path: root/data
Age | Commit message | Author
2024-04-02 | ssh: T6192: allow binding to multiple VRF instances | Christian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF. (cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
2024-04-01 | bgp: T6010: Allow configuration of disable-ebgp-connected-route-check | fett0
(cherry picked from commit 010c4061a8884a3617368f3618a425dc517d0675)
2024-04-01 | dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domains | Christian Breunig
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which was present to update /etc/resolv.conf with the DHCP specified nameservers and also the search domain list was no longer present. This commit adds a per interface rendered script to inform vyos-hostsd about the received IPv6 nameservers and search domains. (cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
2024-03-28 | T5832: VRRP allow set interface for excluded-address | Viacheslav Hletenko
Ability to set interface for `excluded-address`

The excluded-addresses are not listed in the VRRP packet (adverts packets). We have this ability for `address`, add the same feature for the excluded-address

```
set high-availability vrrp group GRP-01 excluded-address 192.0.2.202 interface 'dum2'
set high-availability vrrp group GRP-01 excluded-address 192.0.2.203 interface 'dum3'
```

(cherry picked from commit 0daf445abcd00446da21fe0220d41d5fdde95ebd)
2024-03-28 | T5872: re-write exit hook to always regenerate config | Lucas Christian
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
2024-03-28 | T5872: fix ipsec dhclient exit hook | Lucas Christian
(cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f)
2024-03-28 | T5872: ipsec remote access VPN: support dhcp-interface. | Lucas Christian
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
2024-03-28 | op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interface | Christian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes

    root 47812  4.7 0.0  5848  3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
    root 48121  0.0 0.0  4188  3072 ? S  00:30 0:00  \_ /bin/sh /sbin/dhclient-script
    root 48148 50.0 0.2 18776 11264 ? R  00:30 0:00      \_ python3 -

Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER

    vyos@vyos:~$ show interfaces
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface    IP Address         MAC                VRF        MTU  S/L    Description
    -----------  -----------------  -----------------  -------  -----  -----  -------------
    eth0         -                  00:50:56:bf:c5:6d  default   1500  u/u
    eth0.10      172.16.33.102/24   00:50:56:bf:c5:6d  default   1500  u/u
    eth1         172.16.33.131/24   00:50:56:b3:38:c5  default   1500  u/u

172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.

This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for actually has a DHCP address configured. In addition, this exposes the renew feature to the API.

(cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
2024-03-13 | radvd: T6118: add nat64prefix support RFC8781 | Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600.

    set service router-advert interface eth1 nat64prefix 64:ff9b::/96

(cherry picked from commit f1ead5c6a16aba00699b8a5b9c18ef6cffe8cc4d)
2024-03-12 | vrrp: T6020: vrrp health-check script not applied correctly in keepalived.conf | khramshinr
Added health-check to sync-group in CLI
Don't use instance health-check when instance in sync group member
Disallow wrong health-check configurations
New smoke test
2024-03-07 | http-api: T6107: add an option to increase the request body size limit | Daniil Baturin
(cherry picked from commit 4792d39bb84991768404f69ff807e43a9979a79e)
2024-03-07 | snmp: T2998: SNMP v3 oid "exclude" option fix | Nataliia Solomko
(cherry picked from commit 77a25e95da48549f2791b677f4ba187e547b1c6a)
2024-03-06 | conntrack-sync: T6057: Add ability to disable syslog for conntrackd | Nataliia Solomko
(cherry picked from commit c37fb4010c50a18029d6c680c42fceb3b8930dbd)
2024-03-05 | T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug | Viacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue (cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
2024-03-02 | Merge pull request #3075 from vyos/mergify/bp/sagitta/pr-3070 | Daniil Baturin
banner: T6077: dehardcode URLs in MOTD template (backport #3070)
2024-03-02 | ospf: T5717: sync code with ospfv3 implementation | Christian Breunig
(cherry picked from commit 298bcc5cb90c4c83981ec4baaaa0db785306867d)
2024-03-02 | ospfv3: T5717: allow metric and metric-type on redistributed routes | Christian Breunig
Example:

    vyos@vyos# set protocols ospfv3 redistribute bgp
    Possible completions:
      metric        OSPF default metric
      metric-type   OSPF metric type for default routes (default: 2)
      route-map     Specify route-map name to use

(cherry picked from commit ed2c288c8a9031f91acf76d20b84e2002696981c)
2024-03-02 | banner: T6077: dehardcode URLs in MOTD template | Christian Breunig
Use URLs provided by flavor build system and version.json file (cherry picked from commit a5762cb03f17fd0bc65a19604e505fe94ad42011)
2024-02-29 | vyos-hostsd: T4270: resolve only hostname without domain name to 127.0.1.1 | Christian Breunig
This is a fix for commit 665ae50729 ("vyos-hostsd: T4270: do not resolve local router FQDN to 127.0.1.1") as it made calls to sudo super slow due to:

    sudo: unable to resolve host vyos: System error

To avoid the initial issue we only add the hostname without domain name, thus the FQDN is not resolved by powerdns.

(cherry picked from commit 3712f28025a5bc99e941b5212091a2732b9f6d6c)
2024-02-29 | T5504 Keepalived VRRP ability to set more than one peer-address | Nataliia Solomko
(cherry picked from commit 3480d92a8c4d84e8c1f94a9362bac2be0cc77921)
2024-02-29 | banner: T6077: implement ASCII contest winner default logo | Christian Breunig
Implement VyOS ASCII art contest winners logo as the default for our MOTD (cherry picked from commit 0ea3a454cf560171d3eb9d4d1b97b172c06360fe)
2024-02-28 | vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is required | sarthurdev
(cherry picked from commit 6f7d1e15665655e37e8ca830e28d9650445c1217)
2024-02-28 | vyos-hostsd: T4270: do not resolve local router FQDN to 127.0.1.1 | Christian Breunig
Clients using VyOS as their DNS server and trying to resolve the FQDN of the router will receive 127.0.1.1 as answer.

    set service dns forwarding allow-from '172.16.0.0/12'
    set service dns forwarding listen-address '172.31.0.254'
    set service dns forwarding negative-ttl '60'
    set system domain-name 'vyos.net'
    set system host-name 'R1'

Will return:

    $ host R1.vyos.net 172.31.0.254
    Using domain server:
    Name: 172.31.0.254
    Address: 172.31.0.254#53
    Aliases:

    R1.vyos.net has address 127.0.1.1

When it should rather return the real IP address assigned via DNS.

(cherry picked from commit 665ae5072911fbb1373c393d9b57212552957888)
2024-02-23 | T6054: WLB: fix rules parsing when using multiple ports in one rule | Nicolas Fort
(cherry picked from commit 6d79c73d4fa2d26197c1bc19df215a204af6c5dd)
2024-02-22 | conntrack: T5376: Fix priority for CT helpers | sarthurdev
Ref: https://www.spinics.net/lists/netfilter/msg59549.html (cherry picked from commit 538aeeccc46d31ab54647b67c8a2ba442d61cc46)
2024-02-16 | T6001: add option to disable next-hop-tracking resolve-via-default in VRF context | Christian Breunig
* set vrf name <name> ip nht no-resolve-via-default
* set vrf name <name> ipv6 nht no-resolve-via-default

(cherry picked from commit 0fafc4bcdb9efc03796ddab0832471b11ba1bbe0)
2024-02-16 | T6001: add option to disable next-hop-tracking resolve-via-default | Christian Breunig
* set system ip nht no-resolve-via-default
* set system ipv6 nht no-resolve-via-default

(cherry picked from commit ece0e768f36e52f8964823d891264d7c187204ec)
2024-02-15 | T6029: Rewritten Accel-PPP services to an identical feature set | aapostoliuk
Removed dhcp-interface option (l2tp)
Added wins-server (sstp)
Added description (ipoe, pppoe, sstp, pptp)
Added extended-script (l2tp, sstp, pptp)
Added shaper (ipoe, pptp, sstp, l2tp)
Added limits (ipoe, pptp, sstp, l2tp)
Added snmp (ipoe, pptp, sstp, l2tp)
Refactoring and reformatted code.

(cherry picked from commit ac6a16f6c5ad7700789759e1ec093236c2e182a2)
2024-02-13 | pki: T6034: add dependencies to trigger rpki re-run on openssh key update | Christian Breunig
(cherry picked from commit 0f8bf6bd0fb29cfd638e9920674e7ad1d1d25350)
2024-02-13 | bgp: T6032: add EVPN MAC-VRF Site-of-Origin support | Christian Breunig
In some EVPN deployments it is useful to associate a logical VTEP's Layer 2 domain (MAC-VRF) with a Site-of-Origin "site" identifier. This provides a BGP topology-independent means of marking and import-filtering EVPN routes originated from a particular L2 domain. One situation where this is valuable is when deploying EVPN using anycast VTEPs

    set protocols bgp address-family l2vpn-evpn mac-vrf soo

(cherry picked from commit f308df322bd62024e29dd458642cb6bcac8a5ad6)
2024-02-12 | Merge pull request #2990 from vyos/mergify/bp/sagitta/pr-2980 | Christian Breunig
srv6: T5849: add segment support to "protocols static route6" (backport #2980)
2024-02-11 | srv6: T5849: add segment support to "protocols static route6" | Christian Breunig
* set protocols static route6 <prefix> next-hop <address> segments 'x:x::x:x/y:y::y/z::z'
* set protocols static route6 <prefix> interface <interface> segments 'x:x::x:x/y:y::y/z::z'

(cherry picked from commit b84f7de453f3951945298d95a8a27345ba7d28c3)
2024-02-11 | bgp: T6010: support setting multiple values for neighbor path-attribute | Christian Breunig
(cherry picked from commit a22e0ee09ff4750de004090f1f55ee75a12dc821)
2024-02-09 | T5960: Rewritten authentication node in PPTP to a single view | aapostoliuk
Rewritten authentication node in accel-ppp services to a single view. In particular - PPTP authentication. (cherry picked from commit 018110200c9a82815dd5d0510f0732d7159c0d59)
2024-02-08 | rpki: T6023: add support for CLI knobs expire-interval and retry-interval | Christian Breunig
(cherry picked from commit 17894f6f5d97df7d3ac1cf37ce0e1a96b8fa8e8b)
2024-02-07 | bgp: T6024: add additional missing FRR features | Christian Breunig
* set protocols bgp parameters labeled-unicast <explicit-null | ipv4-explicit-null | ipv6-explicit-null>
* set protocols bgp parameters allow-martian-nexthop
* set protocols bgp parameters no-hard-administrative-reset

(cherry picked from commit fff6004d46c5b939800fc3e61fe2102224625c0d)
2024-02-07 | vpn: T3843: l2tp configuration not cleared after delete | khramshinr
vpn: T5926: IPSEC does not apply after l2tp configuration was changed

added dependency between l2tp and ipsec conf
added test for apply config to swanctl

(cherry picked from commit e697ed1e7fd5c33f8082b2f4f96c42fc822ec9a5)
2024-02-06 | rpki: T6011: known-hosts-file is no longer supported by FRR | Christian Breunig
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
2024-02-03 | ipsec: T5998: add replay-windows setting | Christian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this.

* set vpn ipsec site-to-site peer <name> replay-window <0-2040>

(cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
2024-02-02 | Merge pull request #2928 from vyos/mergify/bp/sagitta/pr-2891 | Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
2024-02-02 | Merge pull request #2921 from vyos/mergify/bp/sagitta/pr-2903 | Viacheslav Hletenko
dns forwarding: T5687: Implement ECS settings for PowerDNS recursor (backport #2903)
2024-02-02 | T5971: Rewritten ppp options in accel-ppp services | aapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP. (cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
2024-02-01 | ddclient: T5966: Adjust dynamic dns config address subpath | Indrajit Raychaudhuri
Modify the dynamic dns configuration 'address' subpath for better clarity on how the address is obtained. Additionally, remove `web-options` and fold those options under the path `address web`.
2024-02-01 | Merge pull request #2925 from vyos/mergify/bp/sagitta/pr-2897 | Christian Breunig
T5989 fix: Add ipv4-prefix as a valid option for UPnP ACLs. (backport #2897)
2024-02-01 | Merge pull request #2924 from vyos/mergify/bp/sagitta/pr-2756 | Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
2024-02-01 | dns forwarding: T5687: Implement ECS settings for PowerDNS recursor | khramshinr
(cherry picked from commit eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f)
2024-02-01 | Merge pull request #2922 from vyos/mergify/bp/sagitta/pr-2854 | Christian Breunig
dns: T5959: Streamline dns forwarding service (backport #2854)
2024-02-01 | upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLs | Chris Buechler
(cherry picked from commit 0307801b8928bbaaa20caf5bd10b928bae459490)
2024-02-01 | T4839: firewall: Add dynamic address group in firewall configuration, and appropriate commands to populate such groups using source and destination address of the packet. | Nicolas Fort
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01 | dns: T5959: Streamline dns forwarding service | Indrajit Raychaudhuri
Streamline configuration and operation of dns forwarding service in following ways:

- Remove `dns_forwarding_reset.py` as its functionality is now covered by `dns.py`
- Adjust function names in `dns.py` to disambiguate between DNS forwarding and dynamic DNS
- Remove `dns_forwarding_restart.sh` as its functionality is inlined in `dns-forwarding.xml`
- Templatize systemd override for `pdns-recursor.service` and move the generated override files in /run. This ensures that the override files are always generated afresh after boot
- Simplify the systemd override file by removing the redundant overrides
- Relocate configuration path for pdns-recursor to `/run/pdns-recursor` and utilize the `RuntimeDirectory` default that pdns-recursor expects
- We do not need to use custom `--socket-dir` path anymore, the default path (viz., `/run/pdns-recursor` is fine)

(cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)