| Age | Commit message (Collapse) | Author |
|
pki: T7976: calls to node_changed_presence() must use unmangled config paths
|
|
T7789: T7661: VPP prevent failing to load XDP in clouds (ena/gve drivers)
|
|
- Drop "tls enable" node (make "tls" a standalone key).
- Split "tls permitted-peers" list by commas into multiple "tls permitted-peer" entries.
|
|
Container networks are only started when there is at least one active consumer.
If a network is created without any attached containers, it does not need to be
assigned to a VRF yet.
When the last container in a pod is stopped, its associated container network
is removed. Upon container restart, the kernel recreates the network, but the
VRF assignment may be lost in the process.
This change ensures that all container networks are correctly reattached to
their designated VRFs when a pod restarts.
|
|
T7949: VPP add the ability to configure bond subinterfaces for NAT
|
|
T7980: Load active config on vyconfd restart
|
|
wlb: T7966: Restore default route when interface disconnects/reconnects
|
|
We do use mangled config paths where
pki = conf.get_config_dict(base, key_mangling=('-', '_'), ...
returns a config dict where "-" is replaced by "_" when assembling the config
dict keys.
This does not work when we throw the retrieved path into
ConfigDiff().node_changed_presence()
https://github.com/vyos/vyos-1x/blob/07936657062c/src/conf_mode/pki.py#L259-L265
Add orig_path key which is preferred over path.
|
|
|
|
To ensure consistency of vyconfd restart in the testing framework, defer
startup until execution of set_vyconf_backend.py. This will be restored
to vyos-router once vyos-boot-config-loader.py is adapted to vyconf.
|
|
pki: T7953: implement certbot_renew() function to have everything at one place
|
|
Some cloud NICs (ena, gve) fail to load XDP if all RX queues are configured. To
avoid this, we limit the number of queues to half of the maximum supported by the driver.
|
|
checks
- Renamed `permitted-peers` to `permitted-peer` across templates, schema, and tests.
- Added support for multiple `permitted-peer` entries and trimmed empty values.
- Replaced TLS/UDP warning with ConfigError for strict validation.
- Updated tests to use TCP for TLS and verified new validation logic.
|
|
|
|
T7797: VPP: switching from XDP to DPDK driver fails in cloud vm (hv_netvsc)
|
|
T6686: adds container health checks
|
|
PrivateTmp needs to be disabled, otherwise we can not load the current
VyOS configuration to reconfigure the service automatically when certbot
runs.
|
|
|
|
|
|
Commit f08a5700e7 ("dhcpv6: T7646: restore missing default route after upgrade")
introduced a regression affecting both non-VIF and VIF interfaces.
The addressing mode check in the migration logic was incorrect for both cases.
For non-VIF interfaces, the migration was skipped entirely due to a missing
configuration test. For VIF (VLAN) interfaces, the existing test always
evaluated to true, since it incorrectly assumed that DHCPv6 was configured
even when a static address was present.
Smoketests have been extended to cover for these cases.
|
|
pki: T7953: refactor internal dependency generation
|
|
T7896: Add frr profile selection
|
|
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
|
|
* dhcp-server: T3936: Added support for DHCP Option 82
This commit adds support in both the CLI and the underlying code for
DHCP Option 82 to be used to filter/route DHCP address assignments.
The primary use case for this is to support enterprise switches which
can "tag" DHCP requests with physical real world informaiton such as
which switch first saw the request and which port it originated from
(known in this context as remote-id and circuit-id). Once
client-classes have been defined they can be assigned to subnets or
ranges so that only certain addresses get assigned to specific
requests.
There is also a corresponding documentation update which pairs with
this code change.
(cherry picked from commit 326b5e713cb363a2b9f69e2204c4ee2ccd9939bb)
* Update src/conf_mode/service_dhcp-server.py
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
* Update src/conf_mode/service_dhcp-server.py
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
* Update interface-definitions/include/dhcp/dhcp-server-common-config.xml.i
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
Co-authored-by: Nataliia S. <81954790+natali-rs1985@users.noreply.github.com>
|
|
T7938: VPP: Rewrite sFlow implementation
|
|
|
|
|
|
|
|
|
|
|
|
The call to rc_cmd('podman inspect ...') determines whether a container image
scheduled for deletion has any ancestor containers still using it. Previously,
if the podman command wrote output to stderr, rc_cmd() would return that error
message alongside or instead of the ancestor container ID.
This caused subsequent podman calls to fail, as the error string was incorrectly
treated as a valid command argument. This change ensures only valid ancestor
IDs are returned.
This is a fix for commit a99ca6d11b5 ("op-mode: T7403: add option for forcefully
remove a container image")
|
|
|
|
|
|
|
|
T3680: protocols: add dhclient hooks for dhcp-interface static routes
|
|
frr: T7664: properly set log configuration during daemon startup
|
|
In large networks with many zones where simple allow/deny rules are not sufficient,
zones become tedious to manage. Many use cases can be simplified by providing an
ability to define a default ruleset for traffic from other zones. This change proposes
adding the follwing syntax:
set firewall zone <name> default_firewall name <name>
set firewall zone <name> default_firewall ipv6_name <name>
The proposed behavior is the following:
local in:
The default firewall ruleset for the local zone will be appended after all
from configurations.
local out:
If a non-local zone does not have a from local ruleset but does have a
default_firewall ruleset, the default_firewall ruleset will be appended using
oifname
forward:
The default firewall ruleset for the zone will be appended after all from
configurations
To keep the behavior consistent with from ruleset configurations, a return is appended
after the default_firewall ruleset.
The proposed behavior differs slightly from the default_policy configuration for the
local out chains. The default_policy applied in the out templates comes from the local
zone, not the actual outbound zone. The proposed change does not amend this, but does
make default_firewall logically consistent with the intent of the out rules.
|
|
kea: T7925: Improve error handling, validate IPv6 PD prefix length
|
|
Solves the problem that vyos-configs in FRRender caches configuation and
DHCP changes are ignored.
* Add src/helpers/vyos-request-configd-update.py that requests vyos-configd
to update FRR configuration.
* Make dhclient hooks use it instead of calling protocols_static.py
* Make FRRender cache not only configuration but also DHCP gateways so
that is any of them changes, FRR configuration is updated
|
|
|
|
Execute commands for vpp sflow with API calls. Use values for polling interval and sampling rate from 'system sflow'. Add op-mode command
|
|
T7946: log redirected stdout from FRRender
|
|
T5942: Make failover support dhcp-interface
|
|
T7930: VPP: Changing NAT44 settings resets `forwarding_enabled` to False
|
|
translation pool
|
|
Related to commits:
* fca49413f - frrender: T7664: do not log unique-id in syslog messages
* c4c339fb5 - frrender: T7664: reduce log level to notifications during
normal operation
* 7ff824f44 - frrender: T7664: add "log timestamp precision 3" global option
|
|
After T7855, logging of stdout from FRRender was dropped. Explicity log
redirected stdout in vyos-configd/commitd; restore parity of logging
between the two daemons.
|
|
Enable/disable NAT forwarding in vpp_nat.py script to prevent it's reset
|
|
The previous implementation used awk with a regex to extract the VRF name from
JSON data, relying on "(\w+)" to match the value. This broke for valid VRF
names containing hyphens or other non-word characters.
This update replaces the regex-based extraction with a jq query that reliably
parses the JSON structure, ensuring correct behavior regardless of VRF name
format. This also reduces parsing fragility by using a tool purpose-built for
JSON processing.
|