Age | Commit message (Collapse) | Author |
|
T5480: Ability to disable SNMP for keepalived service VRRP
|
|
|
|
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
|
|
T5548: Fix load-balancing reverse-proxy timeouts
|
|
T2958: Fix path for leases to config directory
|
|
By default we enable `--snmp` for keepalived unit service
Add ability to disable it
set high-availability vrrp disable-snmp
|
|
The leases path should be in `/config` directory to save leases
between reboots.
The typo was in this commit c07055258b853de641d2a1353582800b24c514d2
Before this the idea was to get leases from `/run` directory only
for livecd images. But then we added `/config` directory for livecd.
PR was modified and incorrect variable directory `/run` was used.
Fix it.
|
|
By default haproxy uses timeouts in millisecond but we set timeouts
in seconds from CLI
Fix template to use 'seconds' units
|
|
T2958: Refactor DHCP-server systemd unit and lease
|
|
Render isc-dhcp-server systemd unit from configuration
|
|
add IPv6 support and firewall groups
|
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
|
|
|
|
|
|
Add AWS load-balancing tunnel handler
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-integrate-linux-instances-with-aws-gateway-load-balancer/
set service aws glb script on-create '/config/scripts/tmp.sh'
set service aws glb script on-destroy '/config/scripts/tmp.sh'
set service aws glb status format 'simple'
set service aws glb status port '8282'
set service aws glb threads tunnel '4'
set service aws glb threads tunnel-affinity '1-2'
set service aws glb threads udp '4'
set service aws glb threads udp-affinity '0-3'
|
|
|
|
|
|
|
|
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
Ability to configure host-name for zabbix-agent
set service monitoring zabbix-agent host-name 'r-vyos'
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation
mode").
|
|
For conntrack ignore priority must be less then -200
|
|
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b
A DHCP relese must also be originated from the VRF where the dhclient program is
running, else the RELEASE message can not be send through the interface towards
the DHCP server.
The reason it did not work in the past was because of https://vyos.dev/T5476
|
|
|
|
|
|
The condition is useless since OpenVPN simply switches to ECDH in all modes
when the classic DH prime is not specified
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
that contains fqnd and/or geo-ip in base chains. Fix mig script
|
|
|
|
scripts and src firewall
|
|
T5448: Add service zabbix-agent
|
|
|
|
Add service zabbix-agent
set service zabbix-agent directory '/config/zabbix/'
set service zabbix-agent limits buffer-flush-interval '8'
set service zabbix-agent limits buffer-size '120'
set service zabbix-agent log debug-level 'warning'
set service zabbix-agent log size '1'
set service zabbix-agent server '192.0.2.5'
set service zabbix-agent server-active 192.0.2.5 port '10051'
set service zabbix-agent server-active 2001:db8::123
|
|
Otherwise packet can be received in a VRF that was already deleted.
Image of the following CLI commands:
del interface ethernet eth0 address dhcp
del interface ethernet eth0 vrf red
del vrf name red
VRF could be deleted even if dhclient release was not yet completely
processed.
|
|
order to avoid empty value and problems when removing such parameters
|
|
set service dns dynamic timeout <60-3600>
|
|
|
|
|
|
vyos@vyos# run show vrf MGMT processes
2282 sshd
There is no dhclient process running in given VRF. dhclient complains it can
not send out packets via the given interface (as it's not bound to that VRF)
Aug 02 20:29:54 dhclient[1686]: send_packet: Network is unreachable
Aug 02 20:29:54 dhclient[1686]: send_packet: please consult README file regarding broadcast address.
Aug 02 20:29:54 dhclient[1686]: dhclient.c:3001: Failed to send 300 byte long packet over fallback interface.
|
|
|
|
|
|
When no-release is specified, dhcp6c client will not release allocated address or prefix on client exit.
vyos.ifconfig: dhcpv6: T5387: re-use options_file for no release flag [WIP]
* Todo: render Jinja2 template and fill it
vyos.ifconfig: dhcpv6: T5387: finish options_file and no release flag in cli
vyos.ifconfig: dhcpv6: T5387: fix missing/wrong end tag
vyos.ifconfig: dhcpv6: T5387: fix options, no var for -n
dhcpv6-client: T5387: fix missing / from filepaths
|
|
T5368: service ids ddos-protection add support sflow mode
|
|
inetfaces
Keep a common CLI structure by re-using the already established offload
node from ethernet.
|
|
T5154: NTP: allow maximum of one ipv4 and one ipv6 address on paramet…
|
|
<listen-address>. Also allow only one single value <interface>.
|
|
T4974:add/fixed enable ovpn-dco by default
|