Age | Commit message (Collapse) | Author |
|
To accept a Proxy Protocol header on incoming TCP connections,
add an accept-proxy parameter to the bind line in a frontend section.
This parameter detects both Proxy Protocol version 1 (text format)
and Proxy Protocol version 2 (binary format).
set load-balancing reverse-proxy backend <tag> server <tag> send-proxy
|
|
Improve and refactoring "load-balancing reverse-proxy"
- replace 'reverse-proxy server <tag>'
=> 'reverse-proxy service <tag>'
- replace 'reverse-proxy global-parameters tls <xxx>'
=> 'reverse-proxy global-parameters tls-version-min xxx'
=> 'reverse-proxy global-parameters ssl-bind-ciphers xxx'
- replace 'reverse-proxy service https rule <tag> set server 'xxx'
=> 'reverse-proxy service https rule <tag> set backend 'xxx'
'service https rule <tag> domain-name xxx' set as multinode
|
|
T5222: Add load-balancing for web traffic
|
|
|
|
Avoids the following warning, and any external service from
re-activating syslog via systemd socket activation:
frebib@vyos# commit
[ system syslog ]
DEBUG/COMMAND returned (err):
Warning: Stopping syslog.service, but it can still be activated by:
syslog.socket
DEBUG/COMMAND cmd 'systemctl stop syslog.service'
Signed-off-by: Joe Groocock <me@frebib.net>
|
|
os.unlink() is the correct function:
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/system-syslog.py", line 146, in <module>
generate(c)
File "/usr/libexec/vyos/conf_mode/system-syslog.py", line 114, in generate
os.path.unlink(rsyslog_conf)
^^^^^^^^^^^^^^
AttributeError: module 'posixpath' has no attribute 'unlink'
Signed-off-by: Joe Groocock <me@frebib.net>
|
|
There is no need for the backend code to call ethtool and try to change speed or
duplex settings every time there is a change in the interface configuration,
but no change for the speed/duplex subnodes. This also makes the commit itself
faster when working with ethernet interfaces.
Bonus: no repeating CLI messages that the driver does not support speed/duplex
changes, as we do not change anything here.
Extension to commit f2ecc9710 ("ethernet: T3891: honor auto-negotiation support
per NIC")
|
|
When enabling identity-based-config, users can add arbitrary config keys
that are processed by ocserv. The user "must know" what he is been doing, as
invalid config option will make the ocserv daemon go ... whoop!
Thus add a warning and inform the user about this setting.
|
|
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
|
|
T5219: ddclient: Allow not set login for Cloudflare API token
|
|
|
|
|
|
T5215: add a built-in ping check for VRRP groups
|
|
|
|
Add RADIUS accounting-interim-interval option for PPTP-server
Specifies interval in seconds to send accounting information
(may be overridden by radius Acct-Interim-Interval attribute)
set vpn pptp remote-access authentication radius accounting-interim-interval '52'
|
|
Add RADIUS accounting-interim-interval option for L2TP-server
Specifies interval in seconds to send accounting information
(may be overridden by radius Acct-Interim-Interval attribute)
set vpn l2tp remote-access authentication radius accounting-interim-interval '120'
|
|
T5060: Add disable option for high-availability
|
|
syslog: T2778: T2769: refactoring and VRF support
|
|
|
|
Allow syslog messages to be sent through a VRF (e.g. management).
|
|
|
|
Add 'maintenance mode' (option disable) for high-availability
set high-availability disable
|
|
Use 'vyos-wan-load-balance.service' for load-balancing instead of
old start and stop 'vyatta-wanloadbalance.init' script
|
|
|
|
|
|
T5171: Use XML for loadbalancing wan instead of old templates
|
|
Use XML and python3 for 'load-balancing wan'
Use Jinja2 templates instead of old vyatta-wanloadbalance.pl to
generate configuration '/run/load-balance/wlb.conf' wich used by
/opt/vyatta/sbin/wan_lb
|
|
|
|
Without the change users might get confused as the setting is specified
on the VyOS CLI but never makes it to FRR due to an internal FRR check.
|
|
When we delete vrf vni there is a dictionary
{'only_vrf': 'red', 'new_frr_config': '!\n'}
|
|
Add verify() section to check if l3vni was removed in addition to the BGP
process under any given VRF.
|
|
|
|
|
|
|
|
|
|
We must only search and replace for "vrf red" or "vrf green" - the regex
used infact matched on all VRFs which is wrong. This would remove all VRF VNI
configurations when only changing a single VRf.
|
|
|
|
Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing it's child nodes.
|
|
With commit 0ea3e1420 ("container: T5082: switch to netavark network stack")
moving to a new network stack we should also enable the new DNS plugin provided
by default.
TODO: add CLI nodes to manually disable DNS and/or supply external DNS servers
to the container.
|
|
If the name of the network + the length of the podman- prefix exceeds
the maximum supported length of netavark we get an error:
Error: netavark: get bridge interface: Netlink error: Numerical result out of
range (os error 34)
|
|
|
|
|
|
It is possible to install a route-map which filters the routes between routing
daemons and the OS kernel (zebra)
As of now this can be done by e.g.
* set protocols ospf route-map foo
* set protocols ospfv3 route-map foo
* set protocols bgp route-map foo
Which in turn will install the following lines into FRR
* ip protocol ospf route-map foo
* ipv6 protocol ospf6 route-map foo
* ip protocol bgp route-map foo
The current state of the VyOS CLI is incomplete as there is no way to:
* Install a filter for BGP IPv6 routes
* Install a filter for static routes
* Install a filter for connected routes
Thus the CLI should be redesigned to close match what FRR does for both the
default and any other VRF
* set system ip protocol ospf route-map foo
* set system ipv6 protocol ospfv3 route-map foo
* set system ip protocol bgp route-map foo
* set system ipv6 protocol bgp route-map foo
The configuration can be migrated accordingly. This commit does not come with
the migrator, it will be comitted later.
|
|
|
|
Initially the option 'rate-limit' was implemented with the
wrong place in the CLI:
set vpn pptp remote-access authentication rate-limit <xxx>
Expected under 'radius' section:
set vpn pptp remote-access authentication radius rate-limit <xxx>
Configuration for 'rate-limit' (Jinja2 template) never worked for
pptp, fix it.
|
|
Fix for Telegraf agent hostname isn't qualified
Try to get hostname from FQDN and then from hostname
Used for metrics
You may have more than one machine with different domain names
r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost
It helps to detect from which exectly host we get metric for
InfluxDB2
|
|
We cannot use both 'port' and 'port-group' for the same direction
in one rule at the same time
Otherwise it generates wrong rules that don't block anything
set P_pgrp {
type inet_service
flags interval
auto-merge
elements = { 101-105 }
}
chain NAME_foo {
tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10"
counter return comment "foo default-action accept"
}
|
|
Jinja2 template uses {{ plugin_dir }} that it gets from the
interface-openvpn.py variable 'plugin_dir' but the correct var
should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
|
|
Networks are started only as soon as there is a consumer. If only a network is
created in the first place, no need to assign it to a VRF as there's no
consumer, yet.
|
|
maxsyslogins
maximum number of all logins on system; user is not
allowed to log-in if total number of all user logins is
greater than specified number (this limit does not apply
to user with uid=0)
set system login max-login-session 2
|