Age | Commit message (Collapse) | Author |
|
dynamic-protection
|
|
|
|
op-mode: T5642: 'generate tech-support archive' moved to vyos-1x
|
|
'generate tech-support archive' moved to vyos-1x.
Output of 'show tech-support report' command is added to archive.
The default location of the archive is moved to '/tmp'.
The script is rewritten to Python.
|
|
pmacct: T5232: Fixed pmacct service control via systemctl
|
|
pmacct daemons have one very important specific - they handle control signals in
the same loop as packets. And packets waiting is blocking operation.
Because of this, when systemctl sends SIGTERM to uacctd, this signal has no
effect until uacct receives at least one packet via nflog. In some cases, this
leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks.
As a result, a working folder is not cleaned properly.
This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to
send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd
can detect proper PID, and PIDfile is created by uacctd too late, which leads
to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and
the core process exits with status 1 because it loses connection to plugins too
early. As a result, we have errors in logs, and the systemd service is in a
failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service
stop which unlocks uacctd and allows systemctl to finish its work properly
|
|
|
|
bonding: T5254: Fixed changing ethernet when it is a bond member
|
|
openvpn: T5634: Remove support for insecure DES and Blowfish ciphers
|
|
|
|
T5165: Implement policy local-route source and destination port
|
|
http-api: T2612: correct the response message and add reload for api self-configuration
|
|
|
|
|
|
|
|
|
|
T5530: isis: Adding loop free alternate feature
|
|
pppoe: T5630: allow to specify MRU in addition to already configurable MTU
|
|
Add `policy local-route` source and destination port
set policy local-route rule 23 destination port '222'
set policy local-route rule 23 protocol 'tcp'
set policy local-route rule 23 set table '123'
set policy local-route rule 23 source port '8888'
% ip rule show prio 23
23: from all ipproto tcp sport 8888 dport 222 lookup 123
|
|
|
|
|
|
Calling system-login.py with no mounted VyOS config has the negative effect
that the script will not detect any local useraccounts and thus assumes they
all need to be removed from the password backend.
As soon as the VyOS configuration is mounted and the CLI content is processed,
system-login.py get's invoked and re-creates the before deleted user accounts.
As the account names are sorted in alphabetical order, the name <-> UID mapping
can get mixed up during system reboot.
The intention behind calling system-login.py from vyos-router init was to
reset system services (PAM, NSS) back to sane defaults with the defaults
provided via system-login.py. As PAM is already reset in vyos-router startup
script, /etc/nsswitch.conf was the only candidate left.
This is now accomplished by simply creating a standard NSS configuration file
tailored for local system accounts.
This is the second revision after the first change via commit 64d32329958
("login: T5521: home directory owner changed during reboot") got reverted.
|
|
This reverts commit 64d323299586da646ca847e78255ff2cd8464578.
|
|
|
|
init: T5577: clear mandatory and optional RADIUS/TACACS PAM settings
|
|
login: T5521: home directory owner changed during reboot
|
|
T5436: Add missing preconfig-script
|
|
During system startup the system-login.py script is invoked by vyos-router
systemd service. As there is no complete configuration available at this
point in time - and the sole purpose of this call is to reset/re-render
the system NSS/PAM configs back to default - it accidently also deleted the
local useraccounts.
Once the VyOS configuration got mounted, users got recreated in alphabetical
order and thus UIDs flipped and the /home suddenely belonged to a different
account.
This commit prevents any mangling with the local userdatabase during VyOS
bootup phase.
|
|
This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and
'optional' modes for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added
'mandatory' and 'optional' modes for TACACS+"). As those new services
should also be cleaned during system boot.
|
|
If ethernet interface is a bond memeber:
1. Allow for changing only specific parameters which are specified
in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet
interface which are scpecified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under ethernet interface
but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.
Added migration script. It deletes all denied parameters under
ethernet interface if it is a bond member.
|
|
vyos@vyos:~$ show system login users
Username Type Locked Tty From Last login
---------- ------ -------- ----- ------------- ------------------------
vyos vyos False pts/0 172.16.33.139 Mon Oct 2 20:42:24 2023
|
|
|
|
Add support for per-service cache management for ddclient providers
via `wait-time` and `expiry-time` options. This allows for finer-grained
control over how often a service is updated and how long the hostname
will be cached before being marked expired in ddclient's cache.
More specifically, `wait-time` controls how often ddclient will attempt
to check for a change in the hostname's IP address, and `expiry-time`
controls how often ddclient to a forced update of the hostname's IP
address.
These options intentionally don't have any default values because they
are provider-specific. They get treated similar to the other provider-
specific options in that they are only used if defined.
|
|
T5165: Migrate policy local-route rule x destination to address
|
|
ddclient: T5612: Miscellaneous improvements and fixes for dynamic DNS
|
|
T5497: Add ability to resequence rule numbers for firewall
|
|
T5616: firewall and policy: add option to be able to match firewall marks
|
|
Migrate policy local-route <destination|source> to node address
replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
=> 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
|
|
Updated spacing.
|
|
filter and in policy route.
|
|
Fixes `KeyError: 'conntrack_sync'`
Ignore `ConfigError("ConfigError('Interface eth1 requires an IP address!')")` due to calling conntrack-sync too early
|
|
|
|
T5577: Optimized PAM configs for RADIUS/TACACS+
|
|
|
|
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the
convention used by other config files.
|
|
This commit adds a new configuration option to the mDNS repeater service
to allow controlling which IP version to use for mDNS repeater.
Additionally, publishing AAAA record over IPv4 and A record over IPv6 is
disabled as suggested.
See:
- https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104
- https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
|
|
T5217: Add firewall synproxy
|
|
conntrack: T5376: T5598: Restore kernel conntrack helpers
|
|
ipsec: T5606: Add support for whole CA chains
|
|
Add option `protocol` for policy local-route
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
|