Age | Commit message (Collapse) | Author |
|
Changing the public key of a peer (updating the key material) left the old
WireGuard peer in place, as the key removal command used the new key.
WireGuard only supports peer removal based on the configured public-key, by
deleting the entire interface this is the shortcut instead of parsing out all
peers and removing them one by one.
Peer reconfiguration will always come with a short downtime while the WireGuard
interface is recreated.
(cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
|
|
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions (backport #2427)
|
|
T5700: Fix deprecate telegraf plugin input net (backport #2425)
|
|
Add `max-starting` option:
[common]
max-starting=N
Specifies maximum concurrent session attempts which server may processed
set service pppoe-server max-concurrent-sessions '30'
Useful to prevent high CPU utilization and compat execution
scripts per time.
(cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
|
|
DeprecationWarning: Value "false" for option "ignore_protocol_stats"
of plugin "inputs.net" deprecated since version 1.27.3 and will be
removed in 1.36.0: use the 'inputs.nstat' plugin instead
(cherry picked from commit 5476daef7f0fc271089189239599fc8077acba00)
|
|
T5705: rsyslog: fix error when level=al (backport #2424)
|
|
as it's done with facility. Create basic smoketest for syslog
(cherry picked from commit c5ae7c9e2a141d92b8a716b3dbe3e5b41ee4aaba)
|
|
T5681: Firewall,Nat and Nat66: simplified and standarize interface ma…
|
|
firewal, nat and nat66.
(cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
|
|
After commit cc7ba8824 ('vxlan: T5699: migrate "external" CLI know to
"parameters external"') We also need to adjust the testcase for ARP/ND
suppression.
(cherry picked from commit cb2f72dbd10a11f99913cc60044460f18381f770)
|
|
vxlan: T5668: add CLI knob to enable ARP/ND suppression (backport #2413)
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
(cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
|
|
vxlan: T5699: migrate "external" CLI know to "parameters external" (backport #2417)
|
|
As we have a bunch of options under "paramteres" already and "external" is
clearly one of them it should be migrated under that node as well.
(cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
|
|
T5661: Add show ssh dynamic-protection and show log ssh dynamic-protection
|
|
logfile
(cherry picked from commit 78e00bf4099bfac2164ef2075acce8169c40c9c3)
|
|
Try to have as few calls to sudo in the op-mode scripts as possible. The XML
definitions can deal with it.
(cherry picked from commit 428dee29d36cc3629990ec41afef887821886834)
|
|
This makes the code more easy to maintain in the future if everyone uses the
same structure when calling journalctl.
(cherry picked from commit e1b4e972b40941acec76c97e714767214cefe426)
|
|
|
|
T5653: Command to display SSH server fingerprint
|
|
|
|
T5683: Fix reverse-proxy PKI filenames mismatch (backport #2405)
|
|
The current named for certificates are hardcoded in generated config to:
- ca.pem
- cert.pem.key
- cert.pem
It cause a generated config certificates and certificates itself
are different (test-cert-1.pem and ca.pem)
bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem
/run/haproxy/ca.pem
It is a bug of initial impelemtation. Fix required correct names
from PKI certificates
(cherry picked from commit 0431f1b32c1fc90de82adea5a7e63dad1416c340)
|
|
vrf: netns: T3829: T31: priority needs to be after netns
|
|
T5497: Add ability to resequence rule numbers for firewall (backport #2323)
|
|
Updated spacing.
(cherry picked from commit f39a35338ac967381356f8b9b499ec1d730653fc)
|
|
(cherry picked from commit 5180622cd6c928812a644f427d65acae763c37cc)
|
|
|
|
A network namespace can have VRFs assigned, thus we need to get the priorities
right. This lowers both priorities in general as a VRF or NETNS needs to be
available very early as services can run on top of them.
(cherry picked from commit 9dd5ff064a37b4e884f7bd9fb7630bf7829fa1ad)
|
|
T5637: Firewall: add new rule at the end of base chains for default-a…
|
|
interface-name|interface-group as in firewall.
(cherry picked from commit 2f2c3fa22478c7ba2e116486d655e07df878cdf4)
|
|
This enables logs capabilities for default-action in base chains.
|
|
T5675: Use addr_prefix instead of addr in NAT66 source rule prefix parsing (backport #2395)
|
|
T5677: show lldp neighbors shows empty platform if descr not in lldpctl output (backport #2396)
|
|
(cherry picked from commit 0c046a1f5a020af30c9522011aa5c86524874a47)
|
|
(cherry picked from commit fca8cce1c114f28cf2db8a0fe2ed7f8b37ea010c)
|
|
T5299: Add missed option ceiling for QoS shaper (backport #2391)
|
|
vxlan: T5671: change port to IANA assigned default port (backport #2386)
|
|
|
|
bonding: T5254: Fixed changing ethernet when it is a bond member (backport #2277)
|
|
Add missed option `ceil` for QoS class 'trafficshaper'
(cherry picked from commit 5218241e6293317f8837b3f7c3893d653d960993)
|
|
If ethernet interface is a bond memeber:
1. Allow for changing only specific parameters which are specified
in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet
interface which are scpecified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under ethernet interface
but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.
Added migration script. It deletes all denied parameters under
ethernet interface if it is a bond member.
(cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)
|
|
(cherry picked from commit 719a3622f35a0596ffd8a0bd28c071fdaf930153)
|
|
Currently VyOS VXLAN implementation uses the Linux assigned port 8472 that
predates the IANA assignment. As Most other vendors use the IANA assigned port,
follow this guideline and use the new default port 4789.
Existing configuration not defining an explicit port number will be migrated
to the old default port number of 8472, keeping existing configurations work!
(cherry picked from commit 6db8d3ded19f652b99231be0d705d76b598ac72a)
# Conflicts:
# interface-definitions/include/version/interfaces-version.xml.i
|
|
T5667: BGP label-unicast enable ecmp (backport #2385)
|
|
T5541: firewall: re-add zone-based firewall.
|
|
T5642: op-cmd: correction of generated file name (backport #2384)
|
|
(cherry picked from commit e7cdf855ddce7dfe45af8b4b75eeee9de09f2451)
|
|
|