| Age | Commit message (Collapse) | Author |
|---|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
(partially cherry-picked from 1f07dcbddfcfdbb9079936ec479c5633934dd547)
|
|
|
|
|
|
|
|
T5586: Disable by default SNMP for Keeplived VRRP service
|
|
T5213: Add accounting-interim-interval option for PPPoE-server
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
(cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
|
|
Add accounting-interim-interval option for PPPoE-server
set service pppoe-server authentication radius accounting-interim-interval '60'
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
|
|
|
|
|
|
T738: add CLI option for PowerDNS local-port
|
|
set service dns forwarding allow-from '192.0.2.0/24'
set service dns forwarding listen-address '192.0.2.11'
set service dns forwarding port '5353'
|
|
Ability to get and parse RADIUS attributes via a shell script and
then execute commands
Ane of the usecases is to create a custom shaper with some smart
Extended scripts receive from PPPoE daemon the following variables:
$1 - Interface name
$4 - Tunnel GW IP address
$5 - Delegated IP address to the client
$6 - Calling Station ID (MAC)
if [ -f /run/accel-pppd/radattr.$1 ]; then
true
fi
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
set high-availability vrrp group <name> version 2|3
(cherry picked from commit 6ca308182a7891e600a2e8749f7b12b566005576)
|
|
Allow syslog messages to be sent through a VRF (e.g. management).
(cherry picked from commit 46d2bcdb0b500b4d1b9d973ab5b9ca3c6cf44e51)
|
|
Added a new service that starts before Cloud-init, waits for all network
interfaces initialization, and if requested by config, checks which interfaces
can get configuration via DHCP server and creates a corresponding Cloud-init
network configuration.
This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant
for any data source which depends on network), but the real network is connected
to another interface
* when Cloud-init starts simultaneously with udev and initializes the first
interface to get meta-data before it is renamed to eth0 by udev
|
|
T4727: Add RADIUS rate-limit attribute for vpn pptp
|
|
T5152: Get default hostname for telegraf from FQDN or hostname
|
|
Fix for Telegraf agent hostname isn't qualified
Try to get the hostname from FQDN and then from the hostname
Used for metrics
You may have more than one machine with different domain names
r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost
It helps to detect from which exactly host we get metrics for
InfluxDB2
|
|
|
|
Add rate-limit attribute, multiplier, vendor specific attribute
for the [shaper] section
|
|
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
(cherry picked from commit fe82d86d3e87cb8d92ebc9d0652c08e3dd79a12c)
|
|
Fix incorrect regex '\d+' when used vlan ranges
For example 'ipoe-server interface eth1 vlan 2000-3000'
- replace 'interface=re:eth1\.\d+'
=> 'interface=re:^eth1\.(200\d|20[1-9]\d|2[1-9]\d{2}|3000)$'
|
|
T4971: PPPoE server add named ip pool and attr Framed-Pool
|
|
T1993: PPPoE-server add section shaper and fwmark option
|
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
(cherry-picked form commit bd9416a6aa9d5d0a746dc2cebc8d0330fd27d1a2)
|
|
Add a new feature to allow to use named pools
Also it can be used with RADIUS attribute 'Framed-Pool'
set service pppoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service pppoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
Extended PPPoE-server rate-limiter to avoid shaping marked resources
Often this feature needs for ISP, which provides access to some IX
or its resources.
set service pppoe-server shaper fwmark '223'
|
|
Minimum acceptable MTU. If client will try to negotiate less then
specified MTU then it will be NAKed or disconnected if rejects
greater MTU.
Change 'min-mtu' from 1492 to 1280 for 1.3.3
|
|
Some ISPs seem to use the host-uniq flag to authenticate client equipment.
Add CLI option in VyOS to allow specification of the host-uniq flag.
set interfaces pppoe pppoeN host-uniq <value>
(cherry-picked from commit 38bab79324087df5a9057c23b85a0a784c09540a)
|
|
[1.3] T4832: dhcp: Add dhcp option to signal IPv6-only support (RFC 8925)
|
|
(cherry picked from commit 87cc636bd2baf576a2a5ece7a4f8318eb4f69c2e)
|
|
|
|
T4809: radvd: (Backport) Allow the use of AdvRASrcAddress
|
|
Commit 13071a4a ("T4809: radvd: Allow the use of AdvRASrcAddress") added a new
feature to set the RA source-address. Unfortunately it missed a semicolon.
(cherry picked from commit 4e61fb1f0fd075c5b1a67165204e13f88a7d3015)
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
5. Fixed generation dest local sections in squidGuard.conf
6. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
7. Backported all changes from 1.4 to 1.3 which were made in T3810
8. Fixed webproxy smoketest
|
|
This add the AdvRASrcAddress configuration option to configure
a source address for the router advertisements. The source
address still must be configured on the system. This is useful
for VRRP setups where you want fe80::1 on the VRRP interface
for cleaner VRRP failovers.
|
|
Clients supporting this DHCP option (DHCP option 108, per RFC 8925) will
disable its IPv4 network stack for configured number of seconds
and operate in IPv6-only mode.
Example clients supporting this option including iOS 15+ and macOS 12.0.1+.
|
|
This is a backport of https://github.com/vyos/vyos-1x/pull/1656.
Note I also changed `ip-down.script.tmpl` to not wait for `systemctl
stop dhcp6c@$iface.service`, because that command is slow and pppd will
kill the ip-down script if it times out.
I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch.
Not sure if there is another mechanism to handle that functionality or
it is missed.
|
|
ddclient: T4743: Add option for IPv6 Dynamic DNS
|
|
conntrack-sync: T4730: Fix listen-address jinja2 template
|
|
Fix correct format for prometheus listen-address when we use
IPv6 address, we must use square 'brackets'
http://[2001:db8::11e]:9273
|
|
Listen address has option 'multi'
As result we have an incorrect template value for listen-address
- conntrack-sync listen-address '192.0.2.11' in template
It looks like "IPv4_address ['192.0.2.11']" in the conntrackd.conf
but the correct string expected without brackets
Fix it
|
|
Allow to set IPv6 address for Dynamic DNS
set service dns dynamic interface eth2 ipv6-enable
|
|
Adds a sysctl parameter to ignore the default router obtained from
router advertisements when pppoe default-route is set to 'none'.
|
|
ocserv: openconnect: T4614: add support for split-dns (equuleus)
|
|
Add protocol23format for rsyslog protocol UDP
Add ability to use IPv6 addresses (bracketize_ipv6) for
protocol TCP and UDP, when protocol is configured explicity
|
