summaryrefslogtreecommitdiff
path: root/data
AgeCommit message (Collapse)Author
2023-11-01T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-10-23T5637: Firewall: add new rule at the end of base chains for default-actions. ↵Nicolas Fort
This enables logs capabilities for default-action in base chains.
2023-10-22bonding: T5254: Fixed changing ethernet when it is a bond memberaapostoliuk
If ethernet interface is a bond memeber: 1. Allow for changing only specific parameters which are specified in EthernetIf.get_bond_member_allowed_options function. 2. Added inheritable parameters from bond interface to ethernet interface which are scpecified in BondIf.get_inherit_bond_options. Users can change inheritable options under ethernet interface but in commit it will be copied from bond interface. 3. All other parameters are denied for changing. Added migration script. It deletes all denied parameters under ethernet interface if it is a bond member. (cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)
2023-10-20T5541: firewall: re-add zone-based firewall.Nicolas Fort
2023-10-14pmacct: T5232: Fixed pmacct service control via systemctlzsdc
pmacct daemons have one very important specific - they handle control signals in the same loop as packets. And packets waiting is blocking operation. Because of this, when systemctl sends SIGTERM to uacctd, this signal has no effect until uacct receives at least one packet via nflog. In some cases, this leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks. As a result, a working folder is not cleaned properly. This commit contains several changes to fix service issues: - add a new nftables table for pmacct with a single rule to get the ability to send a packet to nflog and unlock uacctd - remove PID file options from the uacctd and a systemd service file. Systemd can detect proper PID, and PIDfile is created by uacctd too late, which leads to extra errors in systemd logs - KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and the core process exits with status 1 because it loses connection to plugins too early. As a result, we have errors in logs, and the systemd service is in a failed state. - added logging to uacctd - systemctl service modified to send packets to specific address during a service stop which unlocks uacctd and allows systemctl to finish its work properly (cherry picked from commit e364e9813b6833f6b108e7177ef7ea2d9e7bac33)
2023-10-10http-api: T2612: reload server within configsession for api self-configJohn Estabrook
(cherry picked from commit 93d2ea7d635c7aa5acf3000654393ea48b7c6405)
2023-10-07pppoe: T5630: allow to specify MRU in addition to already configurable MTUChristian Breunig
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send packets of no more than n bytes. The value of n must be between 128 and 16384, the default was always 1492 to match PPPoE MTU. A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280. CLI: set interfaces pppoe pppoe0 mru 1280 (cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
2023-09-28mdns: T5615: Rename avahi-daemon config fileIndrajit Raychaudhuri
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the convention used by other config files. (cherry picked from commit 3a3123485f2ea7b253caa1c49f19c82a0eaa0b37)
2023-09-28mdns: T5615: Allow controlling IP version to use for mDNS repeaterIndrajit Raychaudhuri
This commit adds a new configuration option to the mDNS repeater service to allow controlling which IP version to use for mDNS repeater. Additionally, publishing AAAA record over IPv4 and A record over IPv6 is disabled as suggested. See: - https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104 - https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2 (cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)
2023-09-27conf-mode: T5412: add support for supplemental dependency definitionsJohn Estabrook
Add support for defining config-mode dependencies in add-on packages. (cherry picked from commit d9ad551816e34f38280534ad75d267697e4f096f)
2023-09-26Merge pull request #2311 from vyos/mergify/bp/sagitta/pr-2308Christian Breunig
firewall: T5160: Remove zone policy op-mode (backport #2308)
2023-09-26rpki: T2044: add to daemons Jinja2 templateChristian Breunig
This is a combined backport of commits: * a4aad1120 - frr: T5591: hint about daemons that always run and can't be disabled * d9d2b2b96 - frr: T5591: cleanup of daemons file * 40503a9d7 - T2044: RPKI doesn't boot properly
2023-09-26firewall: T5160: Remove zone policy op-modesarthurdev
(cherry picked from commit 9b9b37e9cbb225eaacac2ad8cb03bef735fed117)
2023-09-22Merge pull request #2291 from vyos/mergify/bp/sagitta/pr-2284Christian Breunig
bgp: T5596: add new features from FRR 9 (backport #2284)
2023-09-21T5602: Reverse-proxy add option backup for backend serverViacheslav Hletenko
A `backup` server can be defined to take over in the case of all other backends failing set load-balancing reverse-proxy backend <tag> server <tag> address '192.0.2.3' set load-balancing reverse-proxy backend <tag> server <tag> port '8883' set load-balancing reverse-proxy backend <tag> server <tag> backup (cherry picked from commit cb297aea56da91144c53be1f396b64a26a8e5b04)
2023-09-19bgp: T5596: add new features from FRR 9Christian Breunig
* Add BGP Software Version capability (draft-abraitis-bgp-version-capability) set protocols bgp neighbor 192.0.2.1 capability software-version * Add BGP neighbor path-attribute treat-as-withdraw command set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw (cherry picked from commit d285355716708a46767c18661976906812da8a3c)
2023-09-19isis: T5597: add new features from FRR 9Christian Breunig
* Add support for IS-IS advertise-high-metrics set protocols isis advertise-high-metrics * Add support for IS-IS advertise-passive-only set protocols isis advertise-passive-only (cherry picked from commit f7d35c15256ea74ab32c9b978a5c6fdbd659a7a0)
2023-09-16frr: T2472: disable eigrp daemonChristian Breunig
There is no EIGRP support in VyOS 1.4/sagitta
2023-09-15T5586: Disable by default SNMP for Keeplived VRRP serviceViacheslav Hletenko
AgentX does not work stable. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured. set high-availability vrrp snmp (cherry picked from commit 47875457cd8b176f7f23a3141175d745aeb14d8a)
2023-09-14Merge pull request #2212 from sever-sever/T5480-sagDaniil Baturin
T5480: Ability to disable SNMP for keepalived service VRRP
2023-09-13T5576: Add BGP remove-private-as all optionViacheslav Hletenko
Add the ability to use the option all for remove-private-as. Remove private ASNs in outbound updates. all - Apply to all AS numbers set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all (cherry picked from commit d72024b11e127cc11931cfaee4d07944dceb1ea9)
2023-09-10T3655: Fix NAT problem with VRFYuxiang Zhu
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/ adds direction support for conntrack zones, which makes it possible to do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host. According to the description of the kernel patch: > ... overlapping tuples can be made unique with the zone identifier in original direction, where the NAT engine will then allocate a unique tuple in the commonly shared default zone for the reply direction. I did some basic tests in my lab and it worked fine to forward packets from eth0 to pppoe0. - eth0 192.168.1.1/24 in VRF red - pppoe0 dynamic public IP from ISP VRF default - set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default' - set protocols static route 192.168.1.0/24 interface eth0 vrf 'red' `conntrack -L` shows something like: ``` tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1 ``` It would be much appreciated if someone could test this with more complex VRF setup.
2023-09-06T5480: Ability to disable SNMP for keepalived service VRRPViacheslav Hletenko
By default we enable `--snmp` for keepalived unit service Add ability to disable it set high-availability vrrp disable-snmp (cherry picked from commit 5ae730a52de2f284e45cd433bb0cf66c8508f2f7)
2023-09-05Merge pull request #2210 from sever-sever/T5548-sagViacheslav Hletenko
T5548: Fix load-balancing reverse-proxy timeouts
2023-09-05T5548: Fix load-balancing reverse-proxy timeoutsViacheslav Hletenko
By default haproxy uses timeouts in millisecond but we set timeouts in seconds from CLI Fix template to use 'seconds' units (cherry picked from commit 257019520c49c20824b7e5cad01d2d29ef5f62e6)
2023-09-05T2958: Refactor DHCP-server systemd unit and leaseViacheslav Hletenko
Render isc-dhcp-server systemd unit from configuration
2023-09-03T5543: IGMP: fix source address handling in static joinsYuxiang Zhu
The following command expects to join source-specific multicast group 239.1.2.3 on interface eth0, where the source address is 192.0.2.1. set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1 This command should generate FRR config: interface eth0 ip igmp ip igmp join 239.1.2.3 192.0.2.1 exit However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]` is mostly evaluated as `false` because `iface` is a loop variable from another loop.
2023-09-03ipoe: T5542: fix Jinja2 template and add missing dhcp relay configNiklas Polte
2023-09-03wireless: T5540: use elif in Jinja2 template for VHT channel widthChristian Breunig
2023-09-02wireless: T5540: fix VHT capability settings for 802.11acalainlamar
2023-08-26firewall: T5080: Disable conntrack unless required by rulessarthurdev
2023-08-25firewall: T5160: Remove unused zone templatesarthurdev
2023-08-25interface: T3509: Add per-interface IPv6 source validationsarthurdev
2023-08-25firewall: T3509: Add support for IPv6 return path filteringsarthurdev
2023-08-23Merge pull request #2159 from c-po/t5491-wifiChristian Breunig
wifi: T5491: allow white-/blacklisting station MAC addresses for security
2023-08-23T5448: Add configuration host-name for zabbix-agentViacheslav Hletenko
Ability to configure host-name for zabbix-agent set service monitoring zabbix-agent host-name 'r-vyos'
2023-08-20wifi: T5491: allow white-/blacklisting station MAC addresses for securityChristian Breunig
Station MAC address-based authentication means: * 'allow' accept all clients except the one on the deny list * 'deny' accept only clients listed on the accept list New CLI commands: * set interfaces wireless wlan0 security station-address mode <accept|deny> * set interfaces wireless wlan0 security station-address accept mac <mac> * set interfaces wireless wlan0 security station-address deny mac <mac>
2023-08-19bgp: T5466: rename type on CLI per-nexhop -> per-nexthop for l3vpn MPLS labelsChristian Breunig
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation mode").
2023-08-17T5488: Set correct priority -300 for conntrack entriesViacheslav Hletenko
For conntrack ignore priority must be less then -200
2023-08-17Revert: dhcp: T5428: always release lease from default VRFChristian Breunig
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b A DHCP relese must also be originated from the VRF where the dhclient program is running, else the RELEASE message can not be send through the interface towards the DHCP server. The reason it did not work in the past was because of https://vyos.dev/T5476
2023-08-16 T5466: L3VPN label allocation modefett0
2023-08-15T5271: correct dict path in the template for OpenVPN peer fingerprintDaniil Baturin
2023-08-15T5270: generate 'dh none' unconditionally when dh-params is no presentDaniil Baturin
The condition is useless since OpenVPN simply switches to ECDH in all modes when the classic DH prime is not specified
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewall refactor: fix firewall template for correct rule parsing ↵Nicolas Fort
that contains fqnd and/or geo-ip in base chains. Fix mig script
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: new cli structure. Update jinja templates, python ↵Nicolas Fort
scripts and src firewall
2023-08-10Merge pull request #2140 from sever-sever/T5448Daniil Baturin
T5448: Add service zabbix-agent
2023-08-09openvpn: T5271: add peer certificate fingerprint optionDaniil Baturin
2023-08-09T5448: Add service zabbix-agent version 2Viacheslav Hletenko
Add service zabbix-agent set service zabbix-agent directory '/config/zabbix/' set service zabbix-agent limits buffer-flush-interval '8' set service zabbix-agent limits buffer-size '120' set service zabbix-agent log debug-level 'warning' set service zabbix-agent log size '1' set service zabbix-agent server '192.0.2.5' set service zabbix-agent server-active 192.0.2.5 port '10051' set service zabbix-agent server-active 2001:db8::123