summaryrefslogtreecommitdiff
path: root/interface-definitions
AgeCommit message (Collapse)Author
2024-02-07bgp: T6024: add additional missing FRR featuresChristian Breunig
* set protocols bgp parameters labeled-unicast <explicit-null | ipv4-explicit-null | ipv6-explicit-null> * set protocols bgp parameters allow-martian-nexthop * set protocols bgp parameters no-hard-administrative-reset" (cherry picked from commit fff6004d46c5b939800fc3e61fe2102224625c0d)
2024-02-07xml: T302: replace references to Quagga with FRRoutingChristian Breunig
(cherry picked from commit 1c882769cc0627cfc1ebf5ab7c338c6c474456da)
2024-02-06rpki: T6011: known-hosts-file is no longer supported by FRRChristian Breunig
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
2024-02-03ipsec: T5998: add replay-windows settingChristian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040> (cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
2024-02-02qos: T5848: improve flow-isolation help stringsChristian Breunig
(cherry picked from commit 762be96f45bb1d9705e45ff554ad483c9d4e10ff)
2024-02-02qos: T5848: Add triple-isolate option to CAKE policy configMatthew Kobayashi
(cherry picked from commit 61342083d7db8c30d015474fae5cb71f480487d8)
2024-02-02container: T5955: allow setting uid/gidPiotr Maksymiuk
(cherry picked from commit 52e9707a43290f5f826766e2c42c5f0db3c9adec)
2024-02-02Merge pull request #2928 from vyos/mergify/bp/sagitta/pr-2891Viacheslav Hletenko
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
2024-02-02Merge pull request #2921 from vyos/mergify/bp/sagitta/pr-2903Viacheslav Hletenko
dns forwarding: T5687: Implement ECS settings for PowerDNS recursor (backport #2903)
2024-02-02T5971: Rewritten ppp options in accel-ppp servicesaapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP. (cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
2024-02-01ddclient: T5966: Migration script for dynamic dns config subpath changeIndrajit Raychaudhuri
2024-02-01ddclient: T5966: Adjust dynamic dns config address subpathIndrajit Raychaudhuri
Modify the dynamic dns configuration 'address' subpath for better clarity on how the address is obtained. Additionally, remove `web-options` and fold those options under the path `address web`.
2024-02-01Merge pull request #2925 from vyos/mergify/bp/sagitta/pr-2897Christian Breunig
T5989 fix: Add ipv4-prefix as a valid option for UPnP ACLs. (backport #2897)
2024-02-01dns forwarding: T5687: add missing constraints on ecs-add-for CLI nodeChristian Breunig
Completion help suggests only IPv4 and IPv6 prefixes are supported, thus add a proper constraint enforcing this. (cherry picked from commit 049560725b93de49ec2d5a779e391e61d568ceb6)
2024-02-01dns forwarding: T5687: Implement ECS settings for PowerDNS recursorkhramshinr
Fix option descriptions (cherry picked from commit c4b6c156549ea03262793c78532c2456e8713b81)
2024-02-01dns forwarding: T5687: Implement ECS settings for PowerDNS recursorkhramshinr
(cherry picked from commit eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f)
2024-02-01upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLsChris Buechler
(cherry picked from commit 0307801b8928bbaaa20caf5bd10b928bae459490)
2024-02-01T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01Merge pull request #2916 from vyos/mergify/bp/sagitta/pr-2832Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
2024-02-01T5865: Moved ipv6 pools to named ipv6 pools in accel-pppaapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services (cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
2024-02-01bgp: T5930: Denied using rt vpn 'export/import' with 'both' togetheraapostoliuk
Denied using command 'route-target vpn export/import' with 'both' together in bgp configuration. (cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
2024-02-01T5977: firewall: remove ipsec options in output chain rule definitions, ↵Nicolas Fort
since it's not supported. (cherry picked from commit 9d490ecf616eb9d019beee37a3802705c4109d9d)
2024-01-31reverse-proxy: T5999: Allow root for exact match in backend rule URLcleopold73
(cherry picked from commit f2c6cb62521bf13a51225462e8d39ee184645de1)
2024-01-23T5979: add configurable kernel boot option 'disable-mitigations'Christian Breunig
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
2024-01-23bfd: T5967: add minimum-ttl optionChristian Breunig
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254> * set protocols bfd profile <name> minimum-ttl <1-254> (cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
2024-01-22T5958: QoS add basic implementation of policy shaper-hfscViacheslav Hletenko
QoS policy shaper-hfsc was not implemented after rewriting the traffic-policy to qos policy. We had CLI but it does not use the correct class. Add a basic implementation of policy shaper-hfsc. Write the class `TrafficShaperHFS` (cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
2024-01-22sflow: T5968: add VRF supportChristian Breunig
Add support to run hsflowd in a dedicated (e.g. management) VRF. Command will be "set system sflow vrf <name>" like with any other service (cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
2024-01-22Merge pull request #2856 from c-po/firewall-backportsChristian Breunig
firewall: T5729: T5681: T5217: backport subsystem from current branch
2024-01-22firewall: T5729: T5681: T5217: backport subsystem from current branchChristian Breunig
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
2024-01-21ntp: T5692: add support to configure leap second behaviorChristian Breunig
* set service ntp leap-second [ignore|smear|system|timezone] Where timezone is the new and old default resulting in adding "leapsectz right/UTC" to chrony.conf. The most prominent new option is "smear" which will add leapsecmode slew maxslewrate 1000 smoothtime 400 0.001 leaponly to chrony. See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for additional information (cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
2024-01-21dhcp: T3316: add deprecation warning on RAW ISC DHCPD optionsChristian Breunig
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while moving to KEA as DHCP server. * set service dhcp-server global-parameters * set service dhcp-server shared-network-name <name> shared-network-parameters * set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters Please open feature requests if any DHCP option is missing and should be added as a proper CLI node to make your life easier.
2024-01-18conntrack: T5376: T5779: backport from currentChristian Breunig
Backport of the conntrack system from current branch. (cherry picked from commit fd0bcaf12) (cherry picked from commit 5acf5aced) (cherry picked from commit 42ff4d8a7) (cherry picked from commit 24a1a7059)
2024-01-18xml: T5738: re-use source-address-ipv4-ipv6 building block for config-managementChristian Breunig
(cherry picked from commit 100c2393e8732d4faa108889575a25f2a0a397d4)
2024-01-18ndp-proxy: T5863: add missing priority to honor interface dependenciesChristian Breunig
(cherry picked from commit 40ed1e4f63878a33538370f8c980c2bb73a9fbc4)
2024-01-17T5953: Changed values of 'close-action' to Strongswan valuesaapostoliuk
Changed the value from 'hold' to 'trap' in the 'close-action' option in the IKE group. Changed the value from 'restart' to 'start' in the 'close-action' option in the IKE group. (cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5)
2024-01-16T4658: Renamed DPD action value from 'hold' to 'trap'aapostoliuk
Renamed DPD action value from 'hold' to 'trap' (cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0)
2024-01-14bgp: T591: add VPN nexthop support per address-familyChristian Breunig
set protocols bgp address-family ipv4-unicast nexthop vpn export <ipv4-address|ipv6-address> set protocols bgp address-family ipv6-unicast nexthop vpn export <ipv4-address|ipv6-address> (cherry picked from commit 7349927908206fa83a7295d643f56950309efb4f)
2024-01-14bgp: T591: add SRv6 per address-family SID supportChristian Breunig
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575> set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575> (cherry picked from commit d7e248ba514108461ca9d5875c0be077c80ceca7)
2024-01-11Merge pull request #2789 from vyos/mergify/bp/sagitta/pr-2777Christian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
2024-01-11Merge pull request #2793 from sarthurdev/T5550_sagittaChristian Breunig
interface: T5550: Interface source-validation priority over global value (backport)
2024-01-10T5688: Changed 'range' to multi in 'client-ip-pool' for accell-pppaapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script. (cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
2024-01-10bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFIChristian Breunig
(cherry picked from commit f1411240c6b11ec400ac0f66eb71982259204317)
2024-01-10Merge pull request #2783 from vyos/mergify/bp/sagitta/pr-2263Christian Breunig
T5530: isis: Adding loop free alternate feature (backport #2263)
2024-01-10T5530: isis: Adding loop free alternate featureCheeze_It
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
2024-01-10https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement. (cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
2024-01-08https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2024-01-08T5896: firewall: backport interface validator for firewall rules.Nicolas Fort
2024-01-06dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns ↵fvlaicu
features (cherry picked from commit 199ceb1f0a820c838dea6862371a3121b3d9f3a9)
2024-01-04xml: T5738: add constraint building block with alphanumeric, hypen, ↵Christian Breunig
underscore and dot (cherry picked from commit 82b4b2db8fda51df172210f470e5825b91e81de4)