summaryrefslogtreecommitdiff
path: root/data/templates
AgeCommit message (Collapse)Author
2023-09-28mdns: T5615: Allow controlling IP version to use for mDNS repeaterIndrajit Raychaudhuri
This commit adds a new configuration option to the mDNS repeater service to allow controlling which IP version to use for mDNS repeater. Additionally, publishing AAAA record over IPv4 and A record over IPv6 is disabled as suggested. See: - https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104 - https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2 (cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)
2023-09-26rpki: T2044: add to daemons Jinja2 templateChristian Breunig
This is a combined backport of commits: * a4aad1120 - frr: T5591: hint about daemons that always run and can't be disabled * d9d2b2b96 - frr: T5591: cleanup of daemons file * 40503a9d7 - T2044: RPKI doesn't boot properly
2023-09-22Merge pull request #2291 from vyos/mergify/bp/sagitta/pr-2284Christian Breunig
bgp: T5596: add new features from FRR 9 (backport #2284)
2023-09-21T5602: Reverse-proxy add option backup for backend serverViacheslav Hletenko
A `backup` server can be defined to take over in the case of all other backends failing set load-balancing reverse-proxy backend <tag> server <tag> address '192.0.2.3' set load-balancing reverse-proxy backend <tag> server <tag> port '8883' set load-balancing reverse-proxy backend <tag> server <tag> backup (cherry picked from commit cb297aea56da91144c53be1f396b64a26a8e5b04)
2023-09-19bgp: T5596: add new features from FRR 9Christian Breunig
* Add BGP Software Version capability (draft-abraitis-bgp-version-capability) set protocols bgp neighbor 192.0.2.1 capability software-version * Add BGP neighbor path-attribute treat-as-withdraw command set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw (cherry picked from commit d285355716708a46767c18661976906812da8a3c)
2023-09-19isis: T5597: add new features from FRR 9Christian Breunig
* Add support for IS-IS advertise-high-metrics set protocols isis advertise-high-metrics * Add support for IS-IS advertise-passive-only set protocols isis advertise-passive-only (cherry picked from commit f7d35c15256ea74ab32c9b978a5c6fdbd659a7a0)
2023-09-16frr: T2472: disable eigrp daemonChristian Breunig
There is no EIGRP support in VyOS 1.4/sagitta
2023-09-15T5586: Disable by default SNMP for Keeplived VRRP serviceViacheslav Hletenko
AgentX does not work stable. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured. set high-availability vrrp snmp (cherry picked from commit 47875457cd8b176f7f23a3141175d745aeb14d8a)
2023-09-14Merge pull request #2212 from sever-sever/T5480-sagDaniil Baturin
T5480: Ability to disable SNMP for keepalived service VRRP
2023-09-13T5576: Add BGP remove-private-as all optionViacheslav Hletenko
Add the ability to use the option all for remove-private-as. Remove private ASNs in outbound updates. all - Apply to all AS numbers set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all (cherry picked from commit d72024b11e127cc11931cfaee4d07944dceb1ea9)
2023-09-10T3655: Fix NAT problem with VRFYuxiang Zhu
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/ adds direction support for conntrack zones, which makes it possible to do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host. According to the description of the kernel patch: > ... overlapping tuples can be made unique with the zone identifier in original direction, where the NAT engine will then allocate a unique tuple in the commonly shared default zone for the reply direction. I did some basic tests in my lab and it worked fine to forward packets from eth0 to pppoe0. - eth0 192.168.1.1/24 in VRF red - pppoe0 dynamic public IP from ISP VRF default - set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default' - set protocols static route 192.168.1.0/24 interface eth0 vrf 'red' `conntrack -L` shows something like: ``` tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1 ``` It would be much appreciated if someone could test this with more complex VRF setup.
2023-09-06T5480: Ability to disable SNMP for keepalived service VRRPViacheslav Hletenko
By default we enable `--snmp` for keepalived unit service Add ability to disable it set high-availability vrrp disable-snmp (cherry picked from commit 5ae730a52de2f284e45cd433bb0cf66c8508f2f7)
2023-09-06firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfacessarthurdev
2023-09-06interface: T5550: Interface source-validation priority over global valuesarthurdev
- Migrate IPv4 source-validation to nftables - Interface source-validation value takes priority, fallback to global value
2023-09-05Merge pull request #2210 from sever-sever/T5548-sagViacheslav Hletenko
T5548: Fix load-balancing reverse-proxy timeouts
2023-09-05T5548: Fix load-balancing reverse-proxy timeoutsViacheslav Hletenko
By default haproxy uses timeouts in millisecond but we set timeouts in seconds from CLI Fix template to use 'seconds' units (cherry picked from commit 257019520c49c20824b7e5cad01d2d29ef5f62e6)
2023-09-05T2958: Refactor DHCP-server systemd unit and leaseViacheslav Hletenko
Render isc-dhcp-server systemd unit from configuration
2023-09-03T5543: IGMP: fix source address handling in static joinsYuxiang Zhu
The following command expects to join source-specific multicast group 239.1.2.3 on interface eth0, where the source address is 192.0.2.1. set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1 This command should generate FRR config: interface eth0 ip igmp ip igmp join 239.1.2.3 192.0.2.1 exit However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]` is mostly evaluated as `false` because `iface` is a loop variable from another loop.
2023-09-03ipoe: T5542: fix Jinja2 template and add missing dhcp relay configNiklas Polte
2023-09-03wireless: T5540: use elif in Jinja2 template for VHT channel widthChristian Breunig
2023-09-02wireless: T5540: fix VHT capability settings for 802.11acalainlamar
2023-08-26firewall: T5080: Disable conntrack unless required by rulessarthurdev
2023-08-25firewall: T5160: Remove unused zone templatesarthurdev
2023-08-25interface: T3509: Add per-interface IPv6 source validationsarthurdev
2023-08-25firewall: T3509: Add support for IPv6 return path filteringsarthurdev
2023-08-23Merge pull request #2159 from c-po/t5491-wifiChristian Breunig
wifi: T5491: allow white-/blacklisting station MAC addresses for security
2023-08-23T5448: Add configuration host-name for zabbix-agentViacheslav Hletenko
Ability to configure host-name for zabbix-agent set service monitoring zabbix-agent host-name 'r-vyos'
2023-08-20wifi: T5491: allow white-/blacklisting station MAC addresses for securityChristian Breunig
Station MAC address-based authentication means: * 'allow' accept all clients except the one on the deny list * 'deny' accept only clients listed on the accept list New CLI commands: * set interfaces wireless wlan0 security station-address mode <accept|deny> * set interfaces wireless wlan0 security station-address accept mac <mac> * set interfaces wireless wlan0 security station-address deny mac <mac>
2023-08-19bgp: T5466: rename type on CLI per-nexhop -> per-nexthop for l3vpn MPLS labelsChristian Breunig
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation mode").
2023-08-17Revert: dhcp: T5428: always release lease from default VRFChristian Breunig
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b A DHCP relese must also be originated from the VRF where the dhclient program is running, else the RELEASE message can not be send through the interface towards the DHCP server. The reason it did not work in the past was because of https://vyos.dev/T5476
2023-08-16 T5466: L3VPN label allocation modefett0
2023-08-15T5271: correct dict path in the template for OpenVPN peer fingerprintDaniil Baturin
2023-08-15T5270: generate 'dh none' unconditionally when dh-params is no presentDaniil Baturin
The condition is useless since OpenVPN simply switches to ECDH in all modes when the classic DH prime is not specified
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewall refactor: fix firewall template for correct rule parsing ↵Nicolas Fort
that contains fqnd and/or geo-ip in base chains. Fix mig script
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: new cli structure. Update jinja templates, python ↵Nicolas Fort
scripts and src firewall
2023-08-10Merge pull request #2140 from sever-sever/T5448Daniil Baturin
T5448: Add service zabbix-agent
2023-08-09openvpn: T5271: add peer certificate fingerprint optionDaniil Baturin
2023-08-09T5448: Add service zabbix-agent version 2Viacheslav Hletenko
Add service zabbix-agent set service zabbix-agent directory '/config/zabbix/' set service zabbix-agent limits buffer-flush-interval '8' set service zabbix-agent limits buffer-size '120' set service zabbix-agent log debug-level 'warning' set service zabbix-agent log size '1' set service zabbix-agent server '192.0.2.5' set service zabbix-agent server-active 192.0.2.5 port '10051' set service zabbix-agent server-active 2001:db8::123
2023-08-07dhcp: T5428: always release lease from default VRFChristian Breunig
Otherwise packet can be received in a VRF that was already deleted. Image of the following CLI commands: del interface ethernet eth0 address dhcp del interface ethernet eth0 vrf red del vrf name red VRF could be deleted even if dhclient release was not yet completely processed.
2023-08-07T5446: BGP: change <bgp paramater bestpath med> from node to leafNode, in ↵Nicolas Fort
order to avoid empty value and problems when removing such parameters
2023-08-06dyndns: T5445: add possibility to specify update interval (timeout)Christian Breunig
set service dns dynamic timeout <60-3600>
2023-08-05dhcpv6: T5428: client renewal fails when running inside VRFChristian Breunig
2023-08-05dhcp: T5428: remove hardcoded path to client runtime directoriesChristian Breunig
2023-08-04dhcp: T5428: client renewal fails when running inside VRFChristian Breunig
vyos@vyos# run show vrf MGMT processes 2282 sshd There is no dhclient process running in given VRF. dhclient complains it can not send out packets via the given interface (as it's not bound to that VRF) Aug 02 20:29:54 dhclient[1686]: send_packet: Network is unreachable Aug 02 20:29:54 dhclient[1686]: send_packet: please consult README file regarding broadcast address. Aug 02 20:29:54 dhclient[1686]: dhclient.c:3001: Failed to send 300 byte long packet over fallback interface.
2023-08-04frr: T5415: make mgmtd only listen on localhostChristian Breunig
2023-08-04dns: T4353: fix warning "Wait at least 5 minutes between update attempts"Christian Breunig
2023-07-31dhcpv6-pd: T5387: add support for no-release flag1vivy
When no-release is specified, dhcp6c client will not release allocated address or prefix on client exit. vyos.ifconfig: dhcpv6: T5387: re-use options_file for no release flag [WIP] * Todo: render Jinja2 template and fill it vyos.ifconfig: dhcpv6: T5387: finish options_file and no release flag in cli vyos.ifconfig: dhcpv6: T5387: fix missing/wrong end tag vyos.ifconfig: dhcpv6: T5387: fix options, no var for -n dhcpv6-client: T5387: fix missing / from filepaths
2023-07-27Merge pull request #2105 from sever-sever/T5368Daniil Baturin
T5368: service ids ddos-protection add support sflow mode