Age | Commit message (Collapse) | Author |
|
openvpn: T3214: fix server-ipv6 and nopool handling (backport #1637)
|
|
The --server directive will already create a pool automatically.
For this reason noppol should be used only when an explicit
client-ip-pool was configured by the user.
If that's not the case, then the nopool flag should not be
specified and no manual pool should be configured.
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
(cherry picked from commit 0ccbbca01b22232b5cba63d64ab00eb54af7b068)
|
|
exclude-throttle-address
This fixes commit 199ceb1f0a ("dns: T5900: add dont-throttle-netmasks and
serve-stale-extensions powerdns features") where after the latest review round
the Jinja2 template was inconsitently changed and smoketests were not re-run.
(cherry picked from commit 9baeafa890f7b1d3829df633322fb4288e9ea882)
|
|
features
(cherry picked from commit 199ceb1f0a820c838dea6862371a3121b3d9f3a9)
|
|
Rewritten PPTP to get_config_dict
Fixed 'dynamic-author' commands. These commands did not create
anything in accel-ppp config.
(cherry picked from commit f39eb894d991d296a82c69d1ab783011b5d0ed2f)
|
|
Rewritten L2TP to get_config_dict
Rewritten L2TP xml to accel-ppp patterns
Migrated 'idle' to 'ppp-options.lcp-echo-timeout'
Migrated 'authentication.mppe' to 'ppp-options.mppe'
Migrated 'authentication.radius.dae-server' to
'authentication.radius.dynamic-author'
Migrated 'authentication.require' to 'authentication.protocol'
Added 'authentication.radius.acct-interim-jitter'
Added 'authentication.radius.preallocate-vif'
Added 'authentication.radius.server.<IP>.acct-port'
Added 'ppp-options.ipv4'
Added smoke-tests
Fixed 'preallocate-vif' in SSTP
(cherry picked from commit 09e0a2ca035ee39a68a510b28cc74560669d0420)
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
|
|
firewall: T5834: Rename 'enable-default-log' to 'default-log' (backport #2651)
|
|
(cherry picked from commit 656934e85cee799dba5b495d143f6be445ac22d5)
|
|
One can now do `set policy route foo default-log` which will add log
to the policy route chain.
(cherry picked from commit 6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5)
|
|
Fixed format of ipv4 pool range from 'x.x.x.x-x.x.x.y'
to 'x.x.x.x-y'
(cherry picked from commit 714a6b1dd5e4de6c85911fa64f4b5f37b44979cf)
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Fraimed-IP-Address attribute by radius.
3. Default pool name should be explicidly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
(cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
|
|
(cherry picked from commit a9201e77110ce0695e2ba879304aef41b7ac9a0c)
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
(cherry picked from commit 4d721a58020971d00ab854c37b68e88359999f9c)
|
|
(cherry picked from commit 42614633901713e6472b43f95065d215344843b1)
|
|
Add ability to configure multiple SSL certificates for
frontend/service
set load-balancing reverse-proxy service web mode http
set load-balancing reverse-proxy service web port 443
set load-balancing reverse-proxy service web ssl certificate cert1
set load-balancing reverse-proxy service web ssl certificate cert2
(cherry picked from commit fe99c45e05fd5794905145ddca80e6078145c2e8)
|
|
Add BMP feature.
BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring
data from BGP routers to network management entities
https://docs.frrouting.org/en/latest/bmp.html
Example:
set system frr bmp
commit
run restart bgp
set protocols bgp system-as '65001'
set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast
set protocols bgp neighbor 192.0.2.11 remote-as '65001'
set protocols bgp bmp mirror-buffer-limit '256000000'
set protocols bgp bmp target foo address '127.0.0.1'
set protocols bgp bmp target foo port '5000'
set protocols bgp bmp target foo min-retry '1000'
set protocols bgp bmp target foo max-retry '2000'
set protocols bgp bmp target foo mirror
set protocols bgp bmp target foo monitor ipv4-unicast post-policy
set protocols bgp bmp target foo monitor ipv4-unicast pre-policy
set protocols bgp bmp target foo monitor ipv6-unicast post-policy
set protocols bgp bmp target foo monitor ipv6-unicast pre-policy
(cherry picked from commit 5523fccf4f7d05444c36c568128e94cd7b08c34f)
|
|
(cherry picked from commit bd701768796d6ebb03ca943faf96d1dbea030edd)
|
|
Note that this was updated for the fix in T5739.
(cherry picked from commit 424c9b19fd54598081e965c3364b082c5ef984de)
|
|
This commit allows management of system images with either new or legacy
tools: 'add/delete/rename system image' and 'set default' are translated
appropriately on booting between images with the old and new tools.
Consequently, the warning of the initial commit of T4516 is dropped.
(cherry picked from commit 96b65e90fbfa1fe63d97929ac86fc910abb0caa9)
|
|
This commit adds the whole set of system image tools written from the scratch in
Python that allows performing all the operations on images:
* check information
* perform installation and deletion
* versions management
Also, it contains a new service that will update the GRUB menu and keep tracking
its version in the future.
WARNING: The commit contains non-reversible changes. Because of boot menu
changes, it will not be possible to manage images from older VyOS versions after
an update.
(cherry picked from commit 8f94262e8fa2477700c50303ea6e2c6ddad72adb)
|
|
(cherry picked from commit 1c82e661e04e0979e09e487a58a801ffa9f438e8)
|
|
OCserv manual recommended HTTP headers tobe included in the configuration.
(cherry picked from commit ad65d37ddf92ec8416c84707d7d41e63346b550c)
(cherry picked from commit 24f449cc099703df95646c719e9d3f308ed1a3f0)
|
|
|
|
included in <set firewall global-options state-policy> node.
|
|
This allows the operator to control the number of open file descriptors each
daemon is allowed to start with. The current assumed value on most operating
systems is 1024.
If the operator plans to run bgp with several thousands of peers then this is
where we would modify FRR to allow this to happen.
set system frr descriptors <n>
(cherry picked from commit 892c28ccf634173d4c4952c248cb03974c560793)
|
|
VyOS CLI
set protocols segment-routing srv6 locator bar prefix '2001:b::/64'
set protocols segment-routing srv6 locator foo behavior-usid
set protocols segment-routing srv6 locator foo prefix '2001:a::/64'
Will generate in FRR
segment-routing
srv6
locators
locator bar
prefix 2001:b::/64 block-len 40 node-len 24 func-bits 16
exit
!
locator foo
prefix 2001:a::/64 block-len 40 node-len 24 func-bits 16
behavior usid
exit
!
exit
!
exit
!
exit
(cherry picked from commit ca301cdd4746187f96ff84e411fda6a84e33f237)
|
|
set protocols bgp sid vpn per-vrf export '99'
set protocols bgp srv6 locator 'foo'
set protocols bgp system-as '100'
Will generate in FRR config
router bgp 100
no bgp ebgp-requires-policy
no bgp default ipv4-unicast
no bgp network import-check
!
segment-routing srv6
locator foo
exit
sid vpn per-vrf export 99
exit
(cherry picked from commit af46fe54e56cf85d13b62ee771bec3d80f225ac5)
|
|
Apply baseline defaults for `.gitattributes` and `.vscode/settings.json`
for improved developer experience.
The `.gitattrbutes` settings are based on:
Git documentation (https://git-scm.com/docs/gitattributes#_effects)
GitHub documentation (https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings)
Community templates (https://github.com/gitattributes/gitattributes)
Since editor-agnostic line-ending specific settings are applied to
`.gitattributes`, they can be removed from `.vscode/settings.json`.
The global VSCode defaults have also been removed to avoid duplication.
(cherry picked from commit c30002208d392177cb1ffc1a5c714f7ad6d573b6)
|
|
|
|
Modify the configuration path to be consistent with the usual dialects
of VyoS configuration (wireguard, dns, firewall, etc.)
This would also shorten the configuration path and have a unified
treatment for RFC2136-based updates and other 'web-service' based updates.
While at it, add support for per-service web-options. This would allow
for probing different external URLs on a per-service basis.
|
|
(cherry picked from commit db51546edd653d3637cb26d6957ce5222d44d395)
|
|
ddclient: T5573,T5574,T5612,T5708: Backport ddclient related changes
|
|
Additionally, templatize system service override and move it to the
runtime path.
(cherry picked from commit eb906739047187c322b6ce9efe7c9479bed9a024)
|
|
Migration to 3.11.1 follow-up: This should make `ddclient.conf` parsing
more resilient to edge cases (particularly when `password` isn't the
last option right before the host parameter).
ddclient config parser applies special treatment to the password field
and would unwrap the quotes automatically.
Also, switch from now deprecated `use=no` to `use=disabled`.
|
|
Time interval in seconds to wait between DNS updates would be a bit
more intuitive as `interval` than `timeout`.
|
|
Add support for per-service cache management for ddclient providers
via `wait-time` and `expiry-time` options. This allows for finer-grained
control over how often a service is updated and how long the hostname
will be cached before being marked expired in ddclient's cache.
More specifically, `wait-time` controls how often ddclient will attempt
to check for a change in the hostname's IP address, and `expiry-time`
controls how often ddclient to a forced update of the hostname's IP
address.
These options intentionally don't have any default values because they
are provider-specific. They get treated similar to the other provider-
specific options in that they are only used if defined.
|
|
Adjust the jinja template to avoid generating incorrect ddclient.conf in
some cases. The template is reformatted to guarantee whitespacing and
empty line separation.
|
|
Enable TTL support for web-service based protocols in addition to
RFC2136 based (nsupdate) protocol.
Since TTL is not supported by all protocols, and thus cannot have a
configuration default, the existing XML snippet `include/dns/time-to-live.xml.i`
does not have common `<defaultValue>300</defaultValue>` anymore and is
instead added explicitly whenever necessary.
|
|
Fix VRF support interface definition and configuration mode for ddclient
to actually capture the VRF name and pass it to the template.
|
|
Now that the caching fixes are in place, we can update the config to
remove legacy treatment of ipv4 related properties.
|
|
T5767: HTTPS API add reboot and poweroff endpoints (backport #2516)
|
|
T5419: firewall: backport firewall flowtable to Sagitta.
|
|
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
|
|
Add ability to reboot and poweroff the system via API
curl -k --location --request POST 'https://vyos/reboot' \
--form data='{"op": "reboot", "path": ["now"]}' \
--form key='apikey'
curl -k --location --request POST 'https://vyos/poweroff' \
--form data='{"op": "poweroff", "path": ["now"]}' \
--form key='apikey'
(cherry picked from commit 36f3c329c2df0e78f2f5da933d9729a872fb2a11)
|
|
|
|
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
(cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
|
|
Example:
set interfaces ethernet eth0 dhcp-options user-class VyOS
or
set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
(cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)
|
|
The string data type specifies either an NVT ASCII string enclosed in double
quotes, or a series of octets specified in hexadecimal, separated by colons.
For example:
set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO
or
set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f
As of now there was no input validation performed.
(cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)
|
|
frr: T5733: enable pim6 daemon
|