Age | Commit message | Author |
|
show bgp l2vpn evpn es-vrf
show bgp l2vpn evpn next-hops
|
|
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had
good intention but this will happen:
use-secret foo CLI node will become " secret xxxxxx" so the output of
strip-private invalidates the configuration.
This has been changed to an exact match of "secret" only
|
|
vxlan: T3700: add bridge dependency call when altering member interfaces
|
|
ddclient: T5708: Upgrade to ddclient 3.11.1
|
|
accel-ppp template shaper `down-limiter` does not rely on `fwmark`
Fix it
|
|
- Allow to configure only required interface prefixes
set service snmp mib interface 'eth'
set service snmp mib interface 'bond'
include_ifmib_iface_prefix eth bond
Sets the interface name prefixes to include in the IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls.
A set of space separated interface name prefixes will reduce the CPU
load for IF-MIB processing. For example, configuring
"include_ifmib_iface_prefix eth dummy lo" will include only interfaces
with these prefixes and ignore all others for IF-MIB processing.
- Allow to configure maximum interface number
set service snmp mib interface-max '100'
ifmib_max_num_ifaces NUM
Sets the maximum number of interfaces included in IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls
(on Linux). Setting a reasonable maximum for the CPU used will
reduce the CPU load for IF-MIB processing. For example, configuring
"ifmib_max_num_ifaces 500" will include only the first 500 interfaces
based on ifindex and ignore all others for IF-MIB processing.
|
|
Commit 7f6624f5a6f8bd ("vxlan: T3700: support VLAN tunnel mapping of VLAN aware
bridges") added support for Single VXLAN Device (SVD) containers supported by
the Linux Kernel.
When working with bridge VIFs it turned out that when deleting a VIF all the
VXLAN tunnel mappings got deleted, too. In order to avoid this, if the bridge
has a VXLAN member interface with vlan-to-vni mapping enabled, we add a
dependency that we call VXLAN conf-mode script after messing around with the
bridge VIFs and re-create tunnel mappings.
|
|
- Migrate to ddclient 3.11.1 and enforce debian/control dependency
- Add dual stack support for additional protocols
- Restrict usage of `porkbun` protocol, VyOS configuration structure
isn't compatible with porkbun yet
- Improve and cleanup error messages
|
|
`web-options` is only applicable when using HTTP(S) web request to
obtain the IP address. Apply guard for that.
|
|
Time interval in seconds to wait between DNS updates would be a bit
more intuitive as `interval` than `timeout`.
|
|
Make "strip-private" strip the string after "secret"
|
|
Add custom systemd udev rules to exclude some regular and dynamic
interfaces from "systemd-sysctl" calls.
It fixes high CPU utilization (100%) as we have a lot of calls per
interface for dynamic interfaces like ppp|ipoe|sstp etc.
/lib/systemd/systemd-udevd should not be called for those interfaces
|
|
wireguard: T5707: remove previously deconfigured peer
|
|
Changing the public key of a peer (updating the key material) left the old
WireGuard peer in place, as the key removal command used the new key.
WireGuard only supports peer removal based on the configured public-key, by
deleting the entire interface this is the shortcut instead of parsing out all
peers and removing them one by one.
Peer reconfiguration will always come with a short downtime while the WireGuard
interface is recreated.
|
|
T5698 EVPN ESI Multihoming
|
|
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions
|
|
T5700: Fix deprecate telegraf plugin input net
|
|
T4726: Remove accel-ppp RADIUS vendor validators
|
|
Add `max-starting` option:
[common]
max-starting=N
Specifies maximum concurrent session attempts which the server may process
set service pppoe-server max-concurrent-sessions '30'
Useful to prevent high CPU utilization and compat execution
scripts per time.
|
|
T5705: rsyslog: fix error when level=al
|
|
DeprecationWarning: Value "false" for option "ignore_protocol_stats"
of plugin "inputs.net" deprecated since version 1.27.3 and will be
removed in 1.36.0: use the 'inputs.nstat' plugin instead
|
|
as it's done with facility. Create basic smoketest for syslog
|
|
The vendor name could contain Uppercase or lowercase symbols and
not rely on the dictionary name but on dictionary value
/ # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor
VENDOR Cisco 9
Another example
VENDOR Alcatel-IPD 6527
This way if we use `vendor=cisco` instead of `vendor=Cisco` it
will not work at all
Delete vendor validators
|
|
Ability to set ip neighbor proxy
set protocols static neighbor-proxy arp 192.0.2.1 interface 'eth0'
set protocols static neighbor-proxy arp 192.0.2.2 interface 'eth0'
set protocols static neighbor-proxy nd 2001:db8::1 interface 'eth1'
|
|
After commit cc7ba8824 ('vxlan: T5699: migrate "external" CLI knob to
"parameters external"') we also need to adjust the testcase for ARP/ND
suppression.
|
|
T1797: Delete VPP from vyos-1x as it is implemented in addon
|
|
Fix commit 51abbc0f1b2 ("T5681: Firewall,Nat and Nat66: simplified and
standardize interface matcher (valid for interfaces and groups) in firewall, nat
and nat66") that added a migrator but did not bump the version number.
|
|
This extends commit 6248b2ae1 ("T5558: smoketest: fix nat definitions on
dialup-router-medium-vpn") that missed out eth1 interface.
|
|
vxlan: T5668: add CLI knob to enable ARP/ND suppression
|
|
vxlan: T5699: migrate "external" CLI knob to "parameters external"
|
|
As we have a bunch of options under "parameters" already and "external" is
clearly one of them it should be migrated under that node as well.
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
|
|
set interfaces bonding bond10 evpn es-df-pref '50'
set interfaces bonding bond10 evpn es-id '10'
set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
set interfaces bonding bond10 member interface 'eth3'
set interfaces bonding bond10 mode '802.3ad'
|
|
T5558: smoketest: fix nat definitions on dialup-router-medium-vpn.
|
|
T5513: firewall: update op-mode command show firewall.
|
|
logfile
|
|
Try to have as few calls to sudo in the op-mode scripts as possible. The XML
definitions can deal with it.
|
|
This makes the code easier to maintain in the future if everyone uses the
same structure when calling journalctl.
|
|
T5661: Add show ssh dynamic-protection attacker and show log ssh…
|
|
default actions and extend references for firewall groups
|
|
T5681: Firewall,Nat and Nat66: simplified and standardize interface matcher
|
|
T5683: Fix reverse-proxy PKI filenames mismatch
|
|
(valid for interfaces and groups) in firewall, nat and nat66.
|
|
The current names for certificates are hardcoded in the generated config to:
- ca.pem
- cert.pem.key
- cert.pem
It causes the generated config certificates and the certificates themselves
to be different (test-cert-1.pem and ca.pem)
bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem
/run/haproxy/ca.pem
It is a bug of the initial implementation. Fix required correct names
from PKI certificates
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i…
|
|
T5675: Use addr_prefix instead of addr in NAT66 source rule prefix parsing
|
|
T5677: show lldp neighbors shows empty platform if descr not in lldpctl output
|