Age | Commit message (Collapse) | Author |
|
firewall|nat rules.
(cherry picked from commit 3c0634e572ffdecaf24a9dac16678427f22761ab)
|
|
If we have any `vpn ipsec` and `protocol nhrp` configuration we
get the empty configuration file `/run/opennhrp/opennhrp.conf`
after rebooting the system.
Use config dependency instead of the old `resync_nhrp` function
fixes this issue
(cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
|
|
(cherry picked from commit 6a97fdfa1ba9b4135a51498ea5acabb804256b2c)
|
|
(cherry picked from commit 298bcc5cb90c4c83981ec4baaaa0db785306867d)
|
|
Example:
vyos@vyos# set protocols ospfv3 redistribute bgp
Possible completions:
metric OSPF default metric
metric-type OSPF metric type for default routes (default: 2)
route-map Specify route-map name to use
(cherry picked from commit ed2c288c8a9031f91acf76d20b84e2002696981c)
|
|
(cherry picked from commit 3480d92a8c4d84e8c1f94a9362bac2be0cc77921)
|
|
Implement VyOS ASCII art contest winners logo as the default for our MOTD
(cherry picked from commit 0ea3a454cf560171d3eb9d4d1b97b172c06360fe)
|
|
required
(cherry picked from commit 6f7d1e15665655e37e8ca830e28d9650445c1217)
|
|
It does not make sense to perform the "podman login" command when setting up
containers, as images are not automatically pulled in from the registry - due
to issues with the default route during startup.
The same issue manifests in "podman login" where we can not login to a registry
unless there is a default route present.
This commit changes the behavior that the container registry is part of the
configuration, but it is only referenced during "add container image" and thus
never during system boot.
(cherry picked from commit baf30d8319ef4d0f0cc4cdf0f7c12f03f8a492b6)
|
|
In order to keep the proper priority list during system startup and on initial
setup/commit for this feature the dependent VXLAN code should not be called,
if the interface in question does not exist (yet).
(cherry picked from commit dbe8c613bb80bc8b714398825054ade5942ea75b)
|
|
* set system login user <name> disable
(cherry picked from commit 6e0b146ed3b90da577c3ecba38836883fd435e7a)
|
|
* set system ip nht no-resolve-via-default
* set system ipv6 nht no-resolve-via-default
(cherry picked from commit ece0e768f36e52f8964823d891264d7c187204ec)
|
|
Removed dhcp-interface option (l2tp)
Added wins-server (sstp)
Added description (ipoe, pppoe, sstp, pptp)
Added exteded-script (l2tp, sstp, pptp)
Added shaper (ipoe, pptp, sstp, l2tp)
Added limits (ipoe, pptp, sstp, l2tp)
Added snmp ( ipoe, pptp,sstp, l2tp)
Refactoring and reformated code.
(cherry picked from commit ac6a16f6c5ad7700789759e1ec093236c2e182a2)
|
|
(cherry picked from commit 78820752b936e77d30f995498ff36487c5c6af87)
|
|
(cherry picked from commit 0f8bf6bd0fb29cfd638e9920674e7ad1d1d25350)
|
|
(cherry picked from commit ac2d7dfac6073d0f232191ec494f78a8d12889e4)
|
|
set pki openssh rpki private key ...
set pki openssh rpki public key ...
set pki openssh rpki public type 'ssh-rsa'
(cherry picked from commit 8c78ef0879f22ffd4a5f7fdb175e9109b46e9d7b)
|
|
Rewritten authentication node in accel-ppp services
to a single view. In particular - PPTP authentication.
(cherry picked from commit 018110200c9a82815dd5d0510f0732d7159c0d59)
|
|
Hide unexpected output by attempts of deleting `qdisc` from
interfaces
[ qos ]
Error: Cannot find specified qdisc on specified device.
Error: Cannot delete qdisc with handle of zero.
(cherry picked from commit 6dcb68ba5553ac94eb3a9da4a915999500b00ab2)
|
|
Always enable VRF strict_mode
(cherry picked from commit 117fbcd6237b59f54f2c1c66986a8ce073808c84)
|
|
vpn: T5926: IPSEC does not apply after l2tp configuration was changed
added dependency between l2tp and ipsec conf
added test for apply config to swanctl
(cherry picked from commit e697ed1e7fd5c33f8082b2f4f96c42fc822ec9a5)
|
|
Fix verify error for the VPN OpenConnect configuration with
local authentication and without any user
File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify
if not ocserv["authentication"]["local_users"]:
KeyError: 'local_users'
(cherry picked from commit 71644dfed63f6248525db3c3bc9493c059707a2a)
|
|
(cherry picked from commit 586863bf3a9cb1dd1c0d74b628d00096b905740f)
|
|
(cherry picked from commit 52e9707a43290f5f826766e2c42c5f0db3c9adec)
|
|
T5971: Rewritten ppp options in accel-ppp services (backport #2891)
|
|
Rewritten 'ppp-options' to the same view in all accel-ppp services.
Adding IPv6 support to PPTP.
(cherry picked from commit d9e57fe65dd538c6ea80637f4f6f23cf11dc583d)
|
|
Modify the dynamic dns configuration 'address' subpath for better
clarity on how the address is obtained.
Additionally, remove `web-options` and fold those options under the
path `address web`.
|
|
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
|
|
dns: T5959: Streamline dns forwarding service (backport #2854)
|
|
appropiate commands to populate such groups using source and destination address of the packet.
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
|
|
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
|
|
Streamline configuration and operation of dns forwarding service in
following ways:
- Remove `dns_forwarding_reset.py` as its functionality is now covered
by `dns.py`
- Adjust function names in `dns.py` to disambiguate between DNS
forwarding and dynamic DNS
- Remove `dns_forwarding_restart.sh` as its functionality is inlined in
`dns-forwarding.xml`
- Templatize systemd override for `pdns-recursor.service` and move the
generated override files in /run. This ensures that the override files
are always generated afresh after boot
- Simplify the systemd override file by removing the redundant overrides
- Relocate configuration path for pdns-recursor to `/run/pdns-recursor`
and utilize the `RuntimeDirectory` default that pdns-recursor expects
- We do not need to use custom `--socket-dir` path anymore, the default
path (viz., `/run/pdns-recursor` is fine)
(cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)
|
|
Moved ipv6 pools to named ipv6 pools in accel-ppp services
(cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
|
|
Denied using command 'route-target vpn export/import'
with 'both' together in bgp configuration.
(cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
|
|
system-option: T5979: Add configurable kernel boot options (backport #2886)
|
|
A code path was missing to check if only priority is available in the result of
"ip --json -4 rule show", in the case of l3mdev it's a dedicated key!
(cherry picked from commit a009143a62caca207fdffffcf0b490c747a87025)
|
|
There is no need to add and remove this table during runtime - it can lurk
in the standard firewall init code.
(cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
|
|
This prevents the following error when configuring the first VRF:
sysctl: cannot stat /proc/sys/net/vrf/strict_mode: No such file or directory
(cherry picked from commit a821b8c603999665ce8a77acb0e44a743811992a)
|
|
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
* set protocols bfd profile <name> minimum-ttl <1-254>
(cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
|
|
|
|
QoS policy shaper-hfsc was not implemented after rewriting the
traffic-policy to qos policy. We had CLI but it does not use the
correct class. Add a basic implementation of policy shaper-hfsc.
Write the class `TrafficShaperHFS`
(cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
|
|
Add support to run hsflowd in a dedicated (e.g. management) VRF.
Command will be "set system sflow vrf <name>" like with any other service
(cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
|
|
firewall: T5729: T5681: T5217: backport subsystem from current branch
|
|
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
|
|
* set service ntp leap-second [ignore|smear|system|timezone]
Where timezone is the new and old default resulting in adding "leapsectz right/UTC"
to chrony.conf. The most prominent new option is "smear" which will add
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly
to chrony.
See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for
additional information
(cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
|
|
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while
moving to KEA as DHCP server.
* set service dhcp-server global-parameters
* set service dhcp-server shared-network-name <name> shared-network-parameters
* set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters
Please open feature requests if any DHCP option is missing and should be added
as a proper CLI node to make your life easier.
|
|
dhcp: T5952: validate duplicate MAC and IP address in static-mappings incl. smoketests
|
|
Backport of the conntrack system from current branch.
(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
|
|
smoketests
(cherry picked from commit 62a8ef29d6238d5b777c3e946c132aca16a813c3)
(cherry picked from commit eb4cac98cb3790eb888d4ea7626781b9afbea8f4)
|