Age | Commit message (Collapse) | Author |
|
Fix commit 51abbc0f1b2 ("T5681: Firewall,Nat and Nat66: simplified and
standarize interface matcher (valid for interfaces and groups) in firewal, nat
and nat66") that added a migrator but did not bump the version number.
|
|
vxlan: T5668: add CLI knob to enable ARP/ND suppression
|
|
As we have a bunch of options under "paramteres" already and "external" is
clearly one of them it should be migrated under that node as well.
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
|
|
(valid for interfaces and groups) in firewal, nat and nat66.
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i…
|
|
vxlan: T5671: change port to IANA assigned default port
|
|
Currently VyOS VXLAN implementation uses the Linux assigned port 8472 that
predates the IANA assignment. As Most other vendors use the IANA assigned port,
follow this guideline and use the new default port 4789.
Existing configuration not defining an explicit port number will be migrated
to the old default port number of 8472, keeping existing configurations work!
|
|
|
|
bridge: T5670: add missing constraint on "member interface" node
|
|
T5541: firewall zone: re add firewall zone-base firewall
|
|
cluster: T2897: add a migration script for converting cluster to VRRP
|
|
T5637: add new rule at the end of base chains for default-actions and log capabilities
|
|
One could specify a bridge member of VXLAN1 interface, but it is not possible
to create a VXLAN interface with the name of VXLAN1 - prohibited by VXLAN
interface name validator.
Add missing interface-name validator code
|
|
|
|
|
|
bonding: T5254: Fixed changing ethernet when it is a bond member
|
|
|
|
openvpn: T5634: Remove support for insecure DES and Blowfish ciphers
|
|
|
|
interface-name|interface-group as in firewall.
|
|
T5165: Implement policy local-route source and destination port
|
|
T5530: isis: Adding loop free alternate feature
|
|
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
|
|
Add `policy local-route` source and destination port
set policy local-route rule 23 destination port '222'
set policy local-route rule 23 protocol 'tcp'
set policy local-route rule 23 set table '123'
set policy local-route rule 23 source port '8888'
% ip rule show prio 23
23: from all ipproto tcp sport 8888 dport 222 lookup 123
|
|
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
|
|
If ethernet interface is a bond memeber:
1. Allow for changing only specific parameters which are specified
in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet
interface which are scpecified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under ethernet interface
but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.
Added migration script. It deletes all denied parameters under
ethernet interface if it is a bond member.
|
|
A network namespace can have VRFs assigned, thus we need to get the priorities
right. This lowers both priorities in general as a VRF or NETNS needs to be
available very early as services can run on top of them.
|
|
ddclient: T5574: Support per-service cache management for providers
|
|
T5600: firewall: change constraints for inbound|outbound interface-name
|
|
Add support for per-service cache management for ddclient providers
via `wait-time` and `expiry-time` options. This allows for finer-grained
control over how often a service is updated and how long the hostname
will be cached before being marked expired in ddclient's cache.
More specifically, `wait-time` controls how often ddclient will attempt
to check for a change in the hostname's IP address, and `expiry-time`
controls how often ddclient to a forced update of the hostname's IP
address.
These options intentionally don't have any default values because they
are provider-specific. They get treated similar to the other provider-
specific options in that they are only used if defined.
|
|
T5165: Migrate policy local-route rule x destination to address
|
|
ddclient: T5612: Miscellaneous improvements and fixes for dynamic DNS
|
|
Migrate policy local-route <destination|source> to node address
replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
=> 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
|
|
filter and in policy route.
|
|
T5577: Optimized PAM configs for RADIUS/TACACS+
|
|
This commit adds a new configuration option to the mDNS repeater service
to allow controlling which IP version to use for mDNS repeater.
Additionally, publishing AAAA record over IPv4 and A record over IPv6 is
disabled as suggested.
See:
- https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104
- https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
|
|
T5217: Add firewall synproxy
|
|
firewall: T5614: Add support for matching on conntrack helper
|
|
Add option `protocol` for policy local-route
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
|
|
|
|
Some porvides (like 'namecheap') allow to use '@' or '*' as hostname
prefix for apex and wildcard records. This commit relaxes the hostname
validation to allow these prefixes.
|
|
Enable TTL support for web-service based protocols in addition to
RFC2136 based (nsupdate) protocol.
Since TTL is not supported by all protocols, and thus cannot have a
configuration default, the existing XML snippet `include/dns/time-to-live.xml.i`
does not have common `<defaultValue>300</defaultValue>` anymore and is
instead added explicitly whenever necessary.
|
|
Refactor zone configuration to use shared XML snippet for all cases.
|
|
Fix VRF support interface definition and configuration mode for ddclient
to actually capture the VRF name and pass it to the template.
|
|
Add ability to SYNPROXY connections
It is useful to protect against TCP SYN flood attacks and port-scanners
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
|
|
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.
|
|
A `backup` server can be defined to take over in the case of all other
backends failing
set load-balancing reverse-proxy backend <tag> server <tag> address '192.0.2.3'
set load-balancing reverse-proxy backend <tag> server <tag> port '8883'
set load-balancing reverse-proxy backend <tag> server <tag> backup
|
|
bgp: T5596: add new features from FRR 9
|