Age | Commit message (Collapse) | Author |
|
Ability to get and parse RADIUS attributes via a shell script and
then execute commands
Ane of the usecases is to create a custom shaper with some smart
Extended scripts receive from PPPoE daemon the following variables:
$1 - Interface name
$4 - Tunnel GW IP address
$5 - Delegated IP address to the client
$6 - Calling Station ID (MAC)
if [ -f /run/accel-pppd/radattr.$1 ]; then
true
fi
|
|
http-api: T5006: add explicit async to retrieve operation
|
|
|
|
Fix for adding IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
wifi: T5470: improve error message
|
|
(cherry picked from commit ffb798b4678f3b1bd0a40cc42b1f0477470346dc)
|
|
T5486: smoketest: adjust to new process_named_running() implementation
|
|
T5223: Fix removing key id for GRE tunnel
|
|
After commit 9c677c8 ("vyos.util: extend process_named_running() signature
with cmdline") we need an exact match for the process name. In the past
we used a in b and now we test for a == b.
Process name doesn't march 'ddclient'
psutil.Process(pid=10987, name='ddclient - sleeping for 20 seconds', started='13:12:47'
It cause smoketest fail
|
|
Fix for removing key id from GRE tunnel
Before fix:
del interfaces tunnel tun10 parameters ip key
commit
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit key 1234
After the fix:
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit
|
|
T2298: vyos.util: extend process_named_running() signature with cmdline
|
|
T5329 : priority: tunnel config is committed before wireguard
|
|
process_named_running() was introduced in commit 16b2fc8fc4ca ("dns-forwarding:
T2298: fix path to control file") and thus remained more or less unchanged.
Smoketests use process_named_running() heavily and might spawn multiple
processes with the same name but ifferent options (e.g. dhcp6c or dhclient) and
it was yet not possible to properly filter on the "real-deal" like the process
bound to a given interface.
One can now optionally specify a string that is searched inside the command
line argument list of the process.
Example:
>>> process_named_running('dhcp6c', 'veth0')
['/usr/sbin/dhcp6c', '-D', '-k', '/run/dhcp6c/dhcp6c.veth0.sock', '-c',
'/run/dhcp6c/dhcp6c.veth0.conf', '-p', '/run/dhcp6c/dhcp6c.veth0.pid', 'veth0']
4215
>>> process_named_running('dhcp6c', 'veth1')
['/usr/sbin/dhcp6c', '-D', '-k', '/run/dhcp6c/dhcp6c.veth1.sock', '-c',
'/run/dhcp6c/dhcp6c.veth1.conf', '-p', '/run/dhcp6c/dhcp6c.veth1.pid', 'veth1']
4253
Where the debug list returned is the commandline searched.
(cherry picked from commit 9c677c81be6a6e62958c73b038c2a36f1f629108)
|
|
(cherry picked from commit 3d5aba0775ff0d858d6c75d6aa37183be73c15aa)
|
|
login: T4790: Added check of the sum of radius timeouts
|
|
T5258: git Actions use ubuntu-22.04 for PR conflicts checker
|
|
git Actions use ubuntu-22.04 instead of deprecated ubuntu-18.04
for PR conflicts checker
https://github.com/actions/runner-images/issues/6002
|
|
Added check of the sum of login radius timeouts.
It has to be less or eq 50 sec.
Added check of a number of login radius servers.
It has to be less or eq 8
Otherwise, log in to the device can be discarded.
Backported from 1.4
|
|
sshguard: T5354: Add service ssh dynamic-protection
|
|
remote: T4412: fixed upload via SSH
|
|
- added timeout to socket creating
- added skipping SSH fingerprint check with a negative result if a
console is not interactive
- replaced tracebacks with human-readable error messages
- suppressed warnings from `cryptography` used by `paramiko`
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
bcast-relay: T5313: verify() relay interfaces have IPv4 address configured
|
|
(cherry picked from commit a409b255acc3dc0a67058593e31b3614e20714f0)
|
|
vrrp: T5315: add support to explicitly specify version (backport)
|
|
(cherry picked from commit 90c0c2c4c81cdbf2ec3f928499f3e1719bfd6f9a)
|
|
set high-availability vrrp group <name> version 2|3
(cherry picked from commit 6ca308182a7891e600a2e8749f7b12b566005576)
|
|
(cherry picked from commit ca7c063666c038d104082542f04ead6062e79246)
|
|
router-advert: T5240: verify() that no more then 3 IPv6 name-servers configured
|
|
This is a radvd limitation.
(cherry picked from commit 8ef017a3496467433c311af63116af7657c58037)
|
|
syslog: T2769: add VRF support (backport)
|
|
Allow syslog messages to be sent through a VRF (e.g. management).
(cherry picked from commit 46d2bcdb0b500b4d1b9d973ab5b9ca3c6cf44e51)
|
|
cloud-init: T5190: Added Cloud-init pre-configurator
|
|
vyos.ifconfig: T2104: support adding and removing VLANs in one call.
|
|
Users might add the podman network interface to a zone based firewall. This
could cuase breaking configs on upgrades to 1.4.
As container support is not yet released for 1.3 LTS version (will be 1.3.3),
we once rename the network interface to match the schema in VyOS 1.4.
|
|
VLANIf('eth0.10').remove() will create and remove the VLAN in one command.
Thus one can ensure when calling remove() on a VLAN it will always
succeed.
(cherry picked from commit 7700da10b8d1d1b3d0db914ab48aebf8ff536da1)
|
|
Added a new service that starts before Cloud-init, waits for all network
interfaces initialization, and if requested by config, checks which interfaces
can get configuration via DHCP server and creates a corresponding Cloud-init
network configuration.
This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant
for any data source which depends on network), but the real network is connected
to another interface
* when Cloud-init starts simultaneously with udev and initializes the first
interface to get meta-data before it is renamed to eth0 by udev
|
|
http-api: T5175: check value of attribute for FastAPI>=0.91.0
|
|
FastAPI v0.92.0 (starlette v0.24.0) sets default attribute
Request._form; check for value == None instead of existence when
overriding Request class.
(cherry picked from commit cac55a066e1f7d7d4c0eec5ada76570a326b5ac9)
|
|
T4727: Add RADIUS rate-limit attribute for vpn pptp
|
|
T5152: Get default hostname for telegraf from FQDN or hostname
|
|
T4939: backport VRRP startup delay
|
|
Fix for Telegraf agent hostname isn't qualified
Try to get the hostname from FQDN and then from the hostname
Used for metrics
You may have more than one machine with different domain names
r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost
It helps to detect from which exactly host we get metrics for
InfluxDB2
|
|
|
|
Add rate-limit attribute, multiplier, vendor specific attribute
for the [shaper] section
|
|
|
|
T4959: Add container registry authentication config for containers (backport)
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
(cherry picked from commit fe82d86d3e87cb8d92ebc9d0652c08e3dd79a12c)
|
|
(cherry picked from commit b4af532dd531c23bc1ad84cca290916be55357bf)
|
|
container: T5047: restart only containers that changed (backport)
|