summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2026-06-02http-api-client: T8955: enable TLS verification by defaultfix/T8955-http-api-verify-tlsYuriy Andamasov
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by default. The sole consumer, src/op_mode/config_sync.py, builds the client without passing verify_tls and therefore connected to a *remote* secondary VyOS node over HTTPS without verifying the certificate -- a MITM exposure on the channel that carries the API key and the full configuration. - ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str]; a string is forwarded to requests as a CA bundle path (verify=<path>). - InsecureRequestWarning is suppressed only when verification is explicitly disabled (verify_tls is False), not when a CA path or True is set. - config_sync reads an optional verify_tls from the secondary runtime settings, defaulting to False to preserve current behaviour for self-signed secondaries. The insecurity is now explicit at the call site instead of hidden in the library default. A first-class CLI knob (set service config-sync secondary verify-tls / ca-certificate, with XML + migration) is the follow-up. 🤖 Generated by [robots](https://vyos.io)
2026-05-28Merge pull request #5109 from statio/fix/vrf-aware-port-checkDaniil Baturin
T8454: fix VRF-bind port availability check in service_https
2026-05-28Merge pull request #5169 from jestabro/exclusive-mask-config-syncJohn Estabrook
T8502: Add exclusion mask to config-sync
2026-05-28T8916: add simple nosetest for subtree_from_partial utilityJohn Estabrook
2026-05-28T8502: add util for updating config-sync-exclude.jsonJohn Estabrook
2026-05-28T8502: add client support for config-sync excluded pathsJohn Estabrook
2026-05-28T8502: add server support for config-sync excluded pathsJohn Estabrook
2026-05-28Merge pull request #5074 from vyos/fix/bare-except-clausesViacheslav Hletenko
python: T8857: replace bare except clauses with except Exception in config scripts
2026-05-27T8454: fix VRF-bind port availability check in service_httpsLee Clements
When service https is configured with a listen-address on a VRF interface, adding or changing the vrf option causes the commit to fail with "TCP port 443 is used by another service!" even though no conflict exists. Root cause: check_port_availability() performs a socket.bind() in the default network namespace. When the listen-address belongs to a VRF interface the address is unreachable from the default namespace, so the bind fails with OSError which is misinterpreted as "port in use". The secondary check via is_listen_port_bind_service() also fails because psutil cannot see sockets bound inside a VRF. Fix: add an optional vrf parameter to check_port_availability(). When set, the test socket is bound to the VRF master device via SO_BINDTODEVICE before the bind() call, so that the address is resolved in the correct L3 domain. This is done in-process (no subprocess) and works for both IPv4 and IPv6. service_https verify() now passes the configured VRF (if any) to check_port_availability(). Non-VRF configurations are unaffected. Add smoke test for HTTPS with listen-address inside a VRF. Co-authored-by: Christian Breunig <christian@breunig.cc>
2026-05-27Merge pull request #5208 from alexandr-san4ez/T8538-currentChristian Breunig
snmp: T8538: Persist engineBoots counter across reboots
2026-05-27ipsec: T8912: Fix log level not respected in system journalOleksandr Kuchmystyi
When setting 'vpn ipsec logging log-level 0', DPD informational messages (log level 1) were still appearing in the system journal. The root cause is that charon-systemd reads both `charon-systemd.conf` and `charon-logging.conf` and applies the higher of the two log levels to the journal. The VyOS only managed `charon-systemd.conf`, leaving `charon-logging.conf` at its default level of 1, which silently overrode the user-configured level. Fix this by rendering `charon-logging.conf` on every commit with syslog backend set to -1 (silent), making `charon-systemd.conf` the sole authoritative source for journal log verbosity. This also eliminates duplicate log entries in the journal that occurred when both backends were active and writing to the same destination.
2026-05-26Merge pull request #5157 from xTITUSMAXIMUSX/currentJohn Estabrook
geoip: T8590: fix initialization failure and set clobbering on boot and commit
2026-05-26Merge pull request #5197 from alexandr-san4ez/T7555-currentViacheslav Hletenko
ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers
2026-05-26Merge pull request #5158 from alexandr-san4ez/T6478-currentDaniil Baturin
openvpn: T6478: Skip restart service when only client config changed
2026-05-26Merge pull request #5202 from indrajitr/T8877-pki-private-keyDaniil Baturin
pki: T8877: Add ability to show private key in pem format
2026-05-26Merge pull request #5179 from josephillips85/currentChristian Breunig
Policy: T8823: validation of GE and LE according FRR instructions
2026-05-26Merge pull request #5119 from AppMana/T8480Christian Breunig
wan: T8480: add suppress_prefixlength ip rules for internal routing
2026-05-25Merge pull request #5217 from c-po/wwan-modeswitchChristian Breunig
wwan: T8924: add UDEV configuration for USB modeswitch
2026-05-25Merge pull request #5218 from alexandr-san4ez/T8909-currentViacheslav Hletenko
conntrack: T8909: Remove connection id column from output table
2026-05-25Merge pull request #5216 from natali-rs1985/T8412Viacheslav Hletenko
wwan: T8412: Fix commit failure when modem is absent or not connected
2026-05-25conntrack: T8909: Remove connection id column from output tableOleksandr Kuchmystyi
This cleanup enhances readability and aligns the output with the actual data being displayed.
2026-05-25openvpn: T6478: Skip restart service when only client config changedOleksandr Kuchmystyi
OpenVPN server reads per-client files from `--client-config-dir` at connect time. When only `interfaces openvpn vtunN server client <client>` entries are modified there is no need to send SIGHUP or restart the service - the new CCD files written by `generate()` will be picked up automatically on the next client connection.
2026-05-25wwan: T8924: add UDEV configuration for USB modeswitchChristian Breunig
When using WWAN interfaces, the Linux kernel selects configuration 2 by default, but that does not work with ModemManager - configuration 3 (MBIM mode) is a better choice. Add UDEV rules for Huawei ME906s-158 and HP LT4132 which is a re-brand of Huawei ME906s-158 to properly set MBIM mode on system startup.
2026-05-22Merge pull request #5212 from sever-sever/T8883Christian Breunig
T8883: Fix restart PPPoE-server service when RADIUS settings change
2026-05-22snmp: T8538: Persist engineBoots counter across rebootsOleksandr Kuchmystyi
Per RFC 3414 section 2.2 (Replay Protection), the `snmpEngineBoots` counter must be stored in non-volatile storage and incremented on every snmpd restart. VyOS was not persisting this value, causing it to reset to 1 after every reboot. SNMP managers cache the engineBoots value from previous sessions. When VyOS resets the counter to 1 after reboot, managers reject incoming SNMPv3 trap packets as "too old", producing errors such as: ``` usm: Message too old. reboot count invalid ``` This change introduces `/config/snmp/engineboots.count` as a disk-backed persist file and it uses to sync the counter into snmpd's conf before the daemon starts.
2026-05-22wwan: T8412: Fix commit failure when modem is absent or not connectedNataliia Solomko
`mmcli --simple-disconnect` can be called when the modem bearer is not active. This causes cmd() to raise a `PermissionError` and abort the commit. Handle the case gracefully so the configuration can be committed before the modem is physically present or fully connected.
2026-05-22Merge pull request #5198 from indrajitr/T8862-dhcpv6-reservation-multiViacheslav Hletenko
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
2026-05-21ntp: T8601: add local stratum optionanderbak
2026-05-21Merge pull request #5175 from natali-rs1985/T8509Daniil Baturin
wireguard: T8509: Add fwmark ip rules for VRF-bound interfaces
2026-05-21T8883: Fix restart PPPoE-server service when RADIUS settings changeViacheslav Hletenko
Restart the PPPoE server when RADIUS configuration is modified. Previously, changes to settings such as `priority` and `backup` were not applied until the service was restarted manually.
2026-05-21wireless: mt7915e: de-nest code for firmware configuration fileChristian Breunig
Generation of the firmware configuration file can be made contitional only if the card is present/driver is loaded. The firmware configuration file itself must not be explicitly set to be owned as root as the default is user root and group vyattacfg.
2026-05-21wireless: T8528: add module config code for mt7916 based cardsAlain Lamar
2026-05-20load-balancing: T7928: Fix port conflict check to respect `listen-address` ↵Alexandr K.
(#5186) The port availability check in `verify()` was using `front_config.get('address')` which always resolved to `None`, causing the validator to treat any process holding a given port number as a conflict regardless of which IP it was bound to.
2026-05-20T7880: Add NTP hardware timestamp receive-filter compatibility check (#5160)Nataliia S.
Add a check to determine whether the NIC supports hardware timestamp receive filters required for NTP timestamping. Implement the query in a new python/vyos/netlink/timestamp.py module using pyroute2 generic netlink ETHTOOL_MSG_TSINFO_GET, avoiding ethtool output parsing.
2026-05-20T6933: fix "system option performance" overwrites sysctl parameters from ↵Christian Breunig
firewall (#5206) sysctl values written by firewall global-options are overwritten when using "system option performance" configuration on VyOS CLI. This is caused by a missing dependency fall from system_option.py to the firewall CLI helper script.
2026-05-20ipsec: T7555: Implement `ikev2-reauth` for site-to-site peersOleksandr Kuchmystyi
IKEv2 reauthentication was configurable via CLI but never translated into `swanctl.conf`. Add `reauth_time` to the peer connection template, driven by the `ikev2-reauth` flag on the ike-group and the per-peer override (yes/no/inherit).
2026-05-19geoip: T8590: fix initialization failure and set clobbering on boot and commitxTITUSMAXIMUSX
Three related bugs prevented GeoIP nftables sets from being populated correctly at boot and when incrementally modifying firewall or policy route rules. 1. geoip_updated() always returned False The previous implementation called node_changed() and then searched the result with dict_search_recursive(changes, 'geoip'). This could never match: node_changed() is annotated `-> list` and returns a flat list of the immediate top-level child names whose subtree changed (e.g. ['ipv4'] for the firewall path, or route names for policy route). The 'geoip' key sits several levels deeper than those names, so dict_search_recursive — which only walks dicts and lists for a matching dict key — never yielded a hit, and geoip_updated() always returned False. As a consequence, geoip_update() was never triggered by an incremental add or change of a GeoIP rule; the only path that ever populated /run/nftables-geoip.conf was the explicit \"update geoip\" command or the fallback when geoip_refresh() failed. Fix: bypass node_changed() and call get_config_diff() / get_child_nodes_diff() directly with expand_nodes=Diff.ADD|Diff.DELETE and recursive=True. In that mode, the 'add' and 'delete' values in the returned dict are full nested subtrees of the config diff, so dict_search_recursive correctly finds 'geoip' wherever it appears in the change set. 2. GeoIP block executed unconditionally, breaking the boot sequence geoip_sets() always returns {'name': [], 'ipv6_name': []}. A non-empty dict is truthy in Python regardless of whether its values are empty lists, so the guards \"if geoip_sets:\" and \"if 'name' in geoip_sets:\" were always True. On boot, when policy_route.py is invoked as a dependent of firewall.py (triggered by group_resync), it entered the GeoIP block even with no policy route GeoIP rules configured. Because /run/nftables-geoip.conf did not yet exist, geoip_refresh() returned False and geoip_update(policy=policy) was called with an empty policy. This created /run/nftables-geoip.conf containing only empty table stubs. When firewall.py subsequently called geoip_refresh(), the file existed and nft loaded it successfully — so the geoip_update(firewall) call was never reached and the firewall GeoIP sets stayed empty for the entire uptime of the router. Fix: check the actual list contents instead of the container dict: if geoip_sets['name'] or geoip_sets['ipv6_name']. 3. geoip_update() clobbered the other caller's sets geoip_update() renders /run/nftables-geoip.conf from both firewall_sets and policy_sets in a single pass. When called with only one argument (as firewall.py and policy_route.py each do), the other argument defaulted to None and that half of the file was rendered empty, erasing whatever the other script had written. The geoip-update helper used by \"update geoip\" and the weekly cron was unaffected because it always passes both arguments, which masked this bug in normal manual operation. Fix: when either argument is absent, read the missing config from the live Config session before building the set tables, so every invocation writes the complete combined firewall + policy file.
2026-05-18pki: T8877: Add ability to show private key in pem formatIndrajit Raychaudhuri
Add op-mode command having ability to show private key in pem format as part of PKI configuration. This is needed for users who want to render the certificate and its private key.
2026-05-18vyos-netlinkd: T8781: try IPRoute.bind() RTNL subscription first (#5207)Christian Breunig
Not all pyroute2 versions which ship IPRoute() support subscribing to RTNL multicast groups. If subscribing fails, fallback to all messages.
2026-05-16dhcpv6: T8862: Add validation for presence of address or prefix in reservationIndrajit Raychaudhuri
2026-05-16dhcpv6: T8862: Allow multiple addresses and prefixes for reservationsIndrajit Raychaudhuri
Add support for allowing DHCPv6 to assign reservations for multiple addresses and prefixes to a single client simultaneously.
2026-05-15vyos-netlinkd: T8781: use faster commit_in_progress2 with order O(1)Christian Breunig
Move to the re-implementation of the commit in progress check added in commit 002d45b70efd ("vyos.commit: T8781: move from O(n) to O(1) for commit_in_progress() checks").
2026-05-15vyos-netlinkd: T8781: do not call commit_in_progress() for EVERY netlink ↵Christian Breunig
message (#5199) * vyos-netlinkd: T8781: do not call commit_in_progress() for EVERY netlink message Signed-off-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one> * vyos-netlinkd: T8781: restrict netlink subscription to link multicast group Bind IPRoute with RTMGRP_LINK only so route/rule/neighbour/address updates (e.g. full-table BGP) are not delivered to this socket. Add a match wildcard so unexpected message types do not raise MatchError and get logged as generic errors. --------- Signed-off-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one> Co-authored-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one>
2026-05-14Merge pull request #5182 from c-po/systemctl-stop-helperChristian Breunig
T8831: smoketests: irregular PermissionError caused by systemctl stop
2026-05-14T8831: smoketests: irregular PermissionError caused by systemctl stopChristian Breunig
Failures appear during PPPoEIf.remove() -> flush_addrs() -> set_dhcpv6(False), where disable uses self._cmd(f'systemctl stop ...'), which raises on any non-zero exit code of cmd(). PermissionError: [Errno 1] is misleading: cmd() raises OSError(exit_code, feedback); exit code 1 maps to PermissionError in Python 3, so logs point at "permissions" while the real signal is systemctl stop returned 1 (job failure, timeout, restart contention with Restart=always on dhcp6c@.service. Add a small systemd teardown helper stop_systemd_unit() validating the return codes from the "systemctl stop" calls.
2026-05-13T8823: Removed nullchecks because dict_Search return None if value not setJose Phillips
2026-05-13T8823: Used dictionary searchJose Phillips
2026-05-13T8823: validation of GE and LE according FRR instructionsJose Phillips
2026-05-13T8823: validation of GE and LE according FRR instructionsJose Phillips
2026-05-13bgp: T8588: Add match source-peer to policy route-map (#5149)Robin Christ