Age | Commit message (Collapse) | Author |
|
routing: T1237: Add new feature failover route
|
|
This add the AdvRASrcAddress configuration option to configure
a source address for the router advertisements. The source
address still must be configured on the system. This is useful
for VRRP setups where you want fe80::1 on the VRRP interface
for cleaner VRRP failovers.
|
|
If no client and network is defined only a `community` config
is created. This also adds the `community6` part
|
|
Failover route allows to install static routes to the kernel routing
table only if required target or gateway is alive
When target or gateway doesn't respond for ICMP/ARP checks this route
deleted from the routing table
Routes are marked as protocol 'failover' (rt_protos)
cat /etc/iproute2/rt_protos.d/failover.conf
111 failover
ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover
$ sudo ip route show proto failover
203.0.113.1 via 192.0.2.1 dev eth0 metric 1
So we can safely flush such routes
|
|
openvpn: T4770: rewrite op-mode show/reset to use vyos.opmode
|
|
|
|
vyos@vyos# show interfaces sstpc
sstpc sstpc10 {
authentication {
password vyos
user vyos
}
server sstp.vyos.net
ssl {
ca-certificate VyOS-CA
}
}
|
|
|
|
L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool
As we can get addresses via RADIUS attributes:
- Framed-IPv6-Prefix
- Delegated-IPv6-Prefix
|
|
Fix l2tp dae server template and python config dict for correctlly
handling Dynamic Authorization Extension server configuration
|
|
Added the generation in the config file /etc/squid/squid.conf
for command: set service webroxy domain-block <domain>
|
|
|
|
|
|
|
|
|
|
Adding the parameters that were missing to the OSPF FRR template.
|
|
The variable 'client' was accidently used where 'network should
have been used. This lead to missing community6 string when
an IPv6 network was defined instead of an IPv6 client.
|
|
Remote TS for transport mode GRE must be remote-address and
not peer name
|
|
Clients supporting this DHCP option (DHCP option 108, RFC 8925) will
disable its IPv4 network stack for configured number of seconds
and operate in IPv6-only mode.
This option is known to work on iOS 15+ and macOS 12.0.1+.
Example command:
```sh
set service dhcp-server shared-network-name LAN6 subnet 192.168.64.0/24 ipv6-only-preferred 0
```
|
|
Commit 66288ccfee ("dns-forwarding: T4578: Rewrite show dns forwarding") added
the implementation for the new standardized op-mode definitions/implementation.
As the API daemon has the proper permissions and also the CLI op-mode calls the
script already with "sudo", there is no need to call "sudo" inside this script,
again.
Also add dns.py to data/op-mode-standardized.json for the GraphQL schema to be
generated.
|
|
so this new group can be used in inbound and outbound matcher
|
|
policy: T2199: T4605: Migrate policy route interface node
|
|
|
|
<name> interface <ifname>`
* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup
* T4605: Rename mangle table to vyos_mangle
|
|
T4789: Ability to get op-mode raw data for PPPoE L2TP SSTP IPoE
|
|
Ability to get 'raw' data sessions and statistics for accel-ppp
protocols IPoE/PPPoE/L2TP/PPTP/SSTP server
|
|
|
|
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
|
|
|
|
`fqdn` node
|
|
|
|
Rewrite op-mode DHCP and DHCPv6 leases to vyos.opmode format
Abbility to show 'raw' format
show dhcp server leases
show dhcpv6 server leases
|
|
T4771: Ability to get raw format for op-mode BGP commands
|
|
Ability to get logs in JSON format
Possible filter by unit. Options for count lines,
UTC time, facility or logs since boot
|
|
This enabled users to also use 2FA/MFA authentication with a radius backend as
there is enough time to enter the second factor.
|
|
|
|
* ExecStop action with defined timeout allows for quicker reboot/shutdown with containers
|
|
|
|
|
|
Ability to configure SSH-server HostKeyAlgorithms.
Specifies the host key signature algorithms that the server
offers. Can accept multiple values.
|
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
|
|
no-php-flag
The nested if statement was not properly evaluated during smoketests making
them fail. There is no need to nest the if's - as a simple string can be
appended by {{ 'foo' if bar is vyos_defined }}
|
|
system login: T874: add 2FA support for local and ssh authentication
|
|
|
|
Due to monitoring telegraf was rewritten - fix template for
inputs.exec plugin
We do not use 'influxdb_configured' in the dictionary anymore and
use just 'influxdb'
|
|
isis: T4739: ISIS segment routing being refactored
|
|
This is to refactor ISIS segment routing to match up with OSPF segment routing.
|
|
firewall: policy: T4741: T4742: Verify zone `from` is defined, autocomplete policy route tables
|
|
ssh: T4716: Ability to configure RekeyLimit data and time
|