Age | Commit message (Collapse) | Author |
|
T5559: Add static neighbor-proxy feature (backport #2240)
|
|
T5702: SNMP add interface-mib max-interfaces-number and prefix (backport #2434)
|
|
Ability to set ip neigbhor proxy
set protocols static neighbor-proxy arp 192.0.2.1 interface 'eth0'
set protocols static neighbor-proxy arp 192.0.2.2 interface 'eth0'
set protocols static neighbor-proxy nd 2001:db8::1 interface 'eth1'
(cherry picked from commit c56af995b6e3d867c2a67deeb4be79e498f0a7cf)
|
|
- Allow to configure only required interface prefixes
set service snmp mib interface 'eth'
set service snmp mib interface 'bond'
include_ifmib_iface_prefix eth bond
Sets the interface name prefixes to include in the IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls.
A set of space separated interface name prefixes will reduce the CPU
load for IF-MIB processing. For example, configuring
"include_ifmib_iface_prefix eth dummy lo" will include only interfaces
with these prefixes and ignore all others for IF-MIB processing.
- Allow to configure maximum interface number
set service snmp mib interface-max '100'
ifmib_max_num_ifaces NUM
Sets the maximum number of interfaces included in IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls
(on Linux). Setting a reasonable maximum for the CPU used will
reduce the CPU load for IF-MIB processing. For example, configuring
"ifmib_max_num_ifaces 500" will include only the first 500 interfaces
based on ifindex and ignore all others for IF-MIB processing.
(cherry picked from commit 30a05ee1d447c6f92627162a506225f833a80f8c)
|
|
T5713: Strip string after "secret" in IPSEC configs (backport #2437)
|
|
T5706: Add custom systemd udev rules to exclude dynamic interfaces (backport #2436)
|
|
Add custom systemd udev rules to exclude some regular and dynamic
interfaces from "systemd-sysctl" calls.
It fixes high CPU utilization (100%) as we have a lot of calls per
interface for dynamic interfaces like ppp|ipoe|sstp etc.
/lib/systemd/systemd-udevd should not be called for those interfaces
(cherry picked from commit ca9cc86233520eb495c17602bf7a110094c1d8e7)
|
|
T5720: Fix for PPPoE-server adding new interfaces (backport #2453)
|
|
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had
good intention but this will happen:
use-secret foo CLI node will become " secret xxxxxx" so the output of
strip-private invalidates the configuration.
This has been changed to an exact match of "secret" only
(cherry picked from commit 863af115df853987dd8ad25ecef3f0ea58485e83)
|
|
Make "strip-private" strip the string after "secret"
(cherry picked from commit 30eb308149f24b7f15aa3e40ced6918a8a3a04b8)
|
|
If we add a new interface for PPPoe-server we MUST restart the
`accel-ppp@pppoe.service` as `reload` is not implemented for
accel-ppp daemon
Otherwise we have listen interface in the /run/accel-pppd/pppoe.conf
which does not work
(cherry picked from commit ffda9068b22e2d8a6841fcd8cdf62bbe266ea02c)
|
|
T5716: Fix smoketest for accel-ppp limiter tbf (backport #2451)
|
|
Limiter in the commit cf92295 was changed to `tbf`
Fix smoketest
(cherry picked from commit d8ffbbe72c791ec5516d029e85619678b2841402)
|
|
T5716: Fix accel-ppp template down-limiter does not rely on fwmark (backport #2440)
|
|
ldpd: T5648: Fix ldpd template errors (backport #2357)
|
|
mdns: T5719: Add op-mode commands to mDNS repeater (backport #2447)
|
|
accel-ppp template shaper `down-limiter` does not rely on `fwmark`
Fix it
(cherry picked from commit cf9229544a30e5aa47e307c021d4798a0162d291)
|
|
Bug introduced in https://github.com/vyos/vyos-1x/commit/8fb6e715d32e7eff77e413d8577059dd55b24c0a
(cherry picked from commit df6ced3811ebe6446039277ff3fc301a83776dc1)
|
|
The following ones are available now:
- restart mdns repeater
- show log mdns repeater
- monitor log mdns repeater
(cherry picked from commit ace8a25552fa7f2b2369a385ed8933feb66f355b)
|
|
T5698 EVPN ESI Multihoming (backport #2416)
|
|
vxlan: T3700: add bridge dependency call when altering member interfaces (backport #2439)
|
|
(cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)
|
|
set interfaces bonding bond10 evpn es-df-pref '50'
set interfaces bonding bond10 evpn es-id '10'
set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
set interfaces bonding bond10 member interface 'eth3'
set interfaces bonding bond10 mode '802.3ad'
(cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
|
|
Commit 7f6624f5a6f8bd ("vxlan: T3700: support VLAN tunnel mapping of VLAN aware
bridges") added support for Single VXLAN Device (SVD) containers supported by
the Linux Kernel.
When working with bridge VIFs it turned out that when deleting a VIF all the
VXLAN tunnel mappings got deleted, too. In order to avoid this, if the bridge
has a VXLAN member interface which vlan-to-vni mapping enabled, we add a
dependency that we call VXLAN conf-mode script after messing arround with the
bridge VIFs and re-create tunnel mappings.
(cherry picked from commit fdf7f3a05edbaaf8aeca7e24a9980d5af67dca18)
|
|
T5541: firewall: fix ZBF template and ruleset generation for local-zone rules
|
|
|
|
T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)
|
|
T5513: firewall - op-mode command backport
|
|
wireguard: T5707: remove previously deconfigured peer (backport #2431)
|
|
Changing the public key of a peer (updating the key material) left the old
WireGuard peer in place, as the key removal command used the new key.
WireGuard only supports peer removal based on the configured public-key, by
deleting the entire interface this is the shortcut instead of parsing out all
peers and removing them one by one.
Peer reconfiguration will always come with a short downtime while the WireGuard
interface is recreated.
(cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
|
|
|
|
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions (backport #2427)
|
|
T5700: Fix deprecate telegraf plugin input net (backport #2425)
|
|
Add `max-starting` option:
[common]
max-starting=N
Specifies maximum concurrent session attempts which server may processed
set service pppoe-server max-concurrent-sessions '30'
Useful to prevent high CPU utilization and compat execution
scripts per time.
(cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
|
|
The vendor name could contain Uppercase or lowercase symbols and
not rely on the dictionary name but on dictionary value
/ # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor
VENDOR Cisco 9
Another example
VENDOR Alcatel-IPD 6527
This way if we use `vendor=cisco` instead of `vendor=Cisco` it
will not work at all
Delete vendor validators
(cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)
|
|
DeprecationWarning: Value "false" for option "ignore_protocol_stats"
of plugin "inputs.net" deprecated since version 1.27.3 and will be
removed in 1.36.0: use the 'inputs.nstat' plugin instead
(cherry picked from commit 5476daef7f0fc271089189239599fc8077acba00)
|
|
T5705: rsyslog: fix error when level=al (backport #2424)
|
|
as it's done with facility. Create basic smoketest for syslog
(cherry picked from commit c5ae7c9e2a141d92b8a716b3dbe3e5b41ee4aaba)
|
|
T5681: Firewall,Nat and Nat66: simplified and standarize interface ma…
|
|
firewal, nat and nat66.
(cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
|
|
After commit cc7ba8824 ('vxlan: T5699: migrate "external" CLI know to
"parameters external"') We also need to adjust the testcase for ARP/ND
suppression.
(cherry picked from commit cb2f72dbd10a11f99913cc60044460f18381f770)
|
|
vxlan: T5668: add CLI knob to enable ARP/ND suppression (backport #2413)
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
(cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
|
|
vxlan: T5699: migrate "external" CLI know to "parameters external" (backport #2417)
|
|
As we have a bunch of options under "paramteres" already and "external" is
clearly one of them it should be migrated under that node as well.
(cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
|
|
T5661: Add show ssh dynamic-protection and show log ssh dynamic-protection
|
|
logfile
(cherry picked from commit 78e00bf4099bfac2164ef2075acce8169c40c9c3)
|
|
Try to have as few calls to sudo in the op-mode scripts as possible. The XML
definitions can deal with it.
(cherry picked from commit 428dee29d36cc3629990ec41afef887821886834)
|
|
This makes the code more easy to maintain in the future if everyone uses the
same structure when calling journalctl.
(cherry picked from commit e1b4e972b40941acec76c97e714767214cefe426)
|