| Age | Commit message (Collapse) | Author |
|
T8454: fix VRF-bind port availability check in service_https
|
|
T8502: Add exclusion mask to config-sync
|
|
|
|
|
|
|
|
|
|
python: T8857: replace bare except clauses with except Exception in config scripts
|
|
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
snmp: T8538: Persist engineBoots counter across reboots
|
|
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.
The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.
Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.
This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
|
|
geoip: T8590: fix initialization failure and set clobbering on boot and commit
|
|
ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers
|
|
openvpn: T6478: Skip restart service when only client config changed
|
|
pki: T8877: Add ability to show private key in pem format
|
|
Policy: T8823: validation of GE and LE according FRR instructions
|
|
wan: T8480: add suppress_prefixlength ip rules for internal routing
|
|
wwan: T8924: add UDEV configuration for USB modeswitch
|
|
conntrack: T8909: Remove connection id column from output table
|
|
wwan: T8412: Fix commit failure when modem is absent or not connected
|
|
This cleanup enhances readability and aligns the output
with the actual data being displayed.
|
|
OpenVPN server reads per-client files from `--client-config-dir` at connect
time. When only `interfaces openvpn vtunN server client <client>`
entries are modified there is no need to send SIGHUP or restart
the service - the new CCD files written by `generate()` will
be picked up automatically on the next client connection.
|
|
When using WWAN interfaces, the Linux kernel selects configuration 2 by
default, but that does not work with ModemManager - configuration 3 (MBIM mode)
is a better choice.
Add UDEV rules for Huawei ME906s-158 and HP LT4132 which is a re-brand of
Huawei ME906s-158 to properly set MBIM mode on system startup.
|
|
T8883: Fix restart PPPoE-server service when RADIUS settings change
|
|
Per RFC 3414 section 2.2 (Replay Protection), the `snmpEngineBoots`
counter must be stored in non-volatile storage and incremented on
every snmpd restart. VyOS was not persisting this value, causing
it to reset to 1 after every reboot.
SNMP managers cache the engineBoots value from previous sessions.
When VyOS resets the counter to 1 after reboot, managers reject
incoming SNMPv3 trap packets as "too old", producing errors such as:
```
usm: Message too old.
reboot count invalid
```
This change introduces `/config/snmp/engineboots.count` as a disk-backed
persist file and it uses to sync the counter into snmpd's conf
before the daemon starts.
|
|
`mmcli --simple-disconnect` can be called when the modem bearer is not active.
This causes cmd() to raise a `PermissionError` and abort the commit.
Handle the case gracefully so the configuration can be committed before the modem
is physically present or fully connected.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
|
|
wireguard: T8509: Add fwmark ip rules for VRF-bound interfaces
|
|
Restart the PPPoE server when RADIUS configuration is modified.
Previously, changes to settings such as `priority` and `backup`
were not applied until the service was restarted manually.
|
|
Generation of the firmware configuration file can be made contitional only if
the card is present/driver is loaded. The firmware configuration file itself
must not be explicitly set to be owned as root as the default is user root and
group vyattacfg.
|
|
|
|
(#5186)
The port availability check in `verify()` was using `front_config.get('address')`
which always resolved to `None`, causing the validator to treat any process
holding a given port number as a conflict regardless of which IP it was
bound to.
|
|
Add a check to determine whether the NIC supports hardware
timestamp receive filters required for NTP timestamping.
Implement the query in a new python/vyos/netlink/timestamp.py module
using pyroute2 generic netlink ETHTOOL_MSG_TSINFO_GET,
avoiding ethtool output parsing.
|
|
firewall (#5206)
sysctl values written by firewall global-options are overwritten when using
"system option performance" configuration on VyOS CLI. This is caused by a
missing dependency fall from system_option.py to the firewall CLI helper script.
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
Three related bugs prevented GeoIP nftables sets from being populated
correctly at boot and when incrementally modifying firewall or policy
route rules.
1. geoip_updated() always returned False
The previous implementation called node_changed() and then searched
the result with dict_search_recursive(changes, 'geoip'). This could
never match: node_changed() is annotated `-> list` and returns a flat
list of the immediate top-level child names whose subtree changed
(e.g. ['ipv4'] for the firewall path, or route names for policy
route). The 'geoip' key sits several levels deeper than those names,
so dict_search_recursive — which only walks dicts and lists for a
matching dict key — never yielded a hit, and geoip_updated() always
returned False. As a consequence, geoip_update() was never triggered
by an incremental add or change of a GeoIP rule; the only path that
ever populated /run/nftables-geoip.conf was the explicit \"update
geoip\" command or the fallback when geoip_refresh() failed.
Fix: bypass node_changed() and call get_config_diff() /
get_child_nodes_diff() directly with expand_nodes=Diff.ADD|Diff.DELETE
and recursive=True. In that mode, the 'add' and 'delete' values in
the returned dict are full nested subtrees of the config diff, so
dict_search_recursive correctly finds 'geoip' wherever it appears in
the change set.
2. GeoIP block executed unconditionally, breaking the boot sequence
geoip_sets() always returns {'name': [], 'ipv6_name': []}. A
non-empty dict is truthy in Python regardless of whether its values
are empty lists, so the guards \"if geoip_sets:\" and
\"if 'name' in geoip_sets:\" were always True.
On boot, when policy_route.py is invoked as a dependent of
firewall.py (triggered by group_resync), it entered the GeoIP block
even with no policy route GeoIP rules configured. Because
/run/nftables-geoip.conf did not yet exist, geoip_refresh() returned
False and geoip_update(policy=policy) was called with an empty
policy. This created /run/nftables-geoip.conf containing only empty
table stubs. When firewall.py subsequently called geoip_refresh(),
the file existed and nft loaded it successfully — so the
geoip_update(firewall) call was never reached and the firewall GeoIP
sets stayed empty for the entire uptime of the router.
Fix: check the actual list contents instead of the container dict:
if geoip_sets['name'] or geoip_sets['ipv6_name'].
3. geoip_update() clobbered the other caller's sets
geoip_update() renders /run/nftables-geoip.conf from both
firewall_sets and policy_sets in a single pass. When called with
only one argument (as firewall.py and policy_route.py each do), the
other argument defaulted to None and that half of the file was
rendered empty, erasing whatever the other script had written. The
geoip-update helper used by \"update geoip\" and the weekly cron was
unaffected because it always passes both arguments, which masked
this bug in normal manual operation.
Fix: when either argument is absent, read the missing config from
the live Config session before building the set tables, so every
invocation writes the complete combined firewall + policy file.
|
|
Add op-mode command having ability to show private
key in pem format as part of PKI configuration.
This is needed for users who want to render the
certificate and its private key.
|
|
Not all pyroute2 versions which ship IPRoute() support subscribing to RTNL
multicast groups. If subscribing fails, fallback to all messages.
|
|
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
Move to the re-implementation of the commit in progress check added in
commit 002d45b70efd ("vyos.commit: T8781: move from O(n) to O(1) for
commit_in_progress() checks").
|
|
message (#5199)
* vyos-netlinkd: T8781: do not call commit_in_progress() for EVERY netlink message
Signed-off-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one>
* vyos-netlinkd: T8781: restrict netlink subscription to link multicast group
Bind IPRoute with RTMGRP_LINK only so route/rule/neighbour/address updates
(e.g. full-table BGP) are not delivered to this socket.
Add a match wildcard so unexpected message types do not raise MatchError and
get logged as generic errors.
---------
Signed-off-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one>
Co-authored-by: Fabrizzio Petrucci <fabrizziopm@compumundohipermegared.one>
|
|
T8831: smoketests: irregular PermissionError caused by systemctl stop
|
|
Failures appear during PPPoEIf.remove() -> flush_addrs() -> set_dhcpv6(False),
where disable uses self._cmd(f'systemctl stop ...'), which raises on any
non-zero exit code of cmd().
PermissionError: [Errno 1] is misleading: cmd() raises OSError(exit_code,
feedback); exit code 1 maps to PermissionError in Python 3, so logs point at
"permissions" while the real signal is systemctl stop returned 1 (job failure,
timeout, restart contention with Restart=always on dhcp6c@.service.
Add a small systemd teardown helper stop_systemd_unit() validating the return
codes from the "systemctl stop" calls.
|
|
|
|
|
|
|
|
|
|
|
|
scripts
Bare except: catches everything derived from BaseException, including
SystemExit and KeyboardInterrupt. Config scripts must not silently
continue past sys.exit(), so replace bare except: with except Exception:
in the three config-mode scripts that contained one.
Library code (python/vyos/configverify.py, python/vyos/config.py) and
op-mode scripts are intentionally out of scope: those cases require
case-by-case design review (e.g. MTU lookups should accept defaults as
arguments rather than rely on exception handling; reset-style op-mode
scripts may legitimately want to ignore KeyboardInterrupt).
Sites changed:
- src/conf_mode/interfaces_ethernet.py (MTU adapter lookup)
- src/conf_mode/vpp_interfaces_bonding.py (MAC validation)
- src/conf_mode/container.py x2 (IPv4 / IPv6 prefix lookup)
|