Age | Commit message (Collapse) | Author |
|
pppoe: T5630: allow to specify MRU in addition to already configurable MTU (backport #2335)
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
(cherry picked from commit a68c9238111c6caee78bb28f8054b8f0cfa0e374)
|
|
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
(cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
|
|
Add accounting-interim-interval option for PPPoE-server
set service pppoe-server authentication radius accounting-interim-interval '60'
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
|
|
T5594: vrrp: extend function is_ipv6_tentative
|
|
|
|
system: T5555: Fix time-zone migrator changing valid time-zones to UTC
|
|
|
|
T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state
|
|
T5545: fix sflow configuration
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it.
|
|
|
|
T5428: fix DHCP client running in VRF context
|
|
(cherry picked from commit 8daf7f95d832550cc31ab22a65aabe969ecae813)
|
|
|
|
T738: add CLI option for PowerDNS local-port
|
|
T3546: PPPoE-server add extended scripts for RADIUS attributes
|
|
T5506: Add link-local IPv6 address for container interfaces
|
|
vyos.util: T4933: informative error for bad colon-separated lines
|
|
in vyos.util.colon_separated_to_dict
(cherry picked from commit fb7f162f61522127ca72adffd6802797b136a99a)
|
|
set service dns forwarding allow-from '192.0.2.0/24'
set service dns forwarding listen-address '192.0.2.11'
set service dns forwarding port '5353'
|
|
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
(cherry picked from commit 005151f77be5cf999689cfd03620bbc39df59018)
|
|
T4825: Add interface type veth
|
|
Add interface type veth (Virtual ethernet)
One of the usecases it's interconnect different vrf's and
default vrf via bridge
set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0
vyos@r1:~$ ping 10.0.0.10 count 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
|
|
Ability to get and parse RADIUS attributes via a shell script and
then execute commands
Ane of the usecases is to create a custom shaper with some smart
Extended scripts receive from PPPoE daemon the following variables:
$1 - Interface name
$4 - Tunnel GW IP address
$5 - Delegated IP address to the client
$6 - Calling Station ID (MAC)
if [ -f /run/accel-pppd/radattr.$1 ]; then
true
fi
|
|
http-api: T5006: add explicit async to retrieve operation
|
|
|
|
Fix for adding IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
wifi: T5470: improve error message
|
|
(cherry picked from commit ffb798b4678f3b1bd0a40cc42b1f0477470346dc)
|
|
T5486: smoketest: adjust to new process_named_running() implementation
|
|
T5223: Fix removing key id for GRE tunnel
|
|
After commit 9c677c8 ("vyos.util: extend process_named_running() signature
with cmdline") we need an exact match for the process name. In the past
we used a in b and now we test for a == b.
Process name doesn't march 'ddclient'
psutil.Process(pid=10987, name='ddclient - sleeping for 20 seconds', started='13:12:47'
It cause smoketest fail
|
|
Fix for removing key id from GRE tunnel
Before fix:
del interfaces tunnel tun10 parameters ip key
commit
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit key 1234
After the fix:
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit
|
|
T2298: vyos.util: extend process_named_running() signature with cmdline
|
|
T5329 : priority: tunnel config is committed before wireguard
|
|
process_named_running() was introduced in commit 16b2fc8fc4ca ("dns-forwarding:
T2298: fix path to control file") and thus remained more or less unchanged.
Smoketests use process_named_running() heavily and might spawn multiple
processes with the same name but ifferent options (e.g. dhcp6c or dhclient) and
it was yet not possible to properly filter on the "real-deal" like the process
bound to a given interface.
One can now optionally specify a string that is searched inside the command
line argument list of the process.
Example:
>>> process_named_running('dhcp6c', 'veth0')
['/usr/sbin/dhcp6c', '-D', '-k', '/run/dhcp6c/dhcp6c.veth0.sock', '-c',
'/run/dhcp6c/dhcp6c.veth0.conf', '-p', '/run/dhcp6c/dhcp6c.veth0.pid', 'veth0']
4215
>>> process_named_running('dhcp6c', 'veth1')
['/usr/sbin/dhcp6c', '-D', '-k', '/run/dhcp6c/dhcp6c.veth1.sock', '-c',
'/run/dhcp6c/dhcp6c.veth1.conf', '-p', '/run/dhcp6c/dhcp6c.veth1.pid', 'veth1']
4253
Where the debug list returned is the commandline searched.
(cherry picked from commit 9c677c81be6a6e62958c73b038c2a36f1f629108)
|
|
(cherry picked from commit 3d5aba0775ff0d858d6c75d6aa37183be73c15aa)
|
|
login: T4790: Added check of the sum of radius timeouts
|
|
T5258: git Actions use ubuntu-22.04 for PR conflicts checker
|
|
git Actions use ubuntu-22.04 instead of deprecated ubuntu-18.04
for PR conflicts checker
https://github.com/actions/runner-images/issues/6002
|
|
Added check of the sum of login radius timeouts.
It has to be less or eq 50 sec.
Added check of a number of login radius servers.
It has to be less or eq 8
Otherwise, log in to the device can be discarded.
Backported from 1.4
|
|
sshguard: T5354: Add service ssh dynamic-protection
|
|
remote: T4412: fixed upload via SSH
|
|
- added timeout to socket creating
- added skipping SSH fingerprint check with a negative result if a
console is not interactive
- replaced tracebacks with human-readable error messages
- suppressed warnings from `cryptography` used by `paramiko`
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
bcast-relay: T5313: verify() relay interfaces have IPv4 address configured
|