Age | Commit message (Collapse) | Author |
|
Migrate policy local-route <destination|source> to node address
replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
=> 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
(cherry picked from commit 9f7a5f79200782f7849cab72f55a39dedf45f214)
|
|
This commit adds a new configuration option to the mDNS repeater service
to allow controlling which IP version to use for mDNS repeater.
Additionally, publishing AAAA record over IPv4 and A record over IPv6 is
disabled as suggested.
See:
- https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104
- https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
(cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)
|
|
T5165: Add option protocol for policy local-route (backport #2313)
|
|
(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001)
|
|
Add option `protocol` for policy local-route
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
(cherry picked from commit 96b8b38a3c17aa08fa964eef9141cf89f1c1d442)
|
|
bgp: T5596: add new features from FRR 9 (backport #2284)
|
|
A `backup` server can be defined to take over in the case of all other
backends failing
set load-balancing reverse-proxy backend <tag> server <tag> address '192.0.2.3'
set load-balancing reverse-proxy backend <tag> server <tag> port '8883'
set load-balancing reverse-proxy backend <tag> server <tag> backup
(cherry picked from commit cb297aea56da91144c53be1f396b64a26a8e5b04)
|
|
* Add BGP Software Version capability (draft-abraitis-bgp-version-capability)
set protocols bgp neighbor 192.0.2.1 capability software-version
* Add BGP neighbor path-attribute treat-as-withdraw command
set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw
(cherry picked from commit d285355716708a46767c18661976906812da8a3c)
|
|
* Add support for IS-IS advertise-high-metrics
set protocols isis advertise-high-metrics
* Add support for IS-IS advertise-passive-only
set protocols isis advertise-passive-only
(cherry picked from commit f7d35c15256ea74ab32c9b978a5c6fdbd659a7a0)
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
(cherry picked from commit 47875457cd8b176f7f23a3141175d745aeb14d8a)
|
|
T5480: Ability to disable SNMP for keepalived service VRRP
|
|
Add the ability to use the option all for remove-private-as.
Remove private ASNs in outbound updates.
all - Apply to all AS numbers
set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all
(cherry picked from commit d72024b11e127cc11931cfaee4d07944dceb1ea9)
|
|
webproxy service
(cherry picked from commit 4401c6920fed08050832a00041021137e9efae54)
|
|
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when
working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI
is configured against a container VXLAN interface which is referred to as a
'Single VXLAN device (SVD)'.
Multiple VLAN to VNI mappings can be configured against the same SVD. This
allows for a significant scaling of the number of VNIs since a separate VXLAN
interface is no longer required for each VNI.
Sample configuration of SVD with VLAN to VNI mappings is shown below.
set interfaces bridge br0 member interface vxlan0
set interfaces vxlan vxlan0 external
set interfaces vxlan vxlan0 source-interface 'dum0'
set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030'
set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
(cherry picked from commit 7f6624f5a6f8bd1749b54103ea5ec9f010adf778)
|
|
By default we enable `--snmp` for keepalived unit service
Add ability to disable it
set high-availability vrrp disable-snmp
(cherry picked from commit 5ae730a52de2f284e45cd433bb0cf66c8508f2f7)
|
|
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
|
|
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
|
|
|
|
T5531: Containers add label option
|
|
Ability to set labels for container
set container name c1 allow-host-networks
set container name c1 image 'busybox'
set container name c1 label mypods value 'My label for containers'
|
|
|
|
|
|
system-ip: T5449: add TCP MSS probing options
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
T5448: Add configuration host-name for zabbix-agent
|
|
T5463: Container allow publish listen-addresses
|
|
|
|
T5450: allow inverted matcher for interface and interface-group
|
|
Ability to publish multiple IP/IPv6 addresses for container
set container name c1 port web destination '80'
set container name c1 port web listen-address '192.0.2.1'
set container name c1 port web listen-address '2001:db8:1111::1'
set container name c1 port web source '8080'
--publish 192.0.2.1:8080:80/tcp --publish [2001:db8:1111::1]:8080:80/tcp
|
|
firewall cli
|
|
Ability to configure host-name for zabbix-agent
set service monitoring zabbix-agent host-name 'r-vyos'
|
|
T5447: Initial support for MACsec static keys
|
|
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation
mode").
|
|
his extends commit b9655365b ("login: T5490: add stricter validation for
home-directory path") by adding a dot to the REGEX allow list.
This was previously allowed and covered in out smoketests which failed.
|
|
|
|
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
|
|
Provides a per-device control to enable/disable the threaded mode for all the
napi instances of the given network device, without the need for a device
up/down.
|
|
Using threaded as CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probing if
the option is set. There is a base test which requires at least one peer
to be configured.
|
|
|
|
|
|
|
|
|
|
|
|
setting
|
|
This is only a cosmetic change so that the default value is properly retrieved
from the defaultValue XML node.
|
|
T5160: Firewall refactor
|
|
|
|
with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers
|