Age | Commit message (Collapse) | Author |
|
Allowed to set metric (MED) to (+/-)rtt in the route-map.
(cherry picked from commit 5d98e806ef4edb4439620eff60215aaf30b5a592)
|
|
Time interval in seconds to wait between DNS updates would be a bit
more intuitive as `interval` than `timeout`.
|
|
Add support for per-service cache management for ddclient providers
via `wait-time` and `expiry-time` options. This allows for finer-grained
control over how often a service is updated and how long the hostname
will be cached before being marked expired in ddclient's cache.
More specifically, `wait-time` controls how often ddclient will attempt
to check for a change in the hostname's IP address, and `expiry-time`
controls how often ddclient to a forced update of the hostname's IP
address.
These options intentionally don't have any default values because they
are provider-specific. They get treated similar to the other provider-
specific options in that they are only used if defined.
|
|
Refactor zone configuration to use shared XML snippet for all cases.
|
|
Some porvides (like 'namecheap') allow to use '@' or '*' as hostname
prefix for apex and wildcard records. This commit relaxes the hostname
validation to allow these prefixes.
|
|
Enable TTL support for web-service based protocols in addition to
RFC2136 based (nsupdate) protocol.
Since TTL is not supported by all protocols, and thus cannot have a
configuration default, the existing XML snippet `include/dns/time-to-live.xml.i`
does not have common `<defaultValue>300</defaultValue>` anymore and is
instead added explicitly whenever necessary.
|
|
Fix VRF support interface definition and configuration mode for ddclient
to actually capture the VRF name and pass it to the template.
|
|
vxlan: T5759: change default MTU from 1450 -> 1500 bytes (backport #2503)
|
|
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU
in addition to already configurable MTU") and restores the bahavior that MRU
defaults to MTU if MRU is not explicitly set.
This was the behavior in VyOS 1.3.3 and below before we added ability to define
the MRU value.
(cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
|
|
Found an odd behavior on Linux and the VyOS CLI implementation. If adding VXLAN
interfaces using iproute2 the MTU differs depending on the creation syntax:
ip -4 link add vxlan100 type vxlan dstport 4789 external df unset tos inherit \
ttl 16 nolearning vnifilter local 172.16.33.201
ip -4 link add vxlan200 type vxlan id 200 dstport 4789 local 172.16.33.201 dev eth0
ip -6 link add vxlan300 type vxlan id 300 dstport 4789 local 2001:db8:1::1 dev eth0
132: vxlan300: <BROADCAST,MULTICAST> mtu 1430 qdisc noop state DOWN group default qlen 1000
link/ether 4e:fb:e3:f5:d9:59 brd ff:ff:ff:ff:ff:ff
133: vxlan200: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 0e:4e:f4:76:59:3f brd ff:ff:ff:ff:ff:ff
134: vxlan100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether ba:b6:b7:0c:b1:37 brd ff:ff:ff:ff:ff:ff
VyOS always sets a default MTU of 1450 bytes which is correct for IPv4 p2p links
or multicast, but invalid for IPv6 p2p. Also this will break EVPN deployments
as ethernet bridges with MTU < 1500 bytes are less fun.
Increase default MTU to 1500 bytes. Migrate old configurations to use 1450
bytes if not specified otherwise on the CLI.
(cherry picked from commit 4a163b016333e58fee9d6ec6b53a09e0160b3213)
|
|
In a service provider network a service provider typically supports multiple
bridge domains with overlapping vlans. One bridge domain per customer. Vlans in
each bridge domain are mapped to globally unique VXLAN VNI ranges assigned to
each customer.
Without the ability of VNI filtering, we can not provide VXLAN tunnels
with multiple tenants all requiring e.g. VLAN 10.
To Test:
set interfaces vxlan vxlan987 parameters external
set interfaces vxlan vxlan987 source-interface eth0
set interfaces vxlan vxlan987 parameters vni-filter
set interfaces vxlan vxlan987 vlan-to-vni 50 vni 10050
set interfaces vxlan vxlan987 vlan-to-vni 51 vni 10051
set interfaces vxlan vxlan987 vlan-to-vni 52 vni 10052
set interfaces vxlan vxlan987 vlan-to-vni 53 vni 10053
set interfaces vxlan vxlan987 vlan-to-vni 54 vni 10054
set interfaces vxlan vxlan987 vlan-to-vni 60 vni 10060
set interfaces vxlan vxlan987 vlan-to-vni 69 vni 10069
set interfaces bridge br0 member interface vxlan987
Add new op-mode command: show bridge vni
Interface VNI
----------- -----------
vxlan987 10050-10054
vxlan987 10060
vxlan987 10069
(cherry picked from commit 35f6033d21053fa420e837f157cd9377a4ccd26a)
|
|
This complements commit f5e43b136 ("http: T5762: api: make API socket backend
communication the one and only default") so we have a consistent port CLI node
across VyOS components.
(cherry picked from commit 0e885f1bf01424130b6876e769cc42612b19351b)
|
|
T5419: firewall: backport firewall flowtable to Sagitta.
|
|
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
|
|
|
|
PAM: T5577: Backported PAM settings from circinus
|
|
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
(cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
|
|
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
In CLI we can choose authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
Example:
set interfaces ethernet eth0 dhcp-options user-class VyOS
or
set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
(cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)
|
|
The string data type specifies either an NVT ASCII string enclosed in double
quotes, or a series of octets specified in hexadecimal, separated by colons.
For example:
set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO
or
set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f
As of now there was no input validation performed.
(cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)
|
|
(cherry picked from commit e92667504e0c503b7c0d125d89d8795d6b6d5876)
|
|
vyos@vyos# set system config-management commit-archive location
Possible completions:
uri Uniform Resource Identifier
Unfortunately URI is a bit "less" specific - add proper help strings:
vyos@vyos# set system config-management commit-archive location
Possible completions:
http://<user>:<passwd>@<host>/<path>
https://<user>:<passwd>@<host>/<path>
ftp://<user>:<passwd>@<host>/<path>
sftp://<user>:<passwd>@<host>/<path>
scp://<user>:<passwd>@<host>/<path>
tftp://<user>:<passwd>@<host>/<path>
git+https://<user>:<passwd>@<host>/<path>
(cherry picked from commit dcb277ba0aed4a02f48572d10d3ba242942b8639)
|
|
(cherry picked from commit a89243cfbfc90854a8cddd53c0ffc987f75abcee)
|
|
T4072: firewall: backport bridge firewall to sagitta
|
|
|
|
(cherry picked from commit 019723aaa4217403f1fcbcd636f573ea403f909c)
|
|
(cherry picked from commit 64b4cfc71d402222fd6b034336b3588b5986ba24)
|
|
(cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c)
# Conflicts:
# data/templates/frr/pim6d.frr.j2
# interface-definitions/protocols-pim6.xml.in
# smoketest/scripts/cli/test_protocols_pim6.py
# src/conf_mode/protocols_pim6.py
|
|
(cherry picked from commit 6ce2ecb10884a4b79a7643e22596a2d03d805a91)
|
|
(cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)
|
|
IGMP and PIM are two different but related things.
FRR has both combined in pimd. As we use get_config_dict() and FRR reload it
is better to have both centrally stored under the same CLI node (as FRR does,
too) to just "fire and forget" the commit to the daemon.
"set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"
(cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)
|
|
(cherry picked from commit 45ea9ed72ee11809f69619a40ae243df562de39f)
|
|
(cherry picked from commit c5e2c25f8968c0f06a9e4e992decc46a4f690868)
|
|
Migrate CLI configuration retrival to common get_config_dict(). In addition
add new functionality to VyOS that is PIM related and already available in FRR.
(cherry picked from commit 9abc02edcc237760f1f8aa1b3f08d7f4d18f866c)
# Conflicts:
# python/vyos/frr.py
# src/op_mode/restart_frr.py
|
|
xml: T5738: add source-address-ipv4-ipv6-multi building block (backport #2479)
|
|
(cherry picked from commit dccca4307339d13e5c3ae78058194baf2fd04002)
|
|
parsing, and migration to valueless node for log and state matchers
|
|
(cherry picked from commit 59c8d5febb2b1333643372f8956fa8f219d022cb)
|
|
T5559: Add static neighbor-proxy feature (backport #2240)
|
|
Ability to set ip neigbhor proxy
set protocols static neighbor-proxy arp 192.0.2.1 interface 'eth0'
set protocols static neighbor-proxy arp 192.0.2.2 interface 'eth0'
set protocols static neighbor-proxy nd 2001:db8::1 interface 'eth1'
(cherry picked from commit c56af995b6e3d867c2a67deeb4be79e498f0a7cf)
|
|
- Allow to configure only required interface prefixes
set service snmp mib interface 'eth'
set service snmp mib interface 'bond'
include_ifmib_iface_prefix eth bond
Sets the interface name prefixes to include in the IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls.
A set of space separated interface name prefixes will reduce the CPU
load for IF-MIB processing. For example, configuring
"include_ifmib_iface_prefix eth dummy lo" will include only interfaces
with these prefixes and ignore all others for IF-MIB processing.
- Allow to configure maximum interface number
set service snmp mib interface-max '100'
ifmib_max_num_ifaces NUM
Sets the maximum number of interfaces included in IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls
(on Linux). Setting a reasonable maximum for the CPU used will
reduce the CPU load for IF-MIB processing. For example, configuring
"ifmib_max_num_ifaces 500" will include only the first 500 interfaces
based on ifindex and ignore all others for IF-MIB processing.
(cherry picked from commit 30a05ee1d447c6f92627162a506225f833a80f8c)
|
|
(cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)
|
|
set interfaces bonding bond10 evpn es-df-pref '50'
set interfaces bonding bond10 evpn es-id '10'
set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
set interfaces bonding bond10 member interface 'eth3'
set interfaces bonding bond10 mode '802.3ad'
(cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
|
|
T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)
|
|
Add `max-starting` option:
[common]
max-starting=N
Specifies maximum concurrent session attempts which server may processed
set service pppoe-server max-concurrent-sessions '30'
Useful to prevent high CPU utilization and compat execution
scripts per time.
(cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
|
|
The vendor name could contain Uppercase or lowercase symbols and
not rely on the dictionary name but on dictionary value
/ # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor
VENDOR Cisco 9
Another example
VENDOR Alcatel-IPD 6527
This way if we use `vendor=cisco` instead of `vendor=Cisco` it
will not work at all
Delete vendor validators
(cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)
|
|
firewal, nat and nat66.
(cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
(cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
|
|
As we have a bunch of options under "paramteres" already and "external" is
clearly one of them it should be migrated under that node as well.
(cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
|