Age | Commit message (Collapse) | Author |
|
T5989 fix: Add ipv4-prefix as a valid option for UPnP ACLs. (backport #2897)
|
|
Completion help suggests only IPv4 and IPv6 prefixes are supported, thus add a
proper constraint enforcing this.
(cherry picked from commit 049560725b93de49ec2d5a779e391e61d568ceb6)
|
|
Fix option descriptions
(cherry picked from commit c4b6c156549ea03262793c78532c2456e8713b81)
|
|
(cherry picked from commit eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f)
|
|
(cherry picked from commit 0307801b8928bbaaa20caf5bd10b928bae459490)
|
|
appropiate commands to populate such groups using source and destination address of the packet.
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
|
|
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
|
|
Moved ipv6 pools to named ipv6 pools in accel-ppp services
(cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
|
|
Denied using command 'route-target vpn export/import'
with 'both' together in bgp configuration.
(cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
|
|
since it's not supported.
(cherry picked from commit 9d490ecf616eb9d019beee37a3802705c4109d9d)
|
|
(cherry picked from commit f2c6cb62521bf13a51225462e8d39ee184645de1)
|
|
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
* set protocols bfd profile <name> minimum-ttl <1-254>
(cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
|
|
QoS policy shaper-hfsc was not implemented after rewriting the
traffic-policy to qos policy. We had CLI but it does not use the
correct class. Add a basic implementation of policy shaper-hfsc.
Write the class `TrafficShaperHFS`
(cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
|
|
Add support to run hsflowd in a dedicated (e.g. management) VRF.
Command will be "set system sflow vrf <name>" like with any other service
(cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
|
|
firewall: T5729: T5681: T5217: backport subsystem from current branch
|
|
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
|
|
* set service ntp leap-second [ignore|smear|system|timezone]
Where timezone is the new and old default resulting in adding "leapsectz right/UTC"
to chrony.conf. The most prominent new option is "smear" which will add
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly
to chrony.
See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for
additional information
(cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
|
|
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while
moving to KEA as DHCP server.
* set service dhcp-server global-parameters
* set service dhcp-server shared-network-name <name> shared-network-parameters
* set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters
Please open feature requests if any DHCP option is missing and should be added
as a proper CLI node to make your life easier.
|
|
Backport of the conntrack system from current branch.
(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
|
|
(cherry picked from commit 100c2393e8732d4faa108889575a25f2a0a397d4)
|
|
(cherry picked from commit 40ed1e4f63878a33538370f8c980c2bb73a9fbc4)
|
|
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
(cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5)
|
|
Renamed DPD action value from 'hold' to 'trap'
(cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0)
|
|
set protocols bgp address-family ipv4-unicast nexthop vpn export <ipv4-address|ipv6-address>
set protocols bgp address-family ipv6-unicast nexthop vpn export <ipv4-address|ipv6-address>
(cherry picked from commit 7349927908206fa83a7295d643f56950309efb4f)
|
|
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575>
set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575>
(cherry picked from commit d7e248ba514108461ca9d5875c0be077c80ceca7)
|
|
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
|
|
interface: T5550: Interface source-validation priority over global value (backport)
|
|
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp
services.
Added completionHelp to default-pool and next-pool.
Fixed verification in vpn l2tp config script.
(cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
|
|
(cherry picked from commit f1411240c6b11ec400ac0f66eb71982259204317)
|
|
T5530: isis: Adding loop free alternate feature (backport #2263)
|
|
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
|
|
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
(cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
|
|
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)
# Conflicts:
# debian/control
|
|
|
|
features
(cherry picked from commit 199ceb1f0a820c838dea6862371a3121b3d9f3a9)
|
|
underscore and dot
(cherry picked from commit 82b4b2db8fda51df172210f470e5825b91e81de4)
|
|
Backports for Accel-PPP based serviced T5801, T5842 and T5688
|
|
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces (backport #2728)
|
|
Files got added by accident in commit c9eaafd9f ("T5474: establish common file
name pattern for XML conf mode commands")
|
|
(cherry picked from commit 679be4c9742ffd5c317742c6c20a268a5e044f0c)
|
|
(cherry picked from commit a232b83601f4f8b2fe6964239a568acad3fa764a)
|
|
Rewritten PPTP to get_config_dict
Fixed 'dynamic-author' commands. These commands did not create
anything in accel-ppp config.
(cherry picked from commit f39eb894d991d296a82c69d1ab783011b5d0ed2f)
|
|
Rewritten L2TP to get_config_dict
Rewritten L2TP xml to accel-ppp patterns
Migrated 'idle' to 'ppp-options.lcp-echo-timeout'
Migrated 'authentication.mppe' to 'ppp-options.mppe'
Migrated 'authentication.radius.dae-server' to
'authentication.radius.dynamic-author'
Migrated 'authentication.require' to 'authentication.protocol'
Added 'authentication.radius.acct-interim-jitter'
Added 'authentication.radius.preallocate-vif'
Added 'authentication.radius.server.<IP>.acct-port'
Added 'ppp-options.ipv4'
Added smoke-tests
Fixed 'preallocate-vif' in SSTP
(cherry picked from commit 09e0a2ca035ee39a68a510b28cc74560669d0420)
|
|
interfaces
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can
not be used as source-interface for e.g. a tunnel.
The main reason is that these are dynamic interfaces which come and go from a
kernel point of view, thus it's not possible to bind an interface to them.
(cherry picked from commit 5062f5d313548d6ebb9c07fee6b6d6be25b8f8f0)
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
|
|
firewall: T5834: Rename 'enable-default-log' to 'default-log' (backport #2651)
|
|
(cherry picked from commit 656934e85cee799dba5b495d143f6be445ac22d5)
|
|
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to
`include/firewall/log-options.xml.i`.
(cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242)
|