Age | Commit message (Collapse) | Author |
|
T5801: Rewritten L2TP to get_config_dict
|
|
dhcp: T3316: Support hostname, DUID and MAC address in reservation
|
|
|
|
|
|
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
|
|
Rewritten L2TP to get_config_dict
Rewritten L2TP xml to accel-ppp patterns
Migrated 'idle' to 'ppp-options.lcp-echo-timeout'
Migrated 'authentication.mppe' to 'ppp-options.mppe'
Migrated 'authentication.radius.dae-server' to
'authentication.radius.dynamic-author'
Migrated 'authentication.require' to 'authentication.protocol'
Added 'authentication.radius.acct-interim-jitter'
Added 'authentication.radius.preallocate-vif'
Added 'authentication.radius.server.<IP>.acct-port'
Added 'ppp-options.ipv4'
Added smoke-tests
Fixed 'preallocate-vif' in SSTP
|
|
|
|
accel-ppp: T5688: Standardized pool configuration in accel-ppp
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Fraimed-IP-Address attribute by radius.
3. Default pool name should be explicidly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
|
|
|
|
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
|
|
IGMP and PIM are two different but related things.
FRR has both combined in pimd. As we use get_config_dict() and FRR reload it
is better to have both centrally stored under the same CLI node (as FRR does,
too) to just "fire and forget" the commit to the daemon.
"set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"
|
|
<enable|disable> commands; log and state moved to new syntax.
|
|
change.
|
|
Time interval in seconds to wait between DNS updates would be a bit
more intuitive as `interval` than `timeout`.
|
|
Fix commit 51abbc0f1b2 ("T5681: Firewall,Nat and Nat66: simplified and
standarize interface matcher (valid for interfaces and groups) in firewal, nat
and nat66") that added a migrator but did not bump the version number.
|
|
vxlan: T5671: change port to IANA assigned default port
|
|
Currently VyOS VXLAN implementation uses the Linux assigned port 8472 that
predates the IANA assignment. As Most other vendors use the IANA assigned port,
follow this guideline and use the new default port 4789.
Existing configuration not defining an explicit port number will be migrated
to the old default port number of 8472, keeping existing configurations work!
|
|
|
|
bonding: T5254: Fixed changing ethernet when it is a bond member
|
|
|
|
|
|
If ethernet interface is a bond memeber:
1. Allow for changing only specific parameters which are specified
in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet
interface which are scpecified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under ethernet interface
but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.
Added migration script. It deletes all denied parameters under
ethernet interface if it is a bond member.
|
|
Migrate policy local-route <destination|source> to node address
replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
=> 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
|
|
add IPv6 support and firewall groups
|
|
|
|
Disabeled adding the peer with the same public key as the router has.
Added smoketest
|
|
T5154: NTP: allow maximum of one ipv4 and one ipv6 address on paramet…
|
|
<listen-address>. Also allow only one single value <interface>.
|
|
Migrate:
high-availability virtual-server 203.0.113.1
to: high-availability virtual-server <name> address 203.0.113.1
|
|
... this is a step towards a new and better implementation that will utilize
VPP.
|
|
Create migration and bump package version from 0 -> 1 for dynamic dns
|
|
syslog: T2778: T2769: refactoring and VRF support
|
|
|
|
|
|
|
|
|
|
Tunnel interface multicast settings can be "enabled or disabled". As we prefer
valueless nodes, and the linux kernel default is "disabled" we should add a
set interfaces tunnel tunXX enable-multicast
command
|
|
Not supported with swanctl
|
|
sstp-client
|
|
T4916: Rewrite IPsec peer authentication and psk migration
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
T4857: SNMP: Implement FRR SNMP Recomendations
|
|
warning message
|
|
* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony
|
|
|
|
move from vfs to overlay driver
The following pre iage upgrade script must be executed to have containers after
the reboot:
for pod in $(cli-shell-api listActiveNodes container name); do
systemctl stop vyos-container-${pod//\'}.service
done
sed -i 's/vfs/overlay/g' /etc/containers/storage.conf /usr/share/vyos/templates/container/storage.conf.j2
rm -rf /usr/lib/live/mount/persistence/container/storage/libpod
for pod in $(cli-shell-api listActiveNodes container name); do
image=$(cli-shell-api returnActiveValue container name ${pod//\'} image)
podman image pull $image
systemctl start vyos-container-${pod//\'}.service
done
for dir in vfs vfs-containers vfs-images vfs-layers; do
rm -rf /usr/lib/live/mount/persistence/container/storage/$dir
done
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
so this new group can be used in inbound and outbound matcher
|