summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-11-07T5713: only strip "secret" CLI node and nothing elseChristian Breunig
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had good intention but this will happen: use-secret foo CLI node will become " secret xxxxxx" so the output of strip-private invalidates the configuration. This has been changed to an exact match of "secret" only (cherry picked from commit 863af115df853987dd8ad25ecef3f0ea58485e83)
2023-11-07T5713: Strip string after "secret" in IPSEC configRageLtMan
Make "strip-private" strip the string after "secret" (cherry picked from commit 30eb308149f24b7f15aa3e40ced6918a8a3a04b8)
2023-11-07Merge pull request #2452 from vyos/mergify/bp/sagitta/pr-2451Christian Breunig
T5716: Fix smoketest for accel-ppp limiter tbf (backport #2451)
2023-11-07T5716: Fix smoketest for accel-ppp limiter tbfViacheslav Hletenko
Limiter in the commit cf92295 was changed to `tbf` Fix smoketest (cherry picked from commit d8ffbbe72c791ec5516d029e85619678b2841402)
2023-11-07Merge pull request #2450 from vyos/mergify/bp/sagitta/pr-2440Christian Breunig
T5716: Fix accel-ppp template down-limiter does not rely on fwmark (backport #2440)
2023-11-07Merge pull request #2449 from vyos/mergify/bp/sagitta/pr-2357Christian Breunig
ldpd: T5648: Fix ldpd template errors (backport #2357)
2023-11-07Merge pull request #2448 from vyos/mergify/bp/sagitta/pr-2447Christian Breunig
mdns: T5719: Add op-mode commands to mDNS repeater (backport #2447)
2023-11-07T5716: Fix accel-ppp template down-limiter does not rely on fwmarkViacheslav Hletenko
accel-ppp template shaper `down-limiter` does not rely on `fwmark` Fix it (cherry picked from commit cf9229544a30e5aa47e307c021d4798a0162d291)
2023-11-07ldpd: T5648: Fix ldpd template errorsDevon Mar
Bug introduced in https://github.com/vyos/vyos-1x/commit/8fb6e715d32e7eff77e413d8577059dd55b24c0a (cherry picked from commit df6ced3811ebe6446039277ff3fc301a83776dc1)
2023-11-07mdns: T5719: Add op-mode commands to mDNS repeaterIndrajit Raychaudhuri
The following ones are available now: - restart mdns repeater - show log mdns repeater - monitor log mdns repeater (cherry picked from commit ace8a25552fa7f2b2369a385ed8933feb66f355b)
2023-11-07Merge pull request #2444 from vyos/mergify/bp/sagitta/pr-2416Christian Breunig
T5698 EVPN ESI Multihoming (backport #2416)
2023-11-06Merge pull request #2443 from vyos/mergify/bp/sagitta/pr-2439Christian Breunig
vxlan: T3700: add bridge dependency call when altering member interfaces (backport #2439)
2023-11-06bgp: T5698: add support for EVPN MultihomingChristian Breunig
(cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)
2023-11-06bond: T5698: add support for EVPN MultihomingChristian Breunig
set interfaces bonding bond10 evpn es-df-pref '50' set interfaces bonding bond10 evpn es-id '10' set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab' set interfaces bonding bond10 member interface 'eth3' set interfaces bonding bond10 mode '802.3ad' (cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
2023-11-06vxlan: T3700: add bridge dependency call when altering member interfacesChristian Breunig
Commit 7f6624f5a6f8bd ("vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridges") added support for Single VXLAN Device (SVD) containers supported by the Linux Kernel. When working with bridge VIFs it turned out that when deleting a VIF all the VXLAN tunnel mappings got deleted, too. In order to avoid this, if the bridge has a VXLAN member interface which vlan-to-vni mapping enabled, we add a dependency that we call VXLAN conf-mode script after messing arround with the bridge VIFs and re-create tunnel mappings. (cherry picked from commit fdf7f3a05edbaaf8aeca7e24a9980d5af67dca18)
2023-11-06Merge pull request #2441 from nicolas-fort/T5541-fix-zbf-sagiitaChristian Breunig
T5541: firewall: fix ZBF template and ruleset generation for local-zone rules
2023-11-06T5541: firewall: fix ZBF template and ruleset generation for loca-zone rules.Nicolas Fort
2023-11-03Merge pull request #2429 from vyos/mergify/bp/sagitta/pr-2423Viacheslav Hletenko
T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)
2023-11-03Merge pull request #2432 from nicolas-fort/T5513-fwall-show-sagittaDaniil Baturin
T5513: firewall - op-mode command backport
2023-11-03Merge pull request #2433 from vyos/mergify/bp/sagitta/pr-2431Daniil Baturin
wireguard: T5707: remove previously deconfigured peer (backport #2431)
2023-11-03wireguard: T5707: remove previously deconfigured peerChristian Breunig
Changing the public key of a peer (updating the key material) left the old WireGuard peer in place, as the key removal command used the new key. WireGuard only supports peer removal based on the configured public-key, by deleting the entire interface this is the shortcut instead of parsing out all peers and removing them one by one. Peer reconfiguration will always come with a short downtime while the WireGuard interface is recreated. (cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
2023-11-02T5513: opmode command show firewall - Manual backportNicolas Fort
2023-11-02Merge pull request #2430 from vyos/mergify/bp/sagitta/pr-2427Viacheslav Hletenko
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions (backport #2427)
2023-11-02Merge pull request #2428 from vyos/mergify/bp/sagitta/pr-2425Viacheslav Hletenko
T5700: Fix deprecate telegraf plugin input net (backport #2425)
2023-11-02T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessionsViacheslav Hletenko
Add `max-starting` option: [common] max-starting=N Specifies maximum concurrent session attempts which server may processed set service pppoe-server max-concurrent-sessions '30' Useful to prevent high CPU utilization and compat execution scripts per time. (cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
2023-11-02T4726: Remove accel-ppp RADIUS vendor validatorsViacheslav Hletenko
The vendor name could contain Uppercase or lowercase symbols and not rely on the dictionary name but on dictionary value / # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor VENDOR Cisco 9 Another example VENDOR Alcatel-IPD 6527 This way if we use `vendor=cisco` instead of `vendor=Cisco` it will not work at all Delete vendor validators (cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)
2023-11-02T5700: Fix deprecate telegraf plugin input netViacheslav Hletenko
DeprecationWarning: Value "false" for option "ignore_protocol_stats" of plugin "inputs.net" deprecated since version 1.27.3 and will be removed in 1.36.0: use the 'inputs.nstat' plugin instead (cherry picked from commit 5476daef7f0fc271089189239599fc8077acba00)
2023-11-02Merge pull request #2426 from vyos/mergify/bp/sagitta/pr-2424Christian Breunig
T5705: rsyslog: fix error when level=al (backport #2424)
2023-11-02T5705: rsyslog: fix error when level=all. Replace <all> with wildcard <*>, ↵Nicolas Fort
as it's done with facility. Create basic smoketest for syslog (cherry picked from commit c5ae7c9e2a141d92b8a716b3dbe3e5b41ee4aaba)
2023-11-01Merge pull request #2421 from sever-sever/T5681-sagittaDaniil Baturin
T5681: Firewall,Nat and Nat66: simplified and standarize interface ma…
2023-11-01T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-11-01smoketest: vxlan: T5699: fix "external" CLI optionChristian Breunig
After commit cc7ba8824 ('vxlan: T5699: migrate "external" CLI know to "parameters external"') We also need to adjust the testcase for ARP/ND suppression. (cherry picked from commit cb2f72dbd10a11f99913cc60044460f18381f770)
2023-10-31Merge pull request #2419 from vyos/mergify/bp/sagitta/pr-2413Christian Breunig
vxlan: T5668: add CLI knob to enable ARP/ND suppression (backport #2413)
2023-10-31vxlan: T5668: add CLI knob to enable ARP/ND suppressionChristian Breunig
In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions [1] that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host. In Linux, the above is implemented in the bridge driver using a per-port option called "neigh_suppress" that was added in kernel version 4.15. [1] https://www.rfc-editor.org/rfc/rfc7432#section-10 (cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
2023-10-31Merge pull request #2418 from vyos/mergify/bp/sagitta/pr-2417Christian Breunig
vxlan: T5699: migrate "external" CLI know to "parameters external" (backport #2417)
2023-10-30vxlan: T5699: migrate "external" CLI know to "parameters external"Christian Breunig
As we have a bunch of options under "paramteres" already and "external" is clearly one of them it should be migrated under that node as well. (cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
2023-10-30Merge pull request #2400 from vyos/mergify/bp/sagitta/pr-2355Viacheslav Hletenko
T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
2023-10-29Merge pull request #2412 from JeffWDH/sagittaChristian Breunig
T5661: Add show ssh dynamic-protection and show log ssh dynamic-protection
2023-10-29op-mode: T5661: add "monitor ssh dynamic-protection" command to follow the ↵Christian Breunig
logfile (cherry picked from commit 78e00bf4099bfac2164ef2075acce8169c40c9c3)
2023-10-29op-mode: T5661: remove call to sudo in ssh.py and move it to XML definitionChristian Breunig
Try to have as few calls to sudo in the op-mode scripts as possible. The XML definitions can deal with it. (cherry picked from commit 428dee29d36cc3629990ec41afef887821886834)
2023-10-29op-mode: T5661: use common journalctl syntax for sshguardChristian Breunig
This makes the code more easy to maintain in the future if everyone uses the same structure when calling journalctl. (cherry picked from commit e1b4e972b40941acec76c97e714767214cefe426)
2023-10-28T5661: Add show ssh dynamic-protection and show log ssh dynamic-protectionJeffWDH
2023-10-28Merge pull request #2410 from JeffWDH/sagittaViacheslav Hletenko
T5653: Command to display SSH server fingerprint
2023-10-28T5653: Command to display SSH server fingerprintJeffWDH
2023-10-26Merge pull request #2407 from vyos/mergify/bp/sagitta/pr-2405Viacheslav Hletenko
T5683: Fix reverse-proxy PKI filenames mismatch (backport #2405)
2023-10-25T5683: Fix reverse-proxy PKI filenames mismatchViacheslav Hletenko
The current named for certificates are hardcoded in generated config to: - ca.pem - cert.pem.key - cert.pem It cause a generated config certificates and certificates itself are different (test-cert-1.pem and ca.pem) bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem /run/haproxy/ca.pem It is a bug of initial impelemtation. Fix required correct names from PKI certificates (cherry picked from commit 0431f1b32c1fc90de82adea5a7e63dad1416c340)
2023-10-25Merge pull request #2401 from c-po/sagitta-t3829-t31Daniil Baturin
vrf: netns: T3829: T31: priority needs to be after netns
2023-10-25Merge pull request #2404 from vyos/mergify/bp/sagitta/pr-2323Daniil Baturin
T5497: Add ability to resequence rule numbers for firewall (backport #2323)
2023-10-25T5497: Add ability to resequence rule numbers for firewallJeffWDH
Updated spacing. (cherry picked from commit f39a35338ac967381356f8b9b499ec1d730653fc)
2023-10-25T5497: Add ability to resequence rule numbers for firewallJeffWDH
(cherry picked from commit 5180622cd6c928812a644f427d65acae763c37cc)