Age | Commit message | Author
2022-12-30 | T4898: Add mtu config option for dummy interfaces | Yuxiang Zhu
I use dummy interfaces in a VRF as source-interfaces for VXLAN in order to force VXLAN to send underlay UDP traffic through the VRF where the dummy interface resides. However, the dummy interface has no mtu option so it always gets an MTU of 1500. This will cause an error when the mtu of dummy is not large enough for the VXLAN traffic. Adding this option in the config template will solve this. (cherry picked from commit 1440ef93e13d15e2247cbfc2cb4ea2afb266fc9e)
2022-12-26 | Merge pull request #1717 from roedie/1.3-T4809 | Christian Poessinger
T4809: radvd: (Backport) Allow the use of AdvRASrcAddress
2022-12-26 | smoketest: radvd: T4809: add test case for RA source address | Christian Poessinger
(cherry picked from commit 65b104d6e0608e229aa36d948fabddaf3f4a0a8b)
2022-12-26 | radvd: T4809: fix AdvRASrcAddress missing semicolon | Christian Poessinger
Commit 13071a4a ("T4809: radvd: Allow the use of AdvRASrcAddress") added a new feature to set the RA source-address. Unfortunately it missed a semicolon. (cherry picked from commit 4e61fb1f0fd075c5b1a67165204e13f88a7d3015)
2022-12-22 | Merge pull request #1722 from aapostoliuk/webproxybackport | Christian Poessinger
T3810: Fixed all issues in T3810
2022-12-22 | T3810: Fixed all issues in T3810 | aapostoliuk
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db, the template generates an empty dest category in squidGuard.conf and a Warning message.
3. Added template generation for local's categories in the rule section.
4. Changed syntax in the generation dest section for blacklist's categories
5. Fixed generation dest local sections in squidGuard.conf
6. Fixed bug in syntax. The word 'allow' changed to the word 'any' in acl squidGuard.conf
7. Backported all changes from 1.4 to 1.3 which were made in T3810
8. Fixed webproxy smoketest
2022-12-17 | T4809: radvd: Allow the use of AdvRASrcAddress | Sander Klein
This adds the AdvRASrcAddress configuration option to configure a source address for the router advertisements. The source address still must be configured on the system. This is useful for VRRP setups where you want fe80::1 on the VRRP interface for cleaner VRRP failovers.
2022-12-17 | Merge pull request #1716 from c-po/equuleus | Viacheslav Hletenko
GitHub: sync to author assign workflow changed from current
2022-12-17 | GitHub: sync to author assign workflow changed from current | Christian Poessinger
Use the vyos/reviewers team instead of individuals.
2022-12-17 | Merge pull request #1259 from hensur/equuleus-ipv6-local-route | Christian Poessinger
backport: T4515: T4219: policy local-route6 and inbound-interface support
2022-12-17 | Merge pull request #1557 from initramfs/equuleus-fix-tcp-mss | Christian Poessinger
firewall: T4709: fix firewall MSS clamping issues
2022-12-13 | Merge pull request #1704 from aapostoliuk/T4874-equuleus | Viacheslav Hletenko
T4874: Added Warning message
2022-12-10 | T4874: Added Warning message | aapostoliuk
Added the ability to call Warning messages
2022-11-21 | Merge pull request #1672 from sever-sever/T4812-eq | Christian Poessinger
T4812: Add op-mode Show vpn ipsec connections
2022-11-21 | T4812: Add op-mode Show vpn ipsec connections | Viacheslav Hletenko
Add op-mode CLI "show vpn ipsec connections"
Add the ability to show all configured connections/tunnels and their states.
2022-11-15 | Merge pull request #1659 from vfreex/fix-ns-config-equuleus | Christian Poessinger
backport: T4815: Fix various name server config issues
2022-11-15 | backport: T4815: Fix various name server config issues | Yuxiang Zhu
This is a backport of https://github.com/vyos/vyos-1x/pull/1656. Note I also changed `ip-down.script.tmpl` to not wait for `systemctl stop dhcp6c@$iface.service`, because that command is slow and pppd will kill the ip-down script if it times out. I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch. Not sure if there is another mechanism to handle that functionality or it is missed.
2022-11-05 | Merge pull request #1640 from initramfs/equuleus-fix-pdns-reload | Christian Poessinger
backport: dns: T4799: fixed powerdns not being reloaded by vyos-hostsd
2022-11-05 | dns: T4799: fix bug with not reloading powerdns config | initramfs
PowerDNS version 4.7 and above has changed the main process name from 'pdns-r/worker' to 'pdns_recursor'. This commit updates the process name check to use the new name. (cherry picked from commit ff09d4f47e5f54fad8258cd27fb0adfaa4c552b3)
2022-11-01 | Merge pull request #1634 from c-po/t4177-equuleus | Christian Poessinger
strip-private: T4177: Fix for hiding private data token/url/bucket
2022-11-01 | strip-private: T4177: Fix for hiding private data token/url/bucket | Viacheslav
Add hiding of URL, token and bucket data when the function "strip-private" is used (cherry picked from commit f12d8b5a575f4b454426fe11f65b5add966ca53c)
2022-10-31 | Merge pull request #1630 from roedie/1.3-T4526 | Christian Poessinger
keepalived: T4526: keepalived-fifo.py unable to load config
2022-10-31 | Merge pull request #1629 from c-po/t4785-snmp-equuleus | Christian Poessinger
snmp: T4785: allow !, @, * and # in SNMP community name (equuleus)
2022-10-30 | keepalived: T4526: keepalived-fifo.py unable to load config | Sander Klein
keepalived-fifo.py cannot load the VyOS config because the script is started before the commit is completely finished. This change makes sure the script waits for the commit to be completed. It retries every 0.5 seconds. If the commit is still not completed it will continue as did the original implementation.
2022-10-30 | snmp: T4785: allow @, * and # in SNMP community name | Christian Poessinger
(cherry picked from commit 3f91033927d80748b70e1ef58b2941643d1aca33)
2022-10-29 | snmp: T4785: allow ! in community name | Christian Poessinger
(cherry picked from commit dda62226353ebc198b4dbbd319412bb5d1d1ece2)
2022-10-15 | Merge pull request #1579 from sever-sever/T4743 | Viacheslav Hletenko
ddclient: T4743: Add option for IPv6 Dynamic DNS
2022-10-13 | Merge pull request #1593 from sever-sever/T4312-eq | Viacheslav Hletenko
monitoring: T4312: Ability to set IP address in the URL
2022-10-13 | monitoring: T4312: Ability to set IP address in the URL | Viacheslav Hletenko
Use common "url.xml" which allows URL as domain name or IP entry
2022-10-12 | Merge pull request #1582 from sever-sever/T4730-eq | Viacheslav Hletenko
conntrack-sync: T4730: Fix listen-address jinja2 template
2022-10-11 | Merge pull request #1583 from sever-sever/T4680-eq | Christian Poessinger
monitoring: T4680: Bracketize prometheus listen-address
2022-10-11 | monitoring: T4680: Bracketize prometheus listen-address | Viacheslav Hletenko
Fix correct format for prometheus listen-address. When we use an IPv6 address, we must use square 'brackets':
    http://[2001:db8::11e]:9273
2022-10-11 | conntrack-sync: T4730: Fix listen-address jinja2 template | Viacheslav Hletenko
Listen address has option 'multi'
As result we have an incorrect template value for listen-address
 - conntrack-sync listen-address '192.0.2.11' in template
It looks like "IPv4_address ['192.0.2.11']" in the conntrackd.conf
but the correct string expected without brackets
Fix it
2022-10-10 | ddclient: T4743: Add option for IPv6 Dynamic DNS | Viacheslav Hletenko
Allow to set IPv6 address for Dynamic DNS
    set service dns dynamic interface eth2 ipv6-enable
2022-10-03 | Merge pull request #1548 from c-po/t4702-equuleus-wireguard | Christian Poessinger
wireguard: T4702: actively revoke peer if it gets disabled
2022-10-03 | Merge pull request #1520 from c-po/t4652-equuleus-pdns-47 | Christian Poessinger
smoketest: T4652: upgrade PowerDNS recursor to 4.7 series
2022-10-03 | Merge pull request #1556 from c-po/equules-t3171 | Daniil Baturin
ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queues
2022-09-26 | firewall: T4709: adjust TCP MSS clamping ranges and options | initramfs
This commit fixes MSS clamping ranges as well as reintroduces the clamp-mss-to-pmtu option value to clamp to PMTU instead.
2022-09-24 | ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queues | Christian Poessinger
The initial implementation in commit 9fb9e5cade ("ethernet: T3171: add CLI option to enable RPS (Receive Packet Steering)") only changed the CPU affinity for RX queue 0. This commit takes all RX queues into account. (cherry picked from commit 13645bc2cfd31f1525078469f23e89491987e0ea)
2022-09-20 | policy: local-route(6): set priority property | Henning Surmeier
Co-authored-by: initramfs <initramfs@initramfs.io>
2022-09-20 | local-route6: use ipv6 value help for source | Henning Surmeier
2022-09-17 | wireguard: T4702: actively revoke peer if it gets disabled | Christian Poessinger
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep being alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly. (cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
2022-09-15 | Merge pull request #1519 from c-po/t4630-equuleus-peth-macsec | Daniil Baturin
T4630: disallow same source-interface for macsec and pseudo-ethernet
2022-09-15 | Merge pull request #1539 from sever-sever/T4679-eq | Daniil Baturin
openvpn: T4679: Fix incorrect verify local and remote address 1.3
2022-09-14 | openvpn: T4679: Fix incorrect verify local and remote address | Viacheslav Hletenko
In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists
For example:
    set interfaces openvpn vtun2 local-address 2001:db8::1
    set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
    commit
    DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-05 | smoketest: T4652: upgrade PowerDNS recursor to 4.7 series | Christian Poessinger
(cherry picked from commit f3420a967ad5597c57093b5279a844dca4c516c0)
2022-09-04 | T4630: can not use same source-interface for macsec and pseudo-ethernet | Christian Poessinger
A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface.
    set interfaces macsec macsec10 address '192.168.2.1/30'
    set interfaces macsec macsec10 security cipher 'gcm-aes-256'
    set interfaces macsec macsec10 security encrypt
    set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
    set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
    set interfaces macsec macsec10 source-interface 'eth1'
    commit
    set interfaces pseudo-ethernet peth0 source-interface eth1
    commit
Results in
    FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
    returned:
    exit code: 2
    noteworthy:
    cmd 'ip link add peth0 link eth1 type macvlan mode private'
    returned (out):
    returned (err):
    RTNETLINK answers: Device or resource busy
    [[interfaces pseudo-ethernet peth0]] failed
    Commit failed
(cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
2022-09-04 | Merge pull request #1518 from initramfs/equuleus-fix-bond-members 1.3.2 | Christian Poessinger
backport: bonding: T4668: Fix bond members not adding/interface state incorrect
2022-09-04 | Merge pull request #1498 from initramfs/fix-v6-default-route | Christian Poessinger
pppoe: T4648: fix incorrect installation of IPv6 default route even when default-route is set to none
2022-09-02 | bonding: T4668: fix live bonding member add or remove | initramfs
Fixes several bugs around bonding member interface states not matching the committed configuration, including:
- Disabled removed interfaces coming back up
- Newly added disabled interfaces not staying down
- Newly added interfaces not showing up in the bond