this case: Traceback (most recent call last): File "/usr/libexec/vyos/services/vyos-configd", line 156, in run_script script.apply(c) File "/usr/libexec/vyos/conf_mode/vpp.py", line 613, in apply control_host.override_driver( File "/usr/lib/python3/dist-packages/vyos/vpp/control_host.py", line 138, in override_driver Path('/sys/module/vfio_pci/drivers/pci:vfio-pci/new_id').write_text( File "/usr/lib/python3.11/pathlib.py", line 1079, in write_text with self.open(mode='w', encoding=encoding, errors=errors, newline=newline) as f: FileExistsError: [Errno 17] File exists
2025-12-09T8078: dhcpv6: allow lease renew for pd & parametersChris Cowart
The renew command will refuse to restart the dhcp6c process for an interface unless it is configured to request an address, but the client may also be running to manage parameters and/or prefix delegations.
2025-12-08tech-support: T7134: add topology snapshot generation using `hwloc` packageOleksandr Kuchmystyi
This enhances diagnostic capabilities by providing hardware topology visuals within support archives.
2025-12-07Merge pull request #4885 from dmbaturin/T8056-deprecate-salt-minionChristian Breunig
salt: T8056: add a deprecation warning
2025-12-05Merge pull request #4888 from dmbaturin/T7810-fix-pppoe-resetViacheslav Hletenko
op-mode: T7810: fix broken 'reset connection' command