Age | Commit message (Collapse) | Author |
|
Add accounting-interim-interval option for PPPoE-server
set service pppoe-server authentication radius accounting-interim-interval '60'
|
|
T5594: vrrp: extend function is_ipv6_tentative
|
|
|
|
system: T5555: Fix time-zone migrator changing valid time-zones to UTC
|
|
|
|
T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state
|
|
T5545: fix sflow configuration
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it.
|
|
|
|
T5428: fix DHCP client running in VRF context
|
|
(cherry picked from commit 8daf7f95d832550cc31ab22a65aabe969ecae813)
|
|
|
|
T738: add CLI option for PowerDNS local-port
|
|
T3546: PPPoE-server add extended scripts for RADIUS attributes
|
|
T5506: Add link-local IPv6 address for container interfaces
|
|
vyos.util: T4933: informative error for bad colon-separated lines
|
|
in vyos.util.colon_separated_to_dict
(cherry picked from commit fb7f162f61522127ca72adffd6802797b136a99a)
|
|
set service dns forwarding allow-from '192.0.2.0/24'
set service dns forwarding listen-address '192.0.2.11'
set service dns forwarding port '5353'
|
|
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
(cherry picked from commit 005151f77be5cf999689cfd03620bbc39df59018)
|
|
T4825: Add interface type veth
|
|
Add interface type veth (Virtual ethernet)
One of the usecases it's interconnect different vrf's and
default vrf via bridge
set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0
vyos@r1:~$ ping 10.0.0.10 count 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
|
|
Ability to get and parse RADIUS attributes via a shell script and
then execute commands
Ane of the usecases is to create a custom shaper with some smart
Extended scripts receive from PPPoE daemon the following variables:
$1 - Interface name
$4 - Tunnel GW IP address
$5 - Delegated IP address to the client
$6 - Calling Station ID (MAC)
if [ -f /run/accel-pppd/radattr.$1 ]; then
true
fi
|
|
http-api: T5006: add explicit async to retrieve operation
|
|
|
|
Fix for adding IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
wifi: T5470: improve error message
|
|
(cherry picked from commit ffb798b4678f3b1bd0a40cc42b1f0477470346dc)
|
|
T5486: smoketest: adjust to new process_named_running() implementation
|
|
T5223: Fix removing key id for GRE tunnel
|
|
After commit 9c677c8 ("vyos.util: extend process_named_running() signature
with cmdline") we need an exact match for the process name. In the past
we used a in b and now we test for a == b.
Process name doesn't march 'ddclient'
psutil.Process(pid=10987, name='ddclient - sleeping for 20 seconds', started='13:12:47'
It cause smoketest fail
|
|
Fix for removing key id from GRE tunnel
Before fix:
del interfaces tunnel tun10 parameters ip key
commit
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit key 1234
After the fix:
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit
|
|
T2298: vyos.util: extend process_named_running() signature with cmdline
|
|
T5329 : priority: tunnel config is committed before wireguard
|
|
process_named_running() was introduced in commit 16b2fc8fc4ca ("dns-forwarding:
T2298: fix path to control file") and thus remained more or less unchanged.
Smoketests use process_named_running() heavily and might spawn multiple
processes with the same name but ifferent options (e.g. dhcp6c or dhclient) and
it was yet not possible to properly filter on the "real-deal" like the process
bound to a given interface.
One can now optionally specify a string that is searched inside the command
line argument list of the process.
Example:
>>> process_named_running('dhcp6c', 'veth0')
['/usr/sbin/dhcp6c', '-D', '-k', '/run/dhcp6c/dhcp6c.veth0.sock', '-c',
'/run/dhcp6c/dhcp6c.veth0.conf', '-p', '/run/dhcp6c/dhcp6c.veth0.pid', 'veth0']
4215
>>> process_named_running('dhcp6c', 'veth1')
['/usr/sbin/dhcp6c', '-D', '-k', '/run/dhcp6c/dhcp6c.veth1.sock', '-c',
'/run/dhcp6c/dhcp6c.veth1.conf', '-p', '/run/dhcp6c/dhcp6c.veth1.pid', 'veth1']
4253
Where the debug list returned is the commandline searched.
(cherry picked from commit 9c677c81be6a6e62958c73b038c2a36f1f629108)
|
|
(cherry picked from commit 3d5aba0775ff0d858d6c75d6aa37183be73c15aa)
|
|
login: T4790: Added check of the sum of radius timeouts
|
|
T5258: git Actions use ubuntu-22.04 for PR conflicts checker
|
|
git Actions use ubuntu-22.04 instead of deprecated ubuntu-18.04
for PR conflicts checker
https://github.com/actions/runner-images/issues/6002
|
|
Added check of the sum of login radius timeouts.
It has to be less or eq 50 sec.
Added check of a number of login radius servers.
It has to be less or eq 8
Otherwise, log in to the device can be discarded.
Backported from 1.4
|
|
sshguard: T5354: Add service ssh dynamic-protection
|
|
remote: T4412: fixed upload via SSH
|
|
- added timeout to socket creating
- added skipping SSH fingerprint check with a negative result if a
console is not interactive
- replaced tracebacks with human-readable error messages
- suppressed warnings from `cryptography` used by `paramiko`
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
bcast-relay: T5313: verify() relay interfaces have IPv4 address configured
|
|
(cherry picked from commit a409b255acc3dc0a67058593e31b3614e20714f0)
|
|
vrrp: T5315: add support to explicitly specify version (backport)
|
|
(cherry picked from commit 90c0c2c4c81cdbf2ec3f928499f3e1719bfd6f9a)
|
|
set high-availability vrrp group <name> version 2|3
(cherry picked from commit 6ca308182a7891e600a2e8749f7b12b566005576)
|
|
(cherry picked from commit ca7c063666c038d104082542f04ead6062e79246)
|