Age | Commit message (Collapse) | Author |
|
Add interface type veth (Virtual ethernet)
One of the usecases it's interconnect different vrf's and
default vrf via bridge
set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0
vyos@r1:~$ ping 10.0.0.10 count 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
|
|
(cherry picked from commit 3d5aba0775ff0d858d6c75d6aa37183be73c15aa)
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
(cherry picked from commit 90c0c2c4c81cdbf2ec3f928499f3e1719bfd6f9a)
|
|
set high-availability vrrp group <name> version 2|3
(cherry picked from commit 6ca308182a7891e600a2e8749f7b12b566005576)
|
|
Allow syslog messages to be sent through a VRF (e.g. management).
(cherry picked from commit 46d2bcdb0b500b4d1b9d973ab5b9ca3c6cf44e51)
|
|
T4727: Add RADIUS rate-limit attribute for vpn pptp
|
|
Add rate-limit attribute, multiplier, vendor specific attribute
for the [shaper] section
|
|
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
(cherry picked from commit fe82d86d3e87cb8d92ebc9d0652c08e3dd79a12c)
|
|
Event-handler allows executing a custom script when detects
some configured "pattern regex"
set service event-handler event first filter pattern '.*ssh2.*'
set service event-handler event first script arguments '192.0.2.5'
set service event-handler event first script environment interface value 'eth0'
set service event-handler event first script path '/config/scripts/hello.sh'
It is the backport from 1.4
|
|
(cherry picked from commit d14a6814acb173cdc6df13212620f7da330434ed)
|
|
Ability setting container hostname
This host name is used as /etc/hostname
set container name <tag> host-name 'mybox'
(cherry picked from commit c68d73e6720a7df2b48df17ac7b9b4c906e0294c)
|
|
options for containers
(cherry picked from commit 53aebddb4ca54b0cc4a296d6cc4c4d960c5f1d73)
|
|
Based on wpa_supplicant documentation.
mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit)
hex-string (2..64 hex-digits)
Changed allowable length of CKN from strong 64 hex-digits
to the range (2..64 hex-digits)
|
|
T4971: PPPoE server add named ip pool and attr Framed-Pool
|
|
T1993: PPPoE-server add section shaper and fwmark option
|
|
Add a new feature to allow to use named pools
Also it can be used with RADIUS attribute 'Framed-Pool'
set service pppoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service pppoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
Add accel-ppp include client-ip-pool-name.xml.i
Can be used in other accep-ppp CLI as "include"
|
|
Extended PPPoE-server rate-limiter to avoid shaping marked resources
Often this feature needs for ISP, which provides access to some IX
or its resources.
set service pppoe-server shaper fwmark '223'
|
|
Minimum acceptable MTU. If client will try to negotiate less then
specified MTU then it will be NAKed or disconnected if rejects
greater MTU.
Change 'min-mtu' from 1492 to 1280 for 1.3.3
|
|
T4947: container: fix existing issues in equuleus after backport from 1.4
|
|
VyOS 1.3 does not support automatic generation of the (default: <>) string
from XML defaultValue nodes. Specify help string manually.
|
|
pppoe: T4948: add CLI option to allow definition of host-uniq flag (equuleus backport)
|
|
container: T4947: support mounting container volumes as ro or rw (equuleus backport)
|
|
Some ISPs seem to use the host-uniq flag to authenticate client equipment.
Add CLI option in VyOS to allow specification of the host-uniq flag.
set interfaces pppoe pppoeN host-uniq <value>
(cherry-picked from commit 38bab79324087df5a9057c23b85a0a784c09540a)
|
|
(cherry-picked from commit 046bb9ccd56ac5e97c638bb4a9ca856d3d36026a)
|
|
(cherry picked from commit f0bc6c62016d285f0645c4b3ba8b1451c40c637f)
|
|
Whenever a container is used and a folder is mounted, this happenes as
read-write which is the default in Docker/Podman - so is the default in VyOS.
A new option is added "set container name foo volume mode <ro|rw>" to specify
explicitly if rw (default) or ro should be used for this mounted folder.
(cherry picked from commit 275ea7303cfdb79c042da1b710622aee17a488a8)
|
|
[1.3] T4832: dhcp: Add dhcp option to signal IPv6-only support (RFC 8925)
|
|
(cherry picked from commit 87cc636bd2baf576a2a5ece7a4f8318eb4f69c2e)
|
|
container: T578: backport podman from 1.4 development branch (equuleus)
|
|
|
|
(cherry picked from commit e5a5684eb4004772439b2dc33ec21b7546db3fe1)
|
|
I use dummy interfaces in a VRF as source-interfaces for VXLAN in order to
force VXLAN send underlay UDP traffic through the VRF where the dummy interface
resides.
However dummy interface has no mtu option so it always gets an MTU of 1500.
This will cause an error when the mtu of dummy is not large enough for the
VXLAN traffic.
Adding this option in the config template will solve this.
(cherry picked from commit 1440ef93e13d15e2247cbfc2cb4ea2afb266fc9e)
|
|
T4809: radvd: (Backport) Allow the use of AdvRASrcAddress
|
|
T3810: Fixed all issues in T3810
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
5. Fixed generation dest local sections in squidGuard.conf
6. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
7. Backported all changes from 1.4 to 1.3 which were made in T3810
8. Fixed webproxy smoketest
|
|
This add the AdvRASrcAddress configuration option to configure
a source address for the router advertisements. The source
address still must be configured on the system. This is useful
for VRRP setups where you want fe80::1 on the VRRP interface
for cleaner VRRP failovers.
|
|
backport: T4515: T4219: policy local-route6 and inbound-interface support
|
|
firewall: T4709: fix firewall MSS clamping issues
|
|
Clients supporting this DHCP option (DHCP option 108, per RFC 8925) will
disable its IPv4 network stack for configured number of seconds
and operate in IPv6-only mode.
Example clients supporting this option including iOS 15+ and macOS 12.0.1+.
|
|
(cherry picked from commit 3f91033927d80748b70e1ef58b2941643d1aca33)
|
|
(cherry picked from commit dda62226353ebc198b4dbbd319412bb5d1d1ece2)
|
|
ddclient: T4743: Add option for IPv6 Dynamic DNS
|
|
Use common "url.xml" which allow URL as domain name or IP entrie
|
|
Allow to set IPv6 address for Dynamic DNS
set service dns dynamic interface eth2 ipv6-enable
|
|
This commit fixes MSS clamping ranges as well as reintroduces the
clamp-mss-to-pmtu option value to clamp to PMTU instead.
|
|
Co-authored-by: initramfs <initramfs@initramfs.io>
|
|
|