Age | Commit message | Author
2023-11-14 | T5729: T5590: T5616: backport to sagitta fwall marks, fix on firewall logs parsing, and migration to valueless node for log and state matchers | Nicolas Fort
2023-11-13 | Merge pull request #2445 from c-po/sagitta | Christian Breunig
op-mode: bgp: T5698: add "es-vrf" and "next-hops" CLI commands (backport)
2023-11-13 | Merge pull request #2466 from sever-sever/T1797-sag | Daniil Baturin
T1797: Remove vpp packages and mentions
2023-11-12 | op-mode: T5658: fix "monitor traceroute" completion helper | Christian Breunig
(cherry picked from commit c0de93d37354ec89f44dde7f1b5a4c8af550a019)
2023-11-12 | op-mode: T5658: reduce amount of exposed options | Christian Breunig
Example: we should focus on JSON output and not expose XML and CSV. (cherry picked from commit b8e9daf12eaef46747e7379042f8acd575e5b1d6)
2023-11-12 | T5658: add common methods interface_list() and vrf_list() to vyos.utils.network | Christian Breunig
Reduce amount of duplicated (3 times) code in op-mode scripts for ping, traceroute and mtr. (cherry picked from commit 7b27a20c8664460482301cc8d7554048f152485e)
2023-11-12 | op-mode: T5658: adjust "monitor traceroute" CLI argument index | Christian Breunig
(cherry picked from commit 709c578e123bcf258eba1d15842b63eb63413523)
2023-11-12 | op-mode: T5658: add VRF support for "monitor traceroute" | bbabich
(cherry picked from commit 07ecc0c33fb32878cac25ec84f2f3a977588f0dd)
2023-11-11 | Merge pull request #2473 from vyos/mergify/bp/sagitta/pr-2472 | Christian Breunig
dhclient: T5724: run user hooks using run_hookdir (backport #2472)
2023-11-11 | dhclient: T5724: run user hooks using run_hookdir | gavol
User hooks are executed using run_hookdir (defined in the /sbin/dhclient-script script) instead of run-parts. That allows user hooks to modify variables set by the dhcp client (e.g., the new_routers variable to avoid the installation of the default routes). (cherry picked from commit 645a0e768e27912a3f46d00de31d0fc79b6fd463)
2023-11-09 | T1797: Remove vpp packages and mentions | Viacheslav Hletenko
2023-11-09 | Merge pull request #2463 from vyos/mergify/bp/sagitta/pr-2370 | John Estabrook
T1797: Delete VPP from vyos-1x as it is implemented in addon (backport #2370)
2023-11-09 | T1797: Delete VPP from vyos-1x as it is implemented in addon | Viacheslav Hletenko
(cherry picked from commit 59c8d5febb2b1333643372f8956fa8f219d022cb)
2023-11-07 | Merge pull request #2458 from vyos/mergify/bp/sagitta/pr-2240 | Christian Breunig
T5559: Add static neighbor-proxy feature (backport #2240)
2023-11-07 | Merge pull request #2457 from vyos/mergify/bp/sagitta/pr-2434 | Christian Breunig
T5702: SNMP add interface-mib max-interfaces-number and prefix (backport #2434)
2023-11-07 | T5559: Add static neighbor-proxy feature | Viacheslav Hletenko
Ability to set ip neighbor proxy

    set protocols static neighbor-proxy arp 192.0.2.1 interface 'eth0'
    set protocols static neighbor-proxy arp 192.0.2.2 interface 'eth0'
    set protocols static neighbor-proxy nd 2001:db8::1 interface 'eth1'

(cherry picked from commit c56af995b6e3d867c2a67deeb4be79e498f0a7cf)
2023-11-07 | T5702: SNMP add interface-mib max-interfaces-number and prefix | Viacheslav Hletenko
- Allow to configure only required interface prefixes

    set service snmp mib interface 'eth'
    set service snmp mib interface 'bond'

  include_ifmib_iface_prefix eth bond

  Sets the interface name prefixes to include in the IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls. A set of space separated interface name prefixes will reduce the CPU load for IF-MIB processing. For example, configuring "include_ifmib_iface_prefix eth dummy lo" will include only interfaces with these prefixes and ignore all others for IF-MIB processing.

- Allow to configure maximum interface number

    set service snmp mib interface-max '100'

  ifmib_max_num_ifaces NUM

  Sets the maximum number of interfaces included in IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls (on Linux). Setting a reasonable maximum for the CPU used will reduce the CPU load for IF-MIB processing. For example, configuring "ifmib_max_num_ifaces 500" will include only the first 500 interfaces based on ifindex and ignore all others for IF-MIB processing.

(cherry picked from commit 30a05ee1d447c6f92627162a506225f833a80f8c)
2023-11-07 | Merge pull request #2455 from vyos/mergify/bp/sagitta/pr-2437 | Christian Breunig
T5713: Strip string after "secret" in IPSEC configs (backport #2437)
2023-11-07 | Merge pull request #2456 from vyos/mergify/bp/sagitta/pr-2436 | Christian Breunig
T5706: Add custom systemd udev rules to exclude dynamic interfaces (backport #2436)
2023-11-07 | T5706: Add custom systemd udev rules to exclude dynamic interfaces | Viacheslav Hletenko
Add custom systemd udev rules to exclude some regular and dynamic interfaces from "systemd-sysctl" calls. It fixes high CPU utilization (100%) as we have a lot of calls per interface for dynamic interfaces like ppp|ipoe|sstp etc. /lib/systemd/systemd-udevd should not be called for those interfaces (cherry picked from commit ca9cc86233520eb495c17602bf7a110094c1d8e7)
2023-11-07 | Merge pull request #2454 from vyos/mergify/bp/sagitta/pr-2453 | Christian Breunig
T5720: Fix for PPPoE-server adding new interfaces (backport #2453)
2023-11-07 | T5713: only strip "secret" CLI node and nothing else | Christian Breunig
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had good intention but this will happen:

    use-secret foo

CLI node will become

    " secret xxxxxx"

so the output of strip-private invalidates the configuration.

This has been changed to an exact match of "secret" only

(cherry picked from commit 863af115df853987dd8ad25ecef3f0ea58485e83)
2023-11-07 | T5713: Strip string after "secret" in IPSEC config | RageLtMan
Make "strip-private" strip the string after "secret" (cherry picked from commit 30eb308149f24b7f15aa3e40ced6918a8a3a04b8)
2023-11-07 | T5720: Fix for PPPoE-server adding new interfaces | Viacheslav Hletenko
If we add a new interface for PPPoE-server we MUST restart the `accel-ppp@pppoe.service` as `reload` is not implemented for accel-ppp daemon.
Otherwise we have listen interface in the /run/accel-pppd/pppoe.conf which does not work.

(cherry picked from commit ffda9068b22e2d8a6841fcd8cdf62bbe266ea02c)
2023-11-07 | Merge pull request #2452 from vyos/mergify/bp/sagitta/pr-2451 | Christian Breunig
T5716: Fix smoketest for accel-ppp limiter tbf (backport #2451)
2023-11-07 | T5716: Fix smoketest for accel-ppp limiter tbf | Viacheslav Hletenko
Limiter in the commit cf92295 was changed to `tbf`
Fix smoketest

(cherry picked from commit d8ffbbe72c791ec5516d029e85619678b2841402)
2023-11-07 | Merge pull request #2450 from vyos/mergify/bp/sagitta/pr-2440 | Christian Breunig
T5716: Fix accel-ppp template down-limiter does not rely on fwmark (backport #2440)
2023-11-07 | Merge pull request #2449 from vyos/mergify/bp/sagitta/pr-2357 | Christian Breunig
ldpd: T5648: Fix ldpd template errors (backport #2357)
2023-11-07 | Merge pull request #2448 from vyos/mergify/bp/sagitta/pr-2447 | Christian Breunig
mdns: T5719: Add op-mode commands to mDNS repeater (backport #2447)
2023-11-07 | T5716: Fix accel-ppp template down-limiter does not rely on fwmark | Viacheslav Hletenko
accel-ppp template shaper `down-limiter` does not rely on `fwmark`
Fix it

(cherry picked from commit cf9229544a30e5aa47e307c021d4798a0162d291)
2023-11-07 | ldpd: T5648: Fix ldpd template errors | Devon Mar
Bug introduced in https://github.com/vyos/vyos-1x/commit/8fb6e715d32e7eff77e413d8577059dd55b24c0a (cherry picked from commit df6ced3811ebe6446039277ff3fc301a83776dc1)
2023-11-07 | mdns: T5719: Add op-mode commands to mDNS repeater | Indrajit Raychaudhuri
The following ones are available now:
- restart mdns repeater
- show log mdns repeater
- monitor log mdns repeater

(cherry picked from commit ace8a25552fa7f2b2369a385ed8933feb66f355b)
2023-11-07 | Merge pull request #2444 from vyos/mergify/bp/sagitta/pr-2416 | Christian Breunig
T5698 EVPN ESI Multihoming (backport #2416)
2023-11-06 | op-mode: bgp: T5698: add "es-vrf" and "next-hops" CLI commands | Christian Breunig

    show bgp l2vpn evpn es-vrf
    show bgp l2vpn evpn next-hops

(cherry picked from commit f4b1df3c84072624060e13a6099d2032e0a4ee47)
2023-11-06 | op-mode: bgp: T5698: fix "rd" route-distinguisher help string | Christian Breunig
(cherry picked from commit 43288b57d8dc79a12a9bedd6386d81c85bd00149)
2023-11-06 | Merge pull request #2443 from vyos/mergify/bp/sagitta/pr-2439 | Christian Breunig
vxlan: T3700: add bridge dependency call when altering member interfaces (backport #2439)
2023-11-06 | bgp: T5698: add support for EVPN Multihoming | Christian Breunig
(cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)
2023-11-06 | bond: T5698: add support for EVPN Multihoming | Christian Breunig

    set interfaces bonding bond10 evpn es-df-pref '50'
    set interfaces bonding bond10 evpn es-id '10'
    set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
    set interfaces bonding bond10 member interface 'eth3'
    set interfaces bonding bond10 mode '802.3ad'

(cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
2023-11-06 | vxlan: T3700: add bridge dependency call when altering member interfaces | Christian Breunig
Commit 7f6624f5a6f8bd ("vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridges") added support for Single VXLAN Device (SVD) containers supported by the Linux Kernel.

When working with bridge VIFs it turned out that when deleting a VIF all the VXLAN tunnel mappings got deleted, too. In order to avoid this, if the bridge has a VXLAN member interface which has vlan-to-vni mapping enabled, we add a dependency that we call VXLAN conf-mode script after messing around with the bridge VIFs and re-create tunnel mappings.

(cherry picked from commit fdf7f3a05edbaaf8aeca7e24a9980d5af67dca18)
2023-11-06 | Merge pull request #2441 from nicolas-fort/T5541-fix-zbf-sagiita | Christian Breunig
T5541: firewall: fix ZBF template and ruleset generation for local-zone rules
2023-11-06 | T5541: firewall: fix ZBF template and ruleset generation for local-zone rules. | Nicolas Fort
2023-11-03 | Merge pull request #2429 from vyos/mergify/bp/sagitta/pr-2423 | Viacheslav Hletenko
T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)
2023-11-03 | Merge pull request #2432 from nicolas-fort/T5513-fwall-show-sagitta | Daniil Baturin
T5513: firewall - op-mode command backport
2023-11-03 | Merge pull request #2433 from vyos/mergify/bp/sagitta/pr-2431 | Daniil Baturin
wireguard: T5707: remove previously deconfigured peer (backport #2431)
2023-11-03 | wireguard: T5707: remove previously deconfigured peer | Christian Breunig
Changing the public key of a peer (updating the key material) left the old WireGuard peer in place, as the key removal command used the new key. WireGuard only supports peer removal based on the configured public-key, by deleting the entire interface this is the shortcut instead of parsing out all peers and removing them one by one. Peer reconfiguration will always come with a short downtime while the WireGuard interface is recreated. (cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
2023-11-02 | T5513: opmode command show firewall - Manual backport | Nicolas Fort
2023-11-02 | Merge pull request #2430 from vyos/mergify/bp/sagitta/pr-2427 | Viacheslav Hletenko
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions (backport #2427)
2023-11-02 | Merge pull request #2428 from vyos/mergify/bp/sagitta/pr-2425 | Viacheslav Hletenko
T5700: Fix deprecate telegraf plugin input net (backport #2425)
2023-11-02 | T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions | Viacheslav Hletenko
Add `max-starting` option:

    [common]
    max-starting=N

Specifies maximum concurrent session attempts which server may process

    set service pppoe-server max-concurrent-sessions '30'

Useful to prevent high CPU utilization and compat execution scripts per time.

(cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
2023-11-02 | T4726: Remove accel-ppp RADIUS vendor validators | Viacheslav Hletenko
The vendor name could contain Uppercase or lowercase symbols and not rely on the dictionary name but on dictionary value

    / # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor
    VENDOR Cisco 9

Another example

    VENDOR Alcatel-IPD 6527

This way if we use `vendor=cisco` instead of `vendor=Cisco` it will not work at all

Delete vendor validators

(cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)