| Age | Commit message (Collapse) | Author |
|
udev: T9071: fix invalid ATTR key assignment
|
|
Prefent ISO build issue:
Skipping overridden file '/usr/lib/udev/rules.d/40-usb_modeswitch.rules'.
Reading rules file: /etc/udev/rules.d/40-usb_modeswitch.rules
|
|
This fixes a (cosmetic) error which pops up in the logfiles:
40-usb_modeswitch.rules:4 ATTR key takes '==', '!=', or '=' operator, assuming '='.
It was introduced in commit 93406237d ("wwan: T8924: add UDEV configuration for
USB modeswitch")
|
|
vpp: T9018: Auto-enable promiscuous mode for interfaces with VLANs
|
|
vpp: T9062: Enable DHCP/DHCPv6 client detection on VLAN sub-interfaces
|
|
The 'ip4-dhcp-client-detect' and 'ip6-icmp-ra-punt' VPP features were only
ever enabled on the base ethernet interface, so DHCP and DHCPv6 clients
never worked on VLAN sub-interfaces (vif/vif-s) of a VPP-managed interface.
Apply the same feature toggles to each vif/vif-s using its own address
configuration. vif-c is intentionally excluded, as Q-in-Q sub-interfaces
are not currently functional under VPP.
|
|
remote: T8829: fall back to GET when HEAD is not supported
|
|
VPP drops VLAN-tagged frames unless the parent interface has promiscuous
mode enabled, causing VLAN sub-interfaces to lose connectivity.
Automatically enable promiscuous mode on VPP interfaces that have VLAN
sub-interfaces (vif/vif-s) configured.
|
|
T8344: Preserve symlinks when copying config to/from TPM encrypted volume
|
|
T9002: grant CAP_NET_RAW to blackbox-exporter when ICMP modules are configured
|
|
shutil.copytree() defaults to symlinks=False, so it recurses into
symlinked directories and recreates them as real directories instead
of preserving the symlink.
cloud-init creates /opt/vyatta/etc/config/cloud/instance as a symlink
to instances/i-<id>. Enabling/disabling config encryption copied this
tree with copytree() and silently turned that symlink into a real
directory, causing cloud-init to fail on later runs with:
IsADirectoryError: [Errno 21] Is a directory: '.../cloud/instance'
Pass symlinks=True to preserve symlinks during the copy.
|
|
The blackbox-exporter runs as node_exporter user which cannot create
ICMP sockets due to restricted ping_group_range. Add CAP_NET_RAW
capability to the systemd service when ICMP modules are configured.
In non-VRF mode, use systemd AmbientCapabilities/CapabilityBoundingSet.
In VRF mode, replace runuser with setpriv to preserve the capability
across the UID change.
|
|
This change re-implements the intended behaviour from T4180 aswell as from
T4506, it ensures that both the vrf-member interface aswell as the vrf itself
is added as an oifname -> meaning that traffic traversing and originating from
withing VyOS is matches outbound.
Changes done by c-po:
* re-sort dependency list to keep diff low
* vyos.configdict.is_vrf_changed() should return early and not carry
over the to-be return value
* keep common coding style (dict by . separation) in nftables-zone.j2
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
T8963: policy-route: trigger domain resolver for domain groups
|
|
Authentication protocols are implemented as modules in accel-ppp-ng.
The CLI setting configures which modules need to be loaded, for this
change to take effect pppoe server must be restarted.
|
|
https: T9022: serve the full CA certificate chain
|
|
ci: T8490: fix typos in comments, strings, and local identifiers
|
|
utils: T9003: add list-argument variant of cmd() for safer subprocess execution
|
|
Reaches a clean typos baseline for the T8490 ruleset pilot. Categories:
- Comments/docs: recursivly, taret, passsed, characted, arhive, AtrributeError;
"ned" -> "new" (migration comments).
- Messages/strings: writeable -> writable (x5); OCaml log "Commandis" -> "Command is".
- Local variables (all refs in-function): commited, formating, presistent;
inpt_range -> input_range; tz_datas -> tz_data_raw (avoids the tz_data collision).
- Self-contained renames (definition + all references in-file): formated_stats,
_get_formatted_output_conections -> ..._connections, expension_failure ->
expansion_failure (ping + traceroute), snmpd_restart_reqired -> ..._required.
False positives are allowlisted centrally (vyos/.github, separate PR), NOT changed
here: mke2fs, Maya-calendar "Mak", RFC 4122 "IDentifier" (hostapd), and VPP's
"U-Forwrd" bridge-domain column header (op_mode/vpp.py + the VPP smoketest assert
the real upstream `vppctl` output). Verified: typos clean, py_compile of every
edited .py, zero remaining old-identifier references.
🤖 Generated by [robots](https://vyos.io)
|
|
When a certificate is assigned to the HTTPS service, nginx was only
sent the leaf certificate. An intermediate CA was included only when
an operator manually configured "ca-certificate", and even then just
that single CA - the rest of the issuer chain was never followed.
As a result, clients that do not already trust the issuing intermediate
CA (for example Let's Encrypt's newer E- and R-series intermediates)
could not build a path to a trusted root and rejected the connection.
Build the complete chain from the CA certificates present in the PKI
using find_chain(), the same helper already used by HAProxy, OpenConnect,
stunnel and the other PKI consumers. The intermediate chain is now
discovered automatically, so configuring "ca-certificate" is no longer
required; it remains accepted for backwards compatibility.
|
|
bgp: T8865: Reject `vni` sub-block in VRF l2vpn-evpn when `advertise-all-vni` is globally active
|
|
geoip: T8987: Support updates via source-address/vrf
|
|
`advertise-all-vni` is globally active
When `advertise-all-vni` is configured in the global/default BGP instance,
VyOS generated a `vni <id>` sub-block under each VRF BGP `address-family
l2vpn evpn` context. This conflicts with advertise-all-vni: FRR already
owns all kernel VNIs and returns `% Failed to create VNI` when frr-reload.py
attempts to apply the VRF-level vni sub-block. FRR then performs an early
exit from config processing, silently dropping the entire l2vpn evpn
address-family for all subsequent VRF BGP instances.
|
|
T9011: enable proxy_ndp sysctl for static IPv6 neighbor proxy
|
|
bgp: T5526: Fix BGP neighbor validation not raising when interface does not exist
|
|
|
|
T9015: fix thread safety of configtree read/write_cache
|
|
geoip: T5746: Add GeoIP ASN support
|
|
exist
Validation of interface-based BGP neighbors relied on checking physical
interface existence, which silently skipped the check when interface didn't
exist yet, letting invalid config reach FRR. Fix by checking whether the
neighbor is not an IP address instead, and improve the error messages to
show the correct command.
|
|
|
|
|
|
The module previously had no tests. Cover the DB logic (add/remove,
multiple connections per interface, removeAllOtherInterfaces,
setPersistentInterfaces, seed-from-file) and assert each open_* helper
acquires the serialising lock, exercised with vyos.utils.locking.Lock
patched out.
|
|
concurrent rekey
The vti-up-down hook and vpn_ipsec.py modify a flat-file DB
(/tmp/ipsec_vti_interfaces) through three context managers that do an
unlocked read-modify-write. During a coordinated rekey, strongSwan fires
the hook for many VTIs concurrently, so the writers lost-update each
other: an interface whose up-client add is overwritten is left admin-down
while its CHILD_SA stays installed.
Serialise all DB access by reusing vyos.utils.locking.Lock. A new
_vti_updown_db_lock() context manager wraps the three public context
managers, and remove_vti_updown_db() holds the lock across both the DB
processing and the os.unlink() to close the create/delete race.
Make the helpers absence-safe under the lock so callers no longer compose
a separate existence check with a locked operation:
open_vti_updown_db_readonly() yields None when the DB does not exist and
remove_vti_updown_db() is a no-op when it is absent. Drop the
now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and
vpn_ipsec.py and handle the None yield.
|
|
haproxy: T8931: Improve WebSocket support for HAProxy
|
|
vpp: T8913: Skip bond teardown for non-structural config changes
|
|
pseudo-ethernet: T8540: Add anycast-gateway support for EVPN
|
|
qos: T7965: Fix qos fails to reapply on dynamic interfaces after reconnection
|
|
The previous vyos-netlinkd implementation for QoS policy re-apply was very heavy.
It conducted a full CLI validation and re-apply on every interface. Instead we
do not only re-apply the QoS configuration to the interface which has had an
address change detected by vyos-netlinkd.
This can be tested by checking "tc qdisc show" before disconnecting a PPPoE
interface and during/after reconnect. There will be no qdisc until the dynamic
interface has received an IP address - then the qdisc will be re-applied.
|
|
Introduce 'anycast-gateway' leafNode for pseudo-ethernet interfaces.
When set, a local FDB entry is installed on the parent bridge to
prevent the shared anycast MAC from leaking over the VXLAN overlay.
|
|
vpp: T8603: Expand ACL support to logical interfaces
|
|
HttpC.download() always probed remote URLs with HEAD before GET to
discover redirects and Content-Length. Some APIs (e.g. AbuseIPDB)
reject HEAD with 405 Method Not Allowed, causing firewall remote-group
downloads to fail and leave empty cached list files.
Treat HEAD 405/501 as unsupported and proceed with GET using the
original URL. When HEAD does not provide Content-Length, read it from
the GET response headers instead. Validate available storage after
determining file size and before opening the destination file.
Log sanitized download errors in vyos-domain-resolver when a remote-
group list-file fetch fails. Add unit tests with mock servers that
return 405 or 501 on HEAD and 200 on GET.
|
|
Re-apply QoS after dynamic interfaces get addresses after connect/disconnect.
When PPPoE interfaces re-connect we need to re-do QoS settings.
|
|
A list-argument variant of cmd() for safer subprocess execution named cmdl().
Command must be a list of strings; no shell interpolation is performed, which
eliminates a class of command-injection risks present when building commands
with f-strings or other string formatting.
|
|
|
|
dhcp: T8941: Support filter and sorting combination on DHCPv4/v6 server lease entries in op mode
|
|
dhcp-server: T8524: Validate DDNS key-name references defined tsig-key
|
|
password-reset: T8985: Fix unbounded `sed` ranges corrupting other user blocks
|
|
pki: T8994: add graceful error handling in case certbot fails
|
|
If ACME and certbot are used for PKI and e.g. haproxy it can become an issue if
certbot is blocked by the firewall. The renewal service will fail and tear-down
the production service - even if the certificate is yet not expired.
The production service was not restarted. This has been changed as every service
which is stopped prior to the renew is later restarted even upon failure of
renewing said certificate.
|
|
|