summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
4 daysMerge pull request #5322 from c-po/udev-rules-fixrollingChristian Breunig
udev: T9071: fix invalid ATTR key assignment
4 daysT9071: rename 40-usb_modeswitch.rules to 41-usb_modeswitch_wwan.rulesChristian Breunig
Prefent ISO build issue: Skipping overridden file '/usr/lib/udev/rules.d/40-usb_modeswitch.rules'. Reading rules file: /etc/udev/rules.d/40-usb_modeswitch.rules
5 daysudev: T9071: fix invalid ATTR key assignmentChristian Breunig
This fixes a (cosmetic) error which pops up in the logfiles: 40-usb_modeswitch.rules:4 ATTR key takes '==', '!=', or '=' operator, assuming '='. It was introduced in commit 93406237d ("wwan: T8924: add UDEV configuration for USB modeswitch")
5 daysMerge pull request #5314 from natali-rs1985/T9018Viacheslav Hletenko
vpp: T9018: Auto-enable promiscuous mode for interfaces with VLANs
5 daysMerge pull request #5317 from natali-rs1985/T9062Daniil Baturin
vpp: T9062: Enable DHCP/DHCPv6 client detection on VLAN sub-interfaces
5 daysvpp: T9062: Enable DHCP/DHCPv6 client detection on VLAN sub-interfacesNataliia Solomko
The 'ip4-dhcp-client-detect' and 'ip6-icmp-ra-punt' VPP features were only ever enabled on the base ethernet interface, so DHCP and DHCPv6 clients never worked on VLAN sub-interfaces (vif/vif-s) of a VPP-managed interface. Apply the same feature toggles to each vif/vif-s using its own address configuration. vif-c is intentionally excluded, as Q-in-Q sub-interfaces are not currently functional under VPP.
7 daysMerge pull request #5275 from BradKollmyer/remote-T8829-head-fallbackJohn Estabrook
remote: T8829: fall back to GET when HEAD is not supported
7 daysvpp: T9018: Auto-enable promiscuous mode for interfaces with VLANsNataliia Solomko
VPP drops VLAN-tagged frames unless the parent interface has promiscuous mode enabled, causing VLAN sub-interfaces to lose connectivity. Automatically enable promiscuous mode on VPP interfaces that have VLAN sub-interfaces (vif/vif-s) configured.
8 daysMerge pull request #5308 from natali-rs1985/T8344Viacheslav Hletenko
T8344: Preserve symlinks when copying config to/from TPM encrypted volume
11 daysMerge pull request #5307 from natali-rs1985/T9002Daniil Baturin
T9002: grant CAP_NET_RAW to blackbox-exporter when ICMP modules are configured
11 daysT8344: Preserve symlinks when copying config to/from TPM encrypted volumeNataliia Solomko
shutil.copytree() defaults to symlinks=False, so it recurses into symlinked directories and recreates them as real directories instead of preserving the symlink. cloud-init creates /opt/vyatta/etc/config/cloud/instance as a symlink to instances/i-<id>. Enabling/disabling config encryption copied this tree with copytree() and silently turned that symlink into a real directory, causing cloud-init to fail on later runs with: IsADirectoryError: [Errno 21] Is a directory: '.../cloud/instance' Pass symlinks=True to preserve symlinks during the copy.
12 daysT9002: grant CAP_NET_RAW to blackbox-exporter when ICMP modules are configuredNataliia Solomko
The blackbox-exporter runs as node_exporter user which cannot create ICMP sockets due to restricted ping_group_range. Add CAP_NET_RAW capability to the systemd service when ICMP modules are configured. In non-VRF mode, use systemd AmbientCapabilities/CapabilityBoundingSet. In VRF mode, replace runuser with setpriv to preserve the capability across the UID change.
13 daysfirewall: T8761: re-introduce VRF interface names in generated firewall configDavid Vølker
This change re-implements the intended behaviour from T4180 aswell as from T4506, it ensures that both the vrf-member interface aswell as the vrf itself is added as an oifname -> meaning that traffic traversing and originating from withing VyOS is matches outbound. Changes done by c-po: * re-sort dependency list to keep diff low * vyos.configdict.is_vrf_changed() should return early and not carry over the to-be return value * keep common coding style (dict by . separation) in nftables-zone.j2 Co-authored-by: Christian Breunig <christian@breunig.cc>
14 daysMerge pull request #5254 from jd82k/domain-groupChristian Breunig
T8963: policy-route: trigger domain resolver for domain groups
2026-06-30T9031: Fix updating pppoe server protocolsKyrylo Yatsenko
Authentication protocols are implemented as modules in accel-ppp-ng. The CLI setting configures which modules need to be loaded, for this change to take effect pppoe server must be restarted.
2026-06-29Merge pull request #5296 from statio/https-full-ca-chainChristian Breunig
https: T9022: serve the full CA certificate chain
2026-06-29Merge pull request #5298 from vyos/ci/T8490-typos-vyos-1xDaniil Baturin
ci: T8490: fix typos in comments, strings, and local identifiers
2026-06-29Merge pull request #5285 from c-po/cmdlDaniil Baturin
utils: T9003: add list-argument variant of cmd() for safer subprocess execution
2026-06-29ci: T8490: fix typos in comments, strings, and local identifiersYuriy Andamasov
Reaches a clean typos baseline for the T8490 ruleset pilot. Categories: - Comments/docs: recursivly, taret, passsed, characted, arhive, AtrributeError; "ned" -> "new" (migration comments). - Messages/strings: writeable -> writable (x5); OCaml log "Commandis" -> "Command is". - Local variables (all refs in-function): commited, formating, presistent; inpt_range -> input_range; tz_datas -> tz_data_raw (avoids the tz_data collision). - Self-contained renames (definition + all references in-file): formated_stats, _get_formatted_output_conections -> ..._connections, expension_failure -> expansion_failure (ping + traceroute), snmpd_restart_reqired -> ..._required. False positives are allowlisted centrally (vyos/.github, separate PR), NOT changed here: mke2fs, Maya-calendar "Mak", RFC 4122 "IDentifier" (hostapd), and VPP's "U-Forwrd" bridge-domain column header (op_mode/vpp.py + the VPP smoketest assert the real upstream `vppctl` output). Verified: typos clean, py_compile of every edited .py, zero remaining old-identifier references. 🤖 Generated by [robots](https://vyos.io)
2026-06-27https: T9022: serve the full CA certificate chainLee Clements
When a certificate is assigned to the HTTPS service, nginx was only sent the leaf certificate. An intermediate CA was included only when an operator manually configured "ca-certificate", and even then just that single CA - the rest of the issuer chain was never followed. As a result, clients that do not already trust the issuing intermediate CA (for example Let's Encrypt's newer E- and R-series intermediates) could not build a path to a trusted root and rejected the connection. Build the complete chain from the CA certificates present in the PKI using find_chain(), the same helper already used by HAProxy, OpenConnect, stunnel and the other PKI consumers. The intermediate chain is now discovered automatically, so configuring "ca-certificate" is no longer required; it remains accepted for backwards compatibility.
2026-06-26Merge pull request #5297 from alexandr-san4ez/T8865-rollingChristian Breunig
bgp: T8865: Reject `vni` sub-block in VRF l2vpn-evpn when `advertise-all-vni` is globally active
2026-06-26Merge pull request #5282 from sarthurdev/T8987Christian Breunig
geoip: T8987: Support updates via source-address/vrf
2026-06-26bgp: T8865: Reject `vni` sub-block in VRF l2vpn-evpn when ↵Oleksandr Kuchmystyi
`advertise-all-vni` is globally active When `advertise-all-vni` is configured in the global/default BGP instance, VyOS generated a `vni <id>` sub-block under each VRF BGP `address-family l2vpn evpn` context. This conflicts with advertise-all-vni: FRR already owns all kernel VNIs and returns `% Failed to create VNI` when frr-reload.py attempts to apply the VRF-level vni sub-block. FRR then performs an early exit from config processing, silently dropping the entire l2vpn evpn address-family for all subsequent VRF BGP instances.
2026-06-25Merge pull request #5289 from natali-rs1985/T9011Christian Breunig
T9011: enable proxy_ndp sysctl for static IPv6 neighbor proxy
2026-06-25Merge pull request #5272 from natali-rs1985/T5526Christian Breunig
bgp: T5526: Fix BGP neighbor validation not raising when interface does not exist
2026-06-25geoip: T8987: Support updates via source-address/vrfsarthurdev
2026-06-25Merge pull request #5294 from jestabro/configtree-thread-safe-initJohn Estabrook
T9015: fix thread safety of configtree read/write_cache
2026-06-25Merge pull request #5155 from sarthurdev/geoipViacheslav Hletenko
geoip: T5746: Add GeoIP ASN support
2026-06-25bgp: T5526: Fix BGP neighbor validation not raising when interface does not ↵Nataliia Solomko
exist Validation of interface-based BGP neighbors relied on checking physical interface existence, which silently skipped the check when interface didn't exist yet, letting invalid config reach FRR. Fix by checking whether the neighbor is not an IP address instead, and improve the error messages to show the correct command.
2026-06-24T9015: add nosetestJohn Estabrook
2026-06-24T9011: enable proxy_ndp sysctl for static IPv6 neighbor proxyNataliia Solomko
2026-06-23ipsec: T8975: add unit tests for vti_updown_db lock wiringRobert Navarro
The module previously had no tests. Cover the DB logic (add/remove, multiple connections per interface, removeAllOtherInterfaces, setPersistentInterfaces, seed-from-file) and assert each open_* helper acquires the serialising lock, exercised with vyos.utils.locking.Lock patched out.
2026-06-23ipsec: T8975: lock vti-up-down state DB to prevent lost updates under ↵Robert Navarro
concurrent rekey The vti-up-down hook and vpn_ipsec.py modify a flat-file DB (/tmp/ipsec_vti_interfaces) through three context managers that do an unlocked read-modify-write. During a coordinated rekey, strongSwan fires the hook for many VTIs concurrently, so the writers lost-update each other: an interface whose up-client add is overwritten is left admin-down while its CHILD_SA stays installed. Serialise all DB access by reusing vyos.utils.locking.Lock. A new _vti_updown_db_lock() context manager wraps the three public context managers, and remove_vti_updown_db() holds the lock across both the DB processing and the os.unlink() to close the create/delete race. Make the helpers absence-safe under the lock so callers no longer compose a separate existence check with a locked operation: open_vti_updown_db_readonly() yields None when the DB does not exist and remove_vti_updown_db() is a no-op when it is absent. Drop the now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and vpn_ipsec.py and handle the None yield.
2026-06-23Merge pull request #5226 from indrajitr/haproxy-websocketViacheslav Hletenko
haproxy: T8931: Improve WebSocket support for HAProxy
2026-06-23Merge pull request #5252 from natali-rs1985/T8913Daniil Baturin
vpp: T8913: Skip bond teardown for non-structural config changes
2026-06-23Merge pull request #5156 from alexandr-san4ez/T8540-currentViacheslav Hletenko
pseudo-ethernet: T8540: Add anycast-gateway support for EVPN
2026-06-23Merge pull request #5220 from opswill/currentViacheslav Hletenko
qos: T7965: Fix qos fails to reapply on dynamic interfaces after reconnection
2026-06-22vyos-netlink: T7965: only re-apply QoS configuration to individual interfaceChristian Breunig
The previous vyos-netlinkd implementation for QoS policy re-apply was very heavy. It conducted a full CLI validation and re-apply on every interface. Instead we do not only re-apply the QoS configuration to the interface which has had an address change detected by vyos-netlinkd. This can be tested by checking "tc qdisc show" before disconnecting a PPPoE interface and during/after reconnect. There will be no qdisc until the dynamic interface has received an IP address - then the qdisc will be re-applied.
2026-06-22pseudo-ethernet: T8540: Add anycast-gateway support for EVPNOleksandr Kuchmystyi
Introduce 'anycast-gateway' leafNode for pseudo-ethernet interfaces. When set, a local FDB entry is installed on the parent bridge to prevent the shared anycast MAC from leaking over the VXLAN overlay.
2026-06-22Merge pull request #5280 from natali-rs1985/T8603Viacheslav Hletenko
vpp: T8603: Expand ACL support to logical interfaces
2026-06-21remote: T8829: fall back to GET when HEAD is not supportedBrad Kollmyer
HttpC.download() always probed remote URLs with HEAD before GET to discover redirects and Content-Length. Some APIs (e.g. AbuseIPDB) reject HEAD with 405 Method Not Allowed, causing firewall remote-group downloads to fail and leave empty cached list files. Treat HEAD 405/501 as unsupported and proceed with GET using the original URL. When HEAD does not provide Content-Length, read it from the GET response headers instead. Validate available storage after determining file size and before opening the destination file. Log sanitized download errors in vyos-domain-resolver when a remote- group list-file fetch fails. Add unit tests with mock servers that return 405 or 501 on HEAD and 200 on GET.
2026-06-20vyos-netlink: T7965: re-apply QoS configuration on dynamic interfacesopswill
Re-apply QoS after dynamic interfaces get addresses after connect/disconnect. When PPPoE interfaces re-connect we need to re-do QoS settings.
2026-06-20utils: T9003: add list-argument variant of cmd() for safer subprocess executionChristian Breunig
A list-argument variant of cmd() for safer subprocess execution named cmdl(). Command must be a list of strings; no shell interpolation is performed, which eliminates a class of command-injection risks present when building commands with f-strings or other string formatting.
2026-06-19haproxy: T8931: Add option http-server-close in backend sectionsIndrajit Raychaudhuri
2026-06-18Merge pull request #5237 from indrajitr/dhcp-leases-extended-optionsChristian Breunig
dhcp: T8941: Support filter and sorting combination on DHCPv4/v6 server lease entries in op mode
2026-06-18Merge pull request #5256 from natali-rs1985/T8524Daniil Baturin
dhcp-server: T8524: Validate DDNS key-name references defined tsig-key
2026-06-18Merge pull request #5273 from alexandr-san4ez/T8985-rollingChristian Breunig
password-reset: T8985: Fix unbounded `sed` ranges corrupting other user blocks
2026-06-18Merge pull request #5276 from c-po/certbot-exception-handlingChristian Breunig
pki: T8994: add graceful error handling in case certbot fails
2026-06-18pki: T8994: add graceful error handling in case certbot failsChristian Breunig
If ACME and certbot are used for PKI and e.g. haproxy it can become an issue if certbot is blocked by the firewall. The renewal service will fail and tear-down the production service - even if the certificate is yet not expired. The production service was not restarted. This has been changed as every service which is stopped prior to the renew is later restarted even upon failure of renewing said certificate.
2026-06-17vpp: T8603: Expand ACL support to logical interfacesNataliia Solomko