| Age | Commit message (Collapse) | Author |
|---|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
(partially cherry-picked from 1f07dcbddfcfdbb9079936ec479c5633934dd547)
|
|
* fixed the `systemctl restart` command that used a value from config instead
converted to `ttyUSBX`
* moved systemd units from `/etc/` to `/run/`
(cherry picked from commit ad1236e8d72ff29e0e2215df175b6f032fba75eb)
|
|
|
|
wireguard: T5413: Blocked adding the peer with the router's public key
|
|
Signed-off-by: Daniil Baturin <daniil@baturin.org>
|
|
|
|
This reverts commit 57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e.
|
|
The new verification code prevents it from being used,
but it's not a reason to keep it
|
|
pppoe: T5630: make MRU default to MTU if unspecified (backport #2527)
|
|
Disabled adding the peer with the same public key as the router has.
Backport from current
https://github.com/vyos/vyos-1x/pull/2122
|
|
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU
in addition to already configurable MTU") and restores the bahavior that MRU
defaults to MTU if MRU is not explicitly set.
This was the behavior in VyOS 1.3.3 and below before we added ability to define
the MRU value.
(cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
|
|
unless PAM auth is enabled for GraphQL
(cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
|
|
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
T5586: Disable by default SNMP for Keeplived VRRP service
|
|
set interfaces vxlan vxlan23 address '100.64.10.2/24'
set interfaces vxlan vxlan23 remote '192.0.2.1'
set interfaces vxlan vxlan23 source-address '192.0.2.5'
set interfaces vxlan vxlan23 vni '23'
commit
set interfaces vxlan vxlan23 port '4789'
commit
vyos@r1# ip -d link show dev vxlan23
12: vxlan23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 22:6e:6d:33:c5:6b brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 23 remote 192.0.2.1 local 192.0.2.5 srcport 0 0 dstport 8472
Port remains at the default value of 8472
This has been fixed
|
|
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it.
|
|
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
(cherry picked from commit 005151f77be5cf999689cfd03620bbc39df59018)
|
|
T5506: Add link-local IPv6 address for container interfaces
|
|
Add interface type veth (Virtual ethernet)
One of the usecases it's interconnect different vrf's and
default vrf via bridge
set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0
vyos@r1:~$ ping 10.0.0.10 count 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
|
|
Fix for adding IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
(cherry picked from commit ffb798b4678f3b1bd0a40cc42b1f0477470346dc)
|
|
Fix for removing key id from GRE tunnel
Before fix:
del interfaces tunnel tun10 parameters ip key
commit
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit key 1234
After the fix:
sudo ip tunnel show tun10
tun10: gre/ip remote 203.0.113.254 local 192.168.122.11 ttl 64 tos inherit
|
|
login: T4790: Added check of the sum of radius timeouts
|
|
Added check of the sum of login radius timeouts.
It has to be less or eq 50 sec.
Added check of a number of login radius servers.
It has to be less or eq 8
Otherwise, log in to the device can be discarded.
Backported from 1.4
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
(cherry picked from commit a409b255acc3dc0a67058593e31b3614e20714f0)
|
|
(cherry picked from commit ca7c063666c038d104082542f04ead6062e79246)
|
|
This is a radvd limitation.
(cherry picked from commit 8ef017a3496467433c311af63116af7657c58037)
|
|
Allow syslog messages to be sent through a VRF (e.g. management).
(cherry picked from commit 46d2bcdb0b500b4d1b9d973ab5b9ca3c6cf44e51)
|
|
Users might add the podman network interface to a zone based firewall. This
could cuase breaking configs on upgrades to 1.4.
As container support is not yet released for 1.3 LTS version (will be 1.3.3),
we once rename the network interface to match the schema in VyOS 1.4.
|
|
T4727: Add RADIUS rate-limit attribute for vpn pptp
|
|
Fix for Telegraf agent hostname isn't qualified
Try to get the hostname from FQDN and then from the hostname
Used for metrics
You may have more than one machine with different domain names
r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost
It helps to detect from which exactly host we get metrics for
InfluxDB2
|
|
Add rate-limit attribute, multiplier, vendor specific attribute
for the [shaper] section
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
(cherry picked from commit fe82d86d3e87cb8d92ebc9d0652c08e3dd79a12c)
|
|
Commit 52e51ffb ("container: T5047: restart only containers that changed")
started to iterate over a NoneType which is invalid. This happened when a
network description was changed but no container was due for restart.
(cherry picked from commit 86d7b8d1d2b53b9fa93bd456abb4ea1b4f2949b6)
|
|
By default VyOS used to restart all containers it managed. This makes no sense
as it will be service disrupting. Instead only restart the containers that had
changes on the CLI beeing made.
(cherry picked from commit 52e51ffbb84996aee9d5b94eebf64589ead31225)
|
|
(cherry picked from commit 05e00b986a563681b038b226c86c83a29d6da820)
|
|
Event-handler allows executing a custom script when detects
some configured "pattern regex"
set service event-handler event first filter pattern '.*ssh2.*'
set service event-handler event first script arguments '192.0.2.5'
set service event-handler event first script environment interface value 'eth0'
set service event-handler event first script path '/config/scripts/hello.sh'
It is the backport from 1.4
|
|
|
|
Ability setting container hostname
This host name is used as /etc/hostname
set container name <tag> host-name 'mybox'
(cherry picked from commit c68d73e6720a7df2b48df17ac7b9b4c906e0294c)
|
|
options for containers
(cherry picked from commit 53aebddb4ca54b0cc4a296d6cc4c4d960c5f1d73)
|
|
openconnect: T4955: Removed wrong authserver in radiusclient.conf
|
|
As we have the same variable name 'default_values' for container
name, port and volume, it rewrites default container parameters
with default port parameters
Fix it
(cherry picked from commit 679efe8ac7998ba1b8f3c7c4bfc7508d8869907d)
|
|
After merging config dictionary with default values,
radius port the default value was merged not in a proper way.
It is added as a server.
After creating radiusclient.conf added
and the illegal authserver equal 'port'.
Backported from 1.4
|
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
(cherry-picked form commit bd9416a6aa9d5d0a746dc2cebc8d0330fd27d1a2)
|
|
This reverts commit 7b36c363cd5b0168bd83c399f50a0a360ba3ee58.
A general solution is implemented in Commit ae9dde04 ("T4975: always sync()
filesystem after commit").
|
|
User profile files are not saved to disk after configuration is fully applied.
Because of this, after a fast system reset, profile files can be empty, and CLI
is broken.
This fix adds a `sync()` call after the user's configuration, which should
protect from data loss and fix the problem with profiles.
|
