Age | Commit message (Collapse) | Author |
|
* set protocols bgp parameters labeled-unicast <explicit-null | ipv4-explicit-null | ipv6-explicit-null>
* set protocols bgp parameters allow-martian-nexthop
* set protocols bgp parameters no-hard-administrative-reset"
(cherry picked from commit fff6004d46c5b939800fc3e61fe2102224625c0d)
|
|
(cherry picked from commit 1c882769cc0627cfc1ebf5ab7c338c6c474456da)
|
|
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
|
|
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.
* set vpn ipsec site-to-site peer <name> replay-window <0-2040>
(cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
|
|
(cherry picked from commit 762be96f45bb1d9705e45ff554ad483c9d4e10ff)
|
|
(cherry picked from commit 61342083d7db8c30d015474fae5cb71f480487d8)
|
|
(cherry picked from commit 52e9707a43290f5f826766e2c42c5f0db3c9adec)
|
|
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
|
|
dns forwarding: T5687: Implement ECS settings for PowerDNS recursor (backport #2903)
|
|
Rewritten 'ppp-options' to the same view in all accel-ppp services.
Adding IPv6 support to PPTP.
(cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
|
|
|
|
Modify the dynamic dns configuration 'address' subpath for better
clarity on how the address is obtained.
Additionally, remove `web-options` and fold those options under the
path `address web`.
|
|
T5989 fix: Add ipv4-prefix as a valid option for UPnP ACLs. (backport #2897)
|
|
Completion help suggests only IPv4 and IPv6 prefixes are supported, thus add a
proper constraint enforcing this.
(cherry picked from commit 049560725b93de49ec2d5a779e391e61d568ceb6)
|
|
Fix option descriptions
(cherry picked from commit c4b6c156549ea03262793c78532c2456e8713b81)
|
|
(cherry picked from commit eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f)
|
|
(cherry picked from commit 0307801b8928bbaaa20caf5bd10b928bae459490)
|
|
appropiate commands to populate such groups using source and destination address of the packet.
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
|
|
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
|
|
Moved ipv6 pools to named ipv6 pools in accel-ppp services
(cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
|
|
Denied using command 'route-target vpn export/import'
with 'both' together in bgp configuration.
(cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
|
|
since it's not supported.
(cherry picked from commit 9d490ecf616eb9d019beee37a3802705c4109d9d)
|
|
(cherry picked from commit f2c6cb62521bf13a51225462e8d39ee184645de1)
|
|
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
* set protocols bfd profile <name> minimum-ttl <1-254>
(cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
|
|
QoS policy shaper-hfsc was not implemented after rewriting the
traffic-policy to qos policy. We had CLI but it does not use the
correct class. Add a basic implementation of policy shaper-hfsc.
Write the class `TrafficShaperHFS`
(cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
|
|
Add support to run hsflowd in a dedicated (e.g. management) VRF.
Command will be "set system sflow vrf <name>" like with any other service
(cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
|
|
firewall: T5729: T5681: T5217: backport subsystem from current branch
|
|
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
|
|
* set service ntp leap-second [ignore|smear|system|timezone]
Where timezone is the new and old default resulting in adding "leapsectz right/UTC"
to chrony.conf. The most prominent new option is "smear" which will add
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly
to chrony.
See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for
additional information
(cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
|
|
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while
moving to KEA as DHCP server.
* set service dhcp-server global-parameters
* set service dhcp-server shared-network-name <name> shared-network-parameters
* set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters
Please open feature requests if any DHCP option is missing and should be added
as a proper CLI node to make your life easier.
|
|
Backport of the conntrack system from current branch.
(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
|
|
(cherry picked from commit 100c2393e8732d4faa108889575a25f2a0a397d4)
|
|
(cherry picked from commit 40ed1e4f63878a33538370f8c980c2bb73a9fbc4)
|
|
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
(cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5)
|
|
Renamed DPD action value from 'hold' to 'trap'
(cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0)
|
|
set protocols bgp address-family ipv4-unicast nexthop vpn export <ipv4-address|ipv6-address>
set protocols bgp address-family ipv6-unicast nexthop vpn export <ipv4-address|ipv6-address>
(cherry picked from commit 7349927908206fa83a7295d643f56950309efb4f)
|
|
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575>
set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575>
(cherry picked from commit d7e248ba514108461ca9d5875c0be077c80ceca7)
|
|
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
|
|
interface: T5550: Interface source-validation priority over global value (backport)
|
|
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp
services.
Added completionHelp to default-pool and next-pool.
Fixed verification in vpn l2tp config script.
(cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
|
|
(cherry picked from commit f1411240c6b11ec400ac0f66eb71982259204317)
|
|
T5530: isis: Adding loop free alternate feature (backport #2263)
|
|
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
|
|
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
(cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
|
|
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)
# Conflicts:
# debian/control
|
|
|
|
features
(cherry picked from commit 199ceb1f0a820c838dea6862371a3121b3d9f3a9)
|
|
underscore and dot
(cherry picked from commit 82b4b2db8fda51df172210f470e5825b91e81de4)
|