summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-05-25configtest: T4382: missing 'ipv4-options' in 'interfaces openvpn'John Estabrook
As a result of the firewall/5-to-6 migration script, 'firewall options interface vtun0 adjust-mss' is moved to: 'interfaces openvpn vtun0 ip adjust-mss 1380' however, interfaces-openvpn.xml.in is missing the include file ipv4-options.xml.i. Add missing include file.
2022-05-25configtest: T4382: inconsistent ipsec component versionJohn Estabrook
The pki-ipsec sagitta-era config contains 'vpn ipsec ipsec-interfaces interface eth0' with ipsec component version ipsec@6, however, this construction is successfully moved by migration script ipsec/5-to-6. Consequently, this must have been an error in translation of the config file. Note that this is unrelated to the corrected error regarding an empty 'ipsec-interfaces' node. Move config to configs.no-load for review.
2022-05-25configtest: T4382: bgp_small_as has a nonsensical entryJohn Estabrook
bgp_small_as contains set commands such as: 'protocols static route 10.0.0.0/8 MY-NAS distance 254' which would appear to have no meaning, in any VyOS version. Move to config.no-load for analysis.
2022-05-25configtest: T4382: 'nat ... log' takes no 'enable' argumentJohn Estabrook
The component version in bgp-dmvpn-spoke is nat@5, however, 4-to-5 removes the boolean argument. It is confirmed that the migration script works correctly, hence, it must be a typo in translation; remove argument 'enable'.
2022-05-25configtest: T4382: system@20 cannot have 'user level' (16-to-17)John Estabrook
The config file isis-small has system@20, but 'user level' which was migrated in system/16-to-17; remove the line in the config, as there is no problem with the migration script in question.
2022-05-25configtest: T4382: remove typoJohn Estabrook
This is a typo in vrf-ospf: 'system nt' on the line before 'system ntp'.
2022-05-25configtest: T4382: bgp migration scripts need to follow quagga scriptsJohn Estabrook
The configs bgp_bfd_communities and bgp_big_as_cloud reveal a counterexample to the independence of component migration scripts: quagga migration scripts must precede those of bgp; explicitly reorder from lexical order.
2022-05-25configtest: T4382: fix missing delete of 'ipsec-interfaces' nodeJohn Estabrook
Migration of bgp-azure-ipsec-gateway and bgp_dmvpn_hub reveals that migration script ipsec/5-to-6 leaves the empty node 'ipsec-interfaces' after moving the interface; fix the migration script, as it is not yet in 1.3.
2022-05-25Merge pull request #1319 from goodNETnick/ocserv_sh_otp_keyViacheslav Hletenko
ocserv: T4420: show configured 2FA OTP key
2022-05-25Merge pull request #1088 from zdc/T4020-sagittaDaniil Baturin
FRR: T4020: Added CLI options for FRR daemons
2022-05-21smoketest: flow-accounting: T4437: adjust smoketest to new generated config ↵Christian Poessinger
syntax
2022-05-21flow-accounting: T4099: "source-address" must exist locallyChristian Poessinger
2022-05-21xml: flow-accounting: T4437: fix node helpChristian Poessinger
2022-05-21xml: nhrp: fix CLI descriptionChristian Poessinger
2022-05-21nhrp: T4353: use ".service" suffix on systemd nameChristian Poessinger
2022-05-21op-mode: T4390: add nhrp and flow-accounting loggingChristian Poessinger
2022-05-21flow-accounting: T4437: also install rule to IPv6 VYOS_CT_PREROUTING_HOOKChristian Poessinger
2022-05-21flow-accounting: T4437: bugfix IPv6 flow collector addressChristian Poessinger
2022-05-20Merge pull request #1317 from sever-sever/T4418Christian Poessinger
monitoring: T4418: Add output plugin azure-data-explorer
2022-05-20monitoring: T4418: Add output plugin azure-data-explorerViacheslav Hletenko
Add output telegraf Plugin Azure Data Explorer set service monitoring telegraf azure-data-explorer authentication client-id 'x' set service monitoring telegraf azure-data-explorer authentication client-secret 'x' set service monitoring telegraf azure-data-explorer authentication tenant-id 'x' set service monitoring telegraf azure-data-explorer database 'x' set service monitoring telegraf azure-data-explorer group-metrics 'single-table' set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
2022-05-19ipsec: T2816: add completion help for IP addresses to local-address nodeChristian Poessinger
2022-05-19dmvpn: nhrp: T4434: secret length can not exceed 8 charactersChristian Poessinger
2022-05-19Merge pull request #1329 from dmbaturin/T4432John Estabrook
T4432: display load averages normalized for the number of CPU cores
2022-05-19T4432: display load averages normalized for the number of CPU coresDaniil Baturin
2022-05-16Merge pull request #1290 from sever-sever/T4373Christian Poessinger
ppppoe-server: T4373: Add option multiplier for correct shaping
2022-05-16pppoe-server: T4373: Add option multiplier for correct shapingViacheslav Hletenko
Multiplier option is required by some vendors for correct shaping For RADIUS based rate-limits edit service pppoe-server set authentication radius rate-limit multiplier '0.001'
2022-05-16ocserv: T4420: show configured 2FA OTP keygoodNETnick
2022-05-13smoketest: add sshguard allow-from caseChristian Poessinger
2022-05-13sshguard: T4408: rename whitelist-address -> allow-fromChristian Poessinger
We do not only allow individual host addresses but also prefixes.
2022-05-13Debian: T4408: add missing sshguard dependencyChristian Poessinger
2022-05-13Merge pull request #1320 from sever-sever/T4408Christian Poessinger
sshguard: T4408: Add service ssh dynamic-protection
2022-05-12sshguard: T4408: Add service ssh dynamic-protectionViacheslav Hletenko
Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1
2022-05-12vrrp: T4417: bugfix service startup priorityChristian Poessinger
2022-05-12conntrack: T3535: use "reload-or-restart" from systemdChristian Poessinger
2022-05-12vrrp: T3944: use "reload-or-restart" over individual code pathsChristian Poessinger
systemd has its internal reload or restart logic - we do not need to programm it on our own.
2022-05-12container: T2216: use warning over exception when container image does not existChristian Poessinger
2022-05-12Merge pull request #1323 from sever-sever/T4399Christian Poessinger
Revert "NHRP : T4399: fix issues restart nhrp when add or del tunnel"
2022-05-12Merge pull request #1325 from sever-sever/T4424Christian Poessinger
policy: T4424: Fix incorrect format for IPv6 prefixes
2022-05-12policy: T4424: Fix incorrect format for IPv6 prefixesViacheslav Hletenko
2022-05-12Revert "NHRP : T4399: fix issues restart nhrp when add or del tunnel"Viacheslav Hletenko
This reverts commit d1455f936ca721633fcc04d5c84169b4ccf2f447. New spokes can't register on hub with 'reload-or-restart' option And requires option 'restart' for opennhrp.service
2022-05-11Merge pull request #1321 from sever-sever/T4405Christian Poessinger
T4405: Fix administrative distance of DHCP routes
2022-05-10T4405: Fix administrative distance of DHCP routesDmitri Toubelis
- Default dhclient script only uses value of `$IF_MERIC` envvar for default route recived via `router` option. - This variable has no effect on rotes received via `rfc3442-classless-static-routes` option - Considering that Vyos overrrides `ip` command originating from `dhclient` this can be easily fixed in `iptovtysh()` function by using the `$IF_METRIC` envvar directly in the dhclient hook. (cherry picked from commit 0c00e7bf8b6e68814607fde4ff0cd70ce9f4b486)
2022-05-09Merge pull request #1279 from nicolas-fort/T990Christian Poessinger
Firewall: T990: Add snat and dnat connection status on firewall
2022-05-08container: T4000: use unique storage for container imageChristian Poessinger
Do no longer store container images which are pulled from any registry to /config/containers. Instead save them to a unified location that is the same accross all images on the system: /usr/lib/live/mount/persistence/container/storage Reason for this change is, while living under /config/containers a VyOS image upgrade copied all downloaded container images to the new image - doubling the used space per image on every upgrade. With the new location the images are all the same for every VyOS image running. Container userdata can still be stored under /config and copied to a newer image making rollbacks still efficient.
2022-05-08container: op-mode: T3852: use XML inline podman commandsChristian Poessinger
Reduce bloat of containers_op.py wrapper script. All commands can be passed directly to podman via the XML script. This also makes the execution faster, as no Python environment needs to be build up.
2022-05-08container: T4353: fix conf-mode script nameChristian Poessinger
2022-05-08smoketest: policy-route: use setUpClass()Christian Poessinger
2022-05-08policy: evpn: T3739: support "set evpn gateway-ip"Christian Poessinger
2022-05-07vrf: T4419: support to disable IP forwarding within a given VRFChristian Poessinger
2022-05-06ocserv: T4231: XML OTP support must not be added globally - only for openconnectChristian Poessinger