Age | Commit message (Collapse) | Author |
|
rpki: T6023: add support for CLI knobs expire-interval and retry-interval
|
|
T5960: Rewritten authentication node in PPTP to a single view
|
|
* set protocols bgp parameters labeled-unicast <explicit-null | ipv4-explicit-null | ipv6-explicit-null>
* set protocols bgp parameters allow-martian-nexthop
* set protocols bgp parameters no-hard-administrative-reset"
|
|
|
|
Rewritten authentication node in accel-ppp services
to a single view. In particular - PPTP authentication.
|
|
rpki: T6011: known-hosts-file is no longer supported by FRR
|
|
|
|
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.
* set vpn ipsec site-to-site peer <name> replay-window <0-2040>
|
|
dhcpv6: T3771: Installation of routes for delegated prefixes, add excluded-prefix to PD
|
|
T5971: Rewritten ppp options in accel-ppp services
|
|
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
ddclient: T5966: Adjust dynamic dns config address subpath
|
|
dns forwarding: T5687: Implement ECS settings for PowerDNS recursor
|
|
vrf: T5973: multiple bugfixes and improvements
|
|
|
|
Rewritten 'ppp-options' to the same view in all accel-ppp services.
Adding IPv6 support to PPTP.
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
|
|
|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
* set protocols bfd profile <name> minimum-ttl <1-254>
|
|
There is no need to add and remove this table during runtime - it can lurk
in the standard firewall init code.
|
|
sflow: T5968: add VRF support
|
|
Add support to run hsflowd in a dedicated (e.g. management) VRF.
Command will be "set system sflow vrf <name>" like with any other service
|
|
Modify the dynamic dns configuration 'address' subpath for better
clarity on how the address is obtained.
Additionally, remove `web-options` and fold those options under the
path `address web`.
|
|
Streamline configuration and operation of dns forwarding service in
following ways:
- Remove `dns_forwarding_reset.py` as its functionality is now covered
by `dns.py`
- Adjust function names in `dns.py` to disambiguate between DNS
forwarding and dynamic DNS
- Remove `dns_forwarding_restart.sh` as its functionality is inlined in
`dns-forwarding.xml`
- Templatize systemd override for `pdns-recursor.service` and move the
generated override files in /run. This ensures that the override files
are always generated afresh after boot
- Simplify the systemd override file by removing the redundant overrides
- Relocate configuration path for pdns-recursor to `/run/pdns-recursor`
and utilize the `RuntimeDirectory` default that pdns-recursor expects
- We do not need to use custom `--socket-dir` path anymore, the default
path (viz., `/run/pdns-recursor` is fine)
|
|
* set service ntp leap-second [ignore|smear|system|timezone]
Where timezone is the new and old default resulting in adding "leapsectz right/UTC"
to chrony.conf. The most prominent new option is "smear" which will add
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly
to chrony.
See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for
additional information
|
|
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
|
|
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp
|
|
image-tools: T5923: update system_console.py for new GRUB file structure
|
|
Renamed DPD action value from 'hold' to 'trap'
|
|
Moved ipv6 pools to named ipv6 pools in accel-ppp services
|
|
set protocols bgp address-family ipv4-unicast nexthop vpn export <ipv4-address|ipv6-address>
set protocols bgp address-family ipv6-unicast nexthop vpn export <ipv4-address|ipv6-address>
|
|
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575>
set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575>
|
|
dhcpv6: T3316: Extend scope of DHCP options, bugfixes
|
|
Add util function to set serial console speed in accordance with revised
GRUB file structure; in keeping with the intentions of the config_mode
script, adjust the GRUB var 'console_speed' to only modify ttyS0.
|
|
|
|
By default we use mode `none` for containers
Unit uses KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update the
service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
|
|
T5922: firewall: fix intra-zone filtering parsing rules; update firew…
|
|
image-tools: T5910: explicitly set transmission speed of serial console
|
|
smoketest
|
|
This reverts commit 800c85a20a00278ab07bbcccd85b753b1ca31e21.
|
|
GRUB defaults to 9600 in case of serial console; explicitly set to
115200.
|
|
This is useful to send the journal logs to external syslog servers
|
|
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp
|
|
dhcp: T3316: T5787: T5912: Extend scope of DHCP options, bugfixes
|
|
supported by Kea
|
|
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp
services.
Added completionHelp to default-pool and next-pool.
Fixed verification in vpn l2tp config script.
|
|
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
|
|
pki: T5886: add support for ACME protocol (LetsEncrypt)
|