Age | Commit message (Collapse) | Author |
|
as it's done with facility. Create basic smoketest for syslog
(cherry picked from commit c5ae7c9e2a141d92b8a716b3dbe3e5b41ee4aaba)
|
|
firewal, nat and nat66.
(cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
|
|
This enables logs capabilities for default-action in base chains.
|
|
If ethernet interface is a bond memeber:
1. Allow for changing only specific parameters which are specified
in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet
interface which are scpecified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under ethernet interface
but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.
Added migration script. It deletes all denied parameters under
ethernet interface if it is a bond member.
(cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)
|
|
|
|
pmacct daemons have one very important specific - they handle control signals in
the same loop as packets. And packets waiting is blocking operation.
Because of this, when systemctl sends SIGTERM to uacctd, this signal has no
effect until uacct receives at least one packet via nflog. In some cases, this
leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks.
As a result, a working folder is not cleaned properly.
This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to
send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd
can detect proper PID, and PIDfile is created by uacctd too late, which leads
to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and
the core process exits with status 1 because it loses connection to plugins too
early. As a result, we have errors in logs, and the systemd service is in a
failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service
stop which unlocks uacctd and allows systemctl to finish its work properly
(cherry picked from commit e364e9813b6833f6b108e7177ef7ea2d9e7bac33)
|
|
(cherry picked from commit 93d2ea7d635c7aa5acf3000654393ea48b7c6405)
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
(cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
|
|
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the
convention used by other config files.
(cherry picked from commit 3a3123485f2ea7b253caa1c49f19c82a0eaa0b37)
|
|
This commit adds a new configuration option to the mDNS repeater service
to allow controlling which IP version to use for mDNS repeater.
Additionally, publishing AAAA record over IPv4 and A record over IPv6 is
disabled as suggested.
See:
- https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104
- https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
(cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)
|
|
Add support for defining config-mode dependencies in add-on packages.
(cherry picked from commit d9ad551816e34f38280534ad75d267697e4f096f)
|
|
firewall: T5160: Remove zone policy op-mode (backport #2308)
|
|
This is a combined backport of commits:
* a4aad1120 - frr: T5591: hint about daemons that always run and can't be disabled
* d9d2b2b96 - frr: T5591: cleanup of daemons file
* 40503a9d7 - T2044: RPKI doesn't boot properly
|
|
(cherry picked from commit 9b9b37e9cbb225eaacac2ad8cb03bef735fed117)
|
|
bgp: T5596: add new features from FRR 9 (backport #2284)
|
|
A `backup` server can be defined to take over in the case of all other
backends failing
set load-balancing reverse-proxy backend <tag> server <tag> address '192.0.2.3'
set load-balancing reverse-proxy backend <tag> server <tag> port '8883'
set load-balancing reverse-proxy backend <tag> server <tag> backup
(cherry picked from commit cb297aea56da91144c53be1f396b64a26a8e5b04)
|
|
* Add BGP Software Version capability (draft-abraitis-bgp-version-capability)
set protocols bgp neighbor 192.0.2.1 capability software-version
* Add BGP neighbor path-attribute treat-as-withdraw command
set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw
(cherry picked from commit d285355716708a46767c18661976906812da8a3c)
|
|
* Add support for IS-IS advertise-high-metrics
set protocols isis advertise-high-metrics
* Add support for IS-IS advertise-passive-only
set protocols isis advertise-passive-only
(cherry picked from commit f7d35c15256ea74ab32c9b978a5c6fdbd659a7a0)
|
|
There is no EIGRP support in VyOS 1.4/sagitta
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
(cherry picked from commit 47875457cd8b176f7f23a3141175d745aeb14d8a)
|
|
T5480: Ability to disable SNMP for keepalived service VRRP
|
|
Add the ability to use the option all for remove-private-as.
Remove private ASNs in outbound updates.
all - Apply to all AS numbers
set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all
(cherry picked from commit d72024b11e127cc11931cfaee4d07944dceb1ea9)
|
|
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/
adds direction support for conntrack zones, which makes it possible to
do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host.
According to the description of the kernel patch:
> ... overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
I did some basic tests in my lab and it worked fine to forward packets
from eth0 to pppoe0.
- eth0 192.168.1.1/24 in VRF red
- pppoe0 dynamic public IP from ISP VRF default
- set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default'
- set protocols static route 192.168.1.0/24 interface eth0 vrf 'red'
`conntrack -L` shows something like:
```
tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1
```
It would be much appreciated if someone could test this with more
complex VRF setup.
|
|
By default we enable `--snmp` for keepalived unit service
Add ability to disable it
set high-availability vrrp disable-snmp
(cherry picked from commit 5ae730a52de2f284e45cd433bb0cf66c8508f2f7)
|
|
T5548: Fix load-balancing reverse-proxy timeouts
|
|
By default haproxy uses timeouts in millisecond but we set timeouts
in seconds from CLI
Fix template to use 'seconds' units
(cherry picked from commit 257019520c49c20824b7e5cad01d2d29ef5f62e6)
|
|
Render isc-dhcp-server systemd unit from configuration
|
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
Ability to configure host-name for zabbix-agent
set service monitoring zabbix-agent host-name 'r-vyos'
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation
mode").
|
|
For conntrack ignore priority must be less then -200
|
|
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b
A DHCP relese must also be originated from the VRF where the dhclient program is
running, else the RELEASE message can not be send through the interface towards
the DHCP server.
The reason it did not work in the past was because of https://vyos.dev/T5476
|
|
|
|
|
|
The condition is useless since OpenVPN simply switches to ECDH in all modes
when the classic DH prime is not specified
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
that contains fqnd and/or geo-ip in base chains. Fix mig script
|
|
|
|
scripts and src firewall
|
|
T5448: Add service zabbix-agent
|
|
|