summaryrefslogtreecommitdiff
path: root/src/conf_mode
AgeCommit message (Collapse)Author
2023-05-19T5222: reverse-proxy add send-proxy option for backend serverViacheslav Hletenko
To accept a Proxy Protocol header on incoming TCP connections, add an accept-proxy parameter to the bind line in a frontend section. This parameter detects both Proxy Protocol version 1 (text format) and Proxy Protocol version 2 (binary format). set load-balancing reverse-proxy backend <tag> server <tag> send-proxy
2023-05-19T5222: Refactoring load-balancing reverse-proxyViacheslav Hletenko
Improve and refactoring "load-balancing reverse-proxy" - replace 'reverse-proxy server <tag>' => 'reverse-proxy service <tag>' - replace 'reverse-proxy global-parameters tls <xxx>' => 'reverse-proxy global-parameters tls-version-min xxx' => 'reverse-proxy global-parameters ssl-bind-ciphers xxx' - replace 'reverse-proxy service https rule <tag> set server 'xxx' => 'reverse-proxy service https rule <tag> set backend 'xxx' 'service https rule <tag> domain-name xxx' set as multinode
2023-05-17Merge pull request #2004 from sever-sever/T5222Christian Breunig
T5222: Add load-balancing for web traffic
2023-05-17T5222: Add load-balancing for web trafficViacheslav Hletenko
2023-05-14T5224: Stop syslog.socket alongside syslog.serviceJoe Groocock
Avoids the following warning, and any external service from re-activating syslog via systemd socket activation: frebib@vyos# commit [ system syslog ] DEBUG/COMMAND returned (err): Warning: Stopping syslog.service, but it can still be activated by: syslog.socket DEBUG/COMMAND cmd 'systemctl stop syslog.service' Signed-off-by: Joe Groocock <me@frebib.net>
2023-05-14T5224: Fix `del system syslog`Joe Groocock
os.unlink() is the correct function: Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/system-syslog.py", line 146, in <module> generate(c) File "/usr/libexec/vyos/conf_mode/system-syslog.py", line 114, in generate os.path.unlink(rsyslog_conf) ^^^^^^^^^^^^^^ AttributeError: module 'posixpath' has no attribute 'unlink' Signed-off-by: Joe Groocock <me@frebib.net>
2023-05-12ethernet: T3891: add conditional code-path when doing speed/duplex changesChristian Breunig
There is no need for the backend code to call ethtool and try to change speed or duplex settings every time there is a change in the interface configuration, but no change for the speed/duplex subnodes. This also makes the commit itself faster when working with ethernet interfaces. Bonus: no repeating CLI messages that the driver does not support speed/duplex changes, as we do not change anything here. Extension to commit f2ecc9710 ("ethernet: T3891: honor auto-negotiation support per NIC")
2023-05-12ocserv: T3896: improve XML definition and add warning about 3rd party configsChristian Breunig
When enabling identity-based-config, users can add arbitrary config keys that are processed by ocserv. The user "must know" what he is been doing, as invalid config option will make the ocserv daemon go ... whoop! Thus add a warning and inform the user about this setting.
2023-05-12Merge pull request #1783 from PeppyH/T3896-ocserv-config-per-xChristian Breunig
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
2023-05-12Merge pull request #2002 from Zen3515/fix-cloudflare-ddnsChristian Breunig
T5219: ddclient: Allow not set login for Cloudflare API token
2023-05-12T5219: ddclient: Cloudflare doesn't require loginZen3515
2023-05-12vrrp: T5215: fix VRRP commit error when health check is not configuredDaniil Baturin
2023-05-10Merge pull request #1987 from dmbaturin/T5251-vrrp-group-pingChristian Breunig
T5215: add a built-in ping check for VRRP groups
2023-05-10vrrp: T5215: Add built-in ping check for VRRP groupsDaniil Baturin
2023-05-10T5213: Add accounting-interim-interval option for PPTP-serverViacheslav Hletenko
Add RADIUS accounting-interim-interval option for PPTP-server Specifies interval in seconds to send accounting information (may be overridden by radius Acct-Interim-Interval attribute) set vpn pptp remote-access authentication radius accounting-interim-interval '52'
2023-05-10T5213: Add accounting-interim-interval option for L2TP-serverViacheslav Hletenko
Add RADIUS accounting-interim-interval option for L2TP-server Specifies interval in seconds to send accounting information (may be overridden by radius Acct-Interim-Interval attribute) set vpn l2tp remote-access authentication radius accounting-interim-interval '120'
2023-05-09Merge pull request #1984 from sever-sever/T5060Christian Breunig
T5060: Add disable option for high-availability
2023-05-09Merge pull request #1985 from c-po/t2778-syslogChristian Breunig
syslog: T2778: T2769: refactoring and VRF support
2023-05-09T5214: Fix warning if a named pool is defined for PPPoE-serverViacheslav Hletenko
2023-05-08syslog: T2769: add VRF supportChristian Breunig
Allow syslog messages to be sent through a VRF (e.g. management).
2023-05-08syslog: T2778: migrate to get_config_dict()Christian Breunig
2023-05-08T5060: Add disable option for high-availabilityViacheslav Hletenko
Add 'maintenance mode' (option disable) for high-availability set high-availability disable
2023-05-05T5203: Use vyos-wan-load-balance.service for load-balancingViacheslav Hletenko
Use 'vyos-wan-load-balance.service' for load-balancing instead of old start and stop 'vyatta-wanloadbalance.init' script
2023-05-04dns-forwarding: T5193: implement NS resource typeChristian Breunig
2023-05-04dns-forwarding: T5193: use f'ormat strings when building messagesChristian Breunig
2023-05-04Merge pull request #1973 from sever-sever/T5171Christian Breunig
T5171: Use XML for loadbalancing wan instead of old templates
2023-05-02T5171: Rewrite load-balancing wan to XML and python3Viacheslav Hletenko
Use XML and python3 for 'load-balancing wan' Use Jinja2 templates instead of old vyatta-wanloadbalance.pl to generate configuration '/run/load-balance/wlb.conf' wich used by /opt/vyatta/sbin/wan_lb
2023-04-30T5150: harmonize verify() error message - encapsulate variable in "" quotesChristian Breunig
2023-04-27bgp: T5010: add verify() for L2VPN EVPN route-distinguisher and route-targetChristian Breunig
Without the change users might get confused as the setting is specified on the VyOS CLI but never makes it to FRR due to an internal FRR check.
2023-04-27T5181: Fix condition to detect correct vrf name for vrf-vniViacheslav Hletenko
When we delete vrf vni there is a dictionary {'only_vrf': 'red', 'new_frr_config': '!\n'}
2023-04-26bgp: T5181: FRR can not tear down VRF isntance if l3vni is still configuredChristian Breunig
Add verify() section to check if l3vni was removed in addition to the BGP process under any given VRF.
2023-04-26vrf: T5174: ensure no duplicate VNIs can be definedChristian Breunig
2023-04-26T5181: Fix for correct deleting vni under vrfViacheslav Hletenko
2023-04-25vrf: T5150: fix improper config dict generation for individual vni configurationChristian Breunig
2023-04-23vrf: T5150: must use no_tag_node_value_mangle when working with the config dictChristian Breunig
2023-04-21vrf: T5150: fix regex used on frr-reload when searching for discrete VRFChristian Breunig
We must only search and replace for "vrf red" or "vrf green" - the regex used infact matched on all VRFs which is wrong. This would remove all VRF VNI configurations when only changing a single VRf.
2023-04-21vrf: T5150: l3vni must be removed prior to removing BGP VRF processChristian Breunig
2023-04-20ocserv: T3896: refactor: change ocserv config-per-x node nameJamie Austin
Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing it's child nodes.
2023-04-14container: T5082: enable aardvark-dns supportChristian Breunig
With commit 0ea3e1420 ("container: T5082: switch to netavark network stack") moving to a new network stack we should also enable the new DNS plugin provided by default. TODO: add CLI nodes to manually disable DNS and/or supply external DNS servers to the container.
2023-04-14container: T5082: shorten container network prefix to allow longer namesChristian Breunig
If the name of the network + the length of the podman- prefix exceeds the maximum supported length of netavark we get an error: Error: netavark: get bridge interface: Netlink error: Numerical result out of range (os error 34)
2023-04-13T5150: initial VRF support for Kernel/Zebra route-map filteringChristian Breunig
2023-04-13T5150: do not apply zebra route-map from routing-daemon config levelChristian Breunig
2023-04-13T5150: initial implementation of new Kernel/Zebra route-map supportChristian Breunig
It is possible to install a route-map which filters the routes between routing daemons and the OS kernel (zebra) As of now this can be done by e.g. * set protocols ospf route-map foo * set protocols ospfv3 route-map foo * set protocols bgp route-map foo Which in turn will install the following lines into FRR * ip protocol ospf route-map foo * ipv6 protocol ospf6 route-map foo * ip protocol bgp route-map foo The current state of the VyOS CLI is incomplete as there is no way to: * Install a filter for BGP IPv6 routes * Install a filter for static routes * Install a filter for connected routes Thus the CLI should be redesigned to close match what FRR does for both the default and any other VRF * set system ip protocol ospf route-map foo * set system ipv6 protocol ospfv3 route-map foo * set system ip protocol bgp route-map foo * set system ipv6 protocol bgp route-map foo The configuration can be migrated accordingly. This commit does not come with the migrator, it will be comitted later.
2023-04-13eigrp: T2472: remove pprint debug statementChristian Breunig
2023-04-11T4727: Change and fix RADIUS rate-limit option for pptpViacheslav Hletenko
Initially the option 'rate-limit' was implemented with the wrong place in the CLI: set vpn pptp remote-access authentication rate-limit <xxx> Expected under 'radius' section: set vpn pptp remote-access authentication radius rate-limit <xxx> Configuration for 'rate-limit' (Jinja2 template) never worked for pptp, fix it.
2023-04-11T5152: Get default hostname for telegraf from FQDN or hostnameViacheslav Hletenko
Fix for Telegraf agent hostname isn't qualified Try to get hostname from FQDN and then from hostname Used for metrics You may have more than one machine with different domain names r1 domain-name foo.local, hostname myhost r2 domain-name bar.local, hostname myhost It helps to detect from which exectly host we get metric for InfluxDB2
2023-04-10T5065: Add verify for firewall port-group and portViacheslav Hletenko
We cannot use both 'port' and 'port-group' for the same direction in one rule at the same time Otherwise it generates wrong rules that don't block anything set P_pgrp { type inet_service flags interval auto-merge elements = { 101-105 } } chain NAME_foo { tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10" counter return comment "foo default-action accept" }
2023-04-10T5148: Fix OpenVPN plugin dir variableViacheslav Hletenko
Jinja2 template uses {{ plugin_dir }} that it gets from the interface-openvpn.py variable 'plugin_dir' but the correct var should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
2023-04-06container: T5147: ensure container network exists before VRF operationChristian Breunig
Networks are started only as soon as there is a consumer. If only a network is created in the first place, no need to assign it to a VRF as there's no consumer, yet.
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2