Age | Commit message (Collapse) | Author |
|
|
|
|
|
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
|
|
zone-policy
|
|
keepalived: T4109: Add high-availability virtual-server
|
|
Add new feature, high-availability virtual-server
Change XML, python and templates
Move vrrp to root node 'high-availability' as all logic are
handler by root node 'high-availability'
|
|
firewall: T4130: Fix firewall state-policy errors
|
|
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
|
|
monitoring: T3872: Add a new feature service monitoring
|
|
|
|
* 'firewall' of https://github.com/sarthurdev/vyos-1x:
zone_policy: T3873: Implement intra-zone-filtering
policy: T2199: Migrate policy route op-mode to XML/Python
policy: T2199: Migrate policy route to XML/Python
zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
zone-policy: T2199: Migrate zone-policy to XML/Python
firewall: T2199: Migrate firewall op-mode to XML/Python
firewall: T2199: Migrate firewall to XML/Python
|
|
Add priority for policy based IPSec VPN tunnels
If 2 tunnels have the same pair of local and remote traffic
selectors (prefixes) it allows to set more preforable install
policy from required peer
The lowest priority is more preforable
|
|
Commit 566f7f24 ("snmp: T4124: migrate to get_config_dict()") changed the
internal structure to support vyos-configd. When using SNMPv3 we need to
alter the running config by replacing the plaintext-password with an encrypted
one, this is not allowed with vyos-configd.
|
|
|
|
IPv6 addresses on webproxy/SQUID where not added correctly.
They need to be added in brackets.
Modified squid.conf.tmpl to bracketize the address
|
|
Peer name must not contain dots and colons, otherwise
swanct can't generate correct configuration for swanctl.conf
This is used in connection names and child SA names
Add filter 'dot_colon_to_dash' which replace dots and colons
|
|
syslog: T4039: Add protocol23format logging for UDP
|
|
Add protocol23format for rsyslog protocol UDP
Add ability to use IPv6 addresses (bracketize_ipv6) for
protocol TCP and UDP, when protocol is configured explicity
|
|
Add XML for required 'virtual-server' configuration commands
|
|
|
|
|
|
|
|
|
|
|
|
* t4097-flow-accounting:
flow-accounting: T4106: support specification of capture packet length
flow-accounting: T4105: drop "sflow agent-address auto"
flow-accounting: T4099: rename "netflow source-ip" to source-address
flow-accounting: T4097: move to get_config_dict()
|
|
|
|
sFlow uses the source-address CLI node and netflow uses source-ip this is just
confusing and should be synced to the common source-address CLI node.
|
|
|
|
keepalived: T4081: Fix health-checking when syn-group is used
|
|
|
|
If health-check scripts are used in vrrp group and vrrp group
is membmer of sync-group, then health-check scripts should be
part of the section "vrrp_sync_group". In other case the
health-scripts won't work anymore.
|
|
logs: T3774: Added CLI options to control atop logs rotation
|
|
* Added proper handling of default values from CLI.
* Replaced rsyslog restart postrotate action to native `rsyslog-rotate`
script.
* Removed unnecessary checks for `None` instead `dict` - with
default values the situation becomes impossible.
* Fixed default value from 10 to 1 in the rsyslog CLI.
|
|
Added the ability to control the `/var/log/messages` rotation.
Renamed the option `maxsize` to `max-size`.
|
|
|
|
The BGP conditional advertisement feature uses the non-exist-map or the
exist-map and the advertise-map keywords of the neighbor advertise-map command
in order to track routes by the route prefix.
non-exist-map
=============
* If a route prefix is not present in the output of non-exist-map command, then
advertise the route specified by the advertise-map command.
* If a route prefix is present in the output of non-exist-map command, then do
not advertise the route specified by the addvertise-map command.
exist-map
=========
* If a route prefix is present in the output of exist-map command, then
advertise the route specified by the advertise-map command.
* If a route prefix is not present in the output of exist-map command, then do
not advertise the route specified by the advertise-map command.
This feature is useful when some prefixes are advertised to one of its peers
only if the information from the other peer is not present (due to failure in
peering session or partial reachability etc).
The conditional BGP announcements are sent in addition to the normal
announcements that a BGP router sends to its peer.
CLI nodes can be found under:
* set protocols bgp neighbor <ip> address-family <afi> conditional-advertisement
* set protocols bgp peer-group <p> address-family <afi> conditional-advertisement
|
|
This command is applicable at the global level and at an individual bgp level.
If applied at the global level all bgp instances will wait for fib installation
before announcing routes and there is no way to turn it off for a particular
BGP vrf.
|
|
Administrative shutdown of all peers of a bgp instance. Drop all BGP peers,
but preserve their configurations. The peers are notified in accordance with
RFC 8203 by sending a NOTIFICATION message with error code Cease and subcode
Administrative Shutdown prior to terminating connections.
This global shutdown is independent of the neighbor shutdown, meaning that
individually shut down peers will not be affected by lifting it.
|
|
This command enables rejection of incoming and outgoing routes having AS_SET
or AS_CONFED_SET type.
|
|
This command allows user to prevent session establishment with BGP peers with
lower holdtime less than configured minimum holdtime.
When this command is not set, minimum holdtime does not work.
|
|
Whenever BGP peer address becomes unreachable we must bring down the BGP
session immediately. Currently only single-hop EBGP sessions are brought down
immediately. IBGP and multi-hop EBGP sessions wait for hold-timer expiry to
bring down the sessions.
This new configuration option helps user to teardown BGP sessions immediately
whenever peer becomes unreachable.
This configuration is available at the bgp level. When enabled, configuration
is applied to all the neighbors configured in that bgp instance.
|
|
Set the period to rerun the conditional advertisement scanner process.
The default is 60 seconds.
|
|
|
|
|
|
|
|
T562: Config syntax for defining DNS forward authoritative zones
|
|
Added CLI options to generate logrotate configuration file for atop logs
|
|
pppoe-server: T3006: Add range to regex generator
|
|
|
|
|