Age | Commit message (Collapse) | Author |
|
Add ppp-options IPv6 interface id for vpn L2TP
- fixed or random interface identifier for IPv6
- peer interface identifier for IPv6
- whether to accept peer’s interface identifier
set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id
set vpn l2tp remote-access ppp-options ipv6-intf-id 'random'
set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
|
|
overlay2 is the preferred storage driver for all currently supported Linux
distributions, and requires no extra configuration.
|
|
container: T4870: Update podman to use overlay storage driver
|
|
Commit 13071a4a ("T4809: radvd: Allow the use of AdvRASrcAddress") added a new
feature to set the RA source-address. Unfortunately it missed a semicolon.
|
|
|
|
T4832: dhcp: Add IPv6-only dhcp option support (RFC 8925)
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
T4884: snmpd: add community6 fallback
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
4. Fixed generation dest local sections in squidGuard.conf
5. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
|
|
T4809: radvd: Allow the use of AdvRASrcAddress
|
|
routing: T1237: Add new feature failover route
|
|
This add the AdvRASrcAddress configuration option to configure
a source address for the router advertisements. The source
address still must be configured on the system. This is useful
for VRRP setups where you want fe80::1 on the VRRP interface
for cleaner VRRP failovers.
|
|
If no client and network is defined only a `community` config
is created. This also adds the `community6` part
|
|
Failover route allows to install static routes to the kernel routing
table only if required target or gateway is alive
When target or gateway doesn't respond for ICMP/ARP checks this route
deleted from the routing table
Routes are marked as protocol 'failover' (rt_protos)
cat /etc/iproute2/rt_protos.d/failover.conf
111 failover
ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover
$ sudo ip route show proto failover
203.0.113.1 via 192.0.2.1 dev eth0 metric 1
So we can safely flush such routes
|
|
vyos@vyos# show interfaces sstpc
sstpc sstpc10 {
authentication {
password vyos
user vyos
}
server sstp.vyos.net
ssl {
ca-certificate VyOS-CA
}
}
|
|
|
|
L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool
As we can get addresses via RADIUS attributes:
- Framed-IPv6-Prefix
- Delegated-IPv6-Prefix
|
|
Fix l2tp dae server template and python config dict for correctlly
handling Dynamic Authorization Extension server configuration
|
|
Added the generation in the config file /etc/squid/squid.conf
for command: set service webroxy domain-block <domain>
|
|
|
|
Adding the parameters that were missing to the OSPF FRR template.
|
|
The variable 'client' was accidently used where 'network should
have been used. This lead to missing community6 string when
an IPv6 network was defined instead of an IPv6 client.
|
|
Remote TS for transport mode GRE must be remote-address and
not peer name
|
|
Clients supporting this DHCP option (DHCP option 108, RFC 8925) will
disable its IPv4 network stack for configured number of seconds
and operate in IPv6-only mode.
This option is known to work on iOS 15+ and macOS 12.0.1+.
Example command:
```sh
set service dhcp-server shared-network-name LAN6 subnet 192.168.64.0/24 ipv6-only-preferred 0
```
|
|
so this new group can be used in inbound and outbound matcher
|
|
policy: T2199: T4605: Migrate policy route interface node
|
|
|
|
<name> interface <ifname>`
* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup
* T4605: Rename mangle table to vyos_mangle
|
|
|
|
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
|
|
|
|
`fqdn` node
|
|
This enabled users to also use 2FA/MFA authentication with a radius backend as
there is enough time to enter the second factor.
|
|
* ExecStop action with defined timeout allows for quicker reboot/shutdown with containers
|
|
|
|
Ability to configure SSH-server HostKeyAlgorithms.
Specifies the host key signature algorithms that the server
offers. Can accept multiple values.
|
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
|
|
no-php-flag
The nested if statement was not properly evaluated during smoketests making
them fail. There is no need to nest the if's - as a simple string can be
appended by {{ 'foo' if bar is vyos_defined }}
|
|
system login: T874: add 2FA support for local and ssh authentication
|
|
|
|
Due to monitoring telegraf was rewritten - fix template for
inputs.exec plugin
We do not use 'influxdb_configured' in the dictionary anymore and
use just 'influxdb'
|
|
isis: T4739: ISIS segment routing being refactored
|
|
This is to refactor ISIS segment routing to match up with OSPF segment routing.
|
|
firewall: policy: T4741: T4742: Verify zone `from` is defined, autocomplete policy route tables
|
|
ssh: T4716: Ability to configure RekeyLimit data and time
|
|
|
|
Listen address has option 'multi'
As resulte we have incorrect template value for listen address
- conntrack-sync listen-address '192.0.2.11' in template
It looks like "IPv4_address ['192.0.2.11']" in the conntrackd.conf
but the correct string expected without brackets
Fix it
|
|
Ability to configure SSH RekeyLimit data (in Megabytes) and
time (in Minutes)
set service ssh rekey data 1024
set service ssh rekey time 60
|
|
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
|