Age | Commit message (Collapse) | Author |
|
container: T5829: verify container network used supports the given AFI (backport)
|
|
accel-ppp: T5688: Standardized pool configuration in accel-ppp (backport #2501)
|
|
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe
https://github.com/containers/conmon/issues/438
(cherry picked from commit 6c84ff41b92d7c2e0b239dca59955e8a247fecdb)
|
|
Fixed migration script for pppoe-server
(cherry picked from commit 17722f3ee1151d2e4ccf23655f7079615bf61e24)
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Fraimed-IP-Address attribute by radius.
3. Default pool name should be explicidly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
(cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
|
|
(cherry picked from commit 405cc66041d8035500f7b7116301983c48464a9b)
|
|
(cherry picked from commit e70ca62c474b4e2cc135851a6e5cceee037bf378)
|
|
We always enable HTTPS in ddclient configuration, however
`http://checkip.dyndns.org` is HTTP only and does not support HTTPS.
Warn the user if they are using this service.
Also, make `url` in `web-options` mandatory.
|
|
Legacy ddclient allowed arbitrary URLs in web-options, but the new
has stricter validations. Apply migration to the old URLs.
Also migrate checkip.dyndns.org to https://domains.google.com/checkip
for better TLS support.
|
|
When migrating from `service dns dynamic interface <interface> ...` to
`service dns dynamic address <address> ...`, the config name can
potentially have a conflict when `address == 'web'`.
Although the `/run/ddclient/ddclient.conf` that was generated earlier
was incorrect, one could still potentially have misconfigured VyOS
config without realizing it.
We now append the old <interface> name to the config name to avoid
conflict.
|
|
Since `service dns dynamic address <address> service <service> ...`
changed to `service dns dynamic name <service> address <address> ...`,
the resulting service and address config flip can result in conflicting
`service` name.
Additionally, since dynamic DNS service name now have name constraint,
we need to normalize the service name to conform with the constraint.
We now migrate the service name to (service|rfc2136)-<service>-<address>
to avoid the conflict and optionally append an index if there is still a
name conflict after normalization.
|
|
|
|
(cherry picked from commit a9201e77110ce0695e2ba879304aef41b7ac9a0c)
|
|
(cherry picked from commit 2490f22408ad811ff9f63ec970d0167ecbf4ab59)
|
|
node_changed() will return a list of changed keys under "path". We are not
always interested what changed, sometimes we are only interested if something
changed at all, that what vyos.configdict.is_node_changed() is for.
(cherry picked from commit 5e7a8288d06a6d6beee5e1abd2e06698ab778650)
|
|
When deleting SNMP from CLI the 'delete' key was not honored in the config
dictionary, leading to a false process startup causing the following error:
Job for snmpd.service failed because the control process exited with error code.
See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
(cherry picked from commit 20b98e780fda4131eb242921884d4955147ce51a)
|
|
Match mark allows to use firewall marks of packet to use
a specific pool
Example of instance config /run/jool/instance-100.json
```
...
"pool4": [
{
"protocol": "TCP",
"prefix": "192.0.2.10",
"port range": "1-65535",
"mark": 23
},
...
```
(cherry picked from commit 8e1e79cfa24c155c8d504822fbbd3c20f890fb70)
|
|
nat66: T2898: build fix after ndp-proxy backport
|
|
|
|
T2898: add ndp-proxy service (backport #2665)
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
(cherry picked from commit 4d721a58020971d00ab854c37b68e88359999f9c)
|
|
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be
processed or not. This is done using
/proc/sys/net/conf/<iface>/seg6_* variables:
seg6_enabled - BOOL
Accept or drop SR-enabled IPv6 packets on this interface.
Relevant packets are those with SRH present and DA = local.
0 - disabled (default)
not 0 - enabled
Or the VyOS CLI command:
* set protocols segment-routing interface eth0 srv6
(cherry picked from commit 774cc97eda61eb0b91df820797fb3c705d0073d5)
|
|
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is
possible to associate multiple VRF devices to the same table. Conversely, when
net.vrf.strict_mode=1 a table can be associated to a single VRF device.
A VRF table can be used by the VyOS CLI only once (ensured by verify()), this
simply adds an additional Kernel safety net, but a requirement for IPv6 segment
routing headers.
(cherry picked from commit 10701108fecb36f7be7eb7ef5f1e54e63da5fb4e)
|
|
was set to <any>.
(cherry picked from commit 5cb95aed965b45a900c6ba97c0bccefed83332b6)
|
|
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove
explicit call to a separate validator `ipv6-duid` and inline the regex into the
XML definition.
(cherry picked from commit 51e7832fc5c88f9956b26157a80947bad4495a4e)
|
|
and use only PAM auth and JWT
(cherry picked from commit 495bf4732439ebd55edfbf6050af8b2064993d86)
|
|
when no API keys are set
(cherry picked from commit 7bad0e115ecc25224a0c3a2720a2697442624229)
|
|
Add ability to configure multiple SSL certificates for
frontend/service
set load-balancing reverse-proxy service web mode http
set load-balancing reverse-proxy service web port 443
set load-balancing reverse-proxy service web ssl certificate cert1
set load-balancing reverse-proxy service web ssl certificate cert2
(cherry picked from commit fe99c45e05fd5794905145ddca80e6078145c2e8)
|
|
Add recursive_defaults values for BGP "get_config" dictionary.
(cherry picked from commit 4d5445740a1529691594263af22f2a9d07bbfe70)
|
|
Add BMP feature.
BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring
data from BGP routers to network management entities
https://docs.frrouting.org/en/latest/bmp.html
Example:
set system frr bmp
commit
run restart bgp
set protocols bgp system-as '65001'
set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast
set protocols bgp neighbor 192.0.2.11 remote-as '65001'
set protocols bgp bmp mirror-buffer-limit '256000000'
set protocols bgp bmp target foo address '127.0.0.1'
set protocols bgp bmp target foo port '5000'
set protocols bgp bmp target foo min-retry '1000'
set protocols bgp bmp target foo max-retry '2000'
set protocols bgp bmp target foo mirror
set protocols bgp bmp target foo monitor ipv4-unicast post-policy
set protocols bgp bmp target foo monitor ipv4-unicast pre-policy
set protocols bgp bmp target foo monitor ipv6-unicast post-policy
set protocols bgp bmp target foo monitor ipv6-unicast pre-policy
(cherry picked from commit 5523fccf4f7d05444c36c568128e94cd7b08c34f)
|
|
(cherry picked from commit 7ee9297a90625609e568394c9f5ea63e8c95a54b)
|
|
(cherry picked from commit d01aba1f5055cdaa43c8429a2c13580679ec12f7)
|
|
(cherry picked from commit d2b29be237b790bb1a258647adf30c8b96c0b526)
|
|
(cherry picked from commit 2f8b22685065f25183133431502322decede6371)
|
|
(cherry picked from commit 90f2d9865051b00290dd5b7328a046e823b658dc)
|
|
(cherry picked from commit e3cd779d0bd8dd8be6231c7b2028326a03e6a06c)
|
|
(cherry picked from commit cf83979636c686a459d6dc75dcd98e342c70b1b3)
|
|
Restore scanning previous installations for config data and ssh host
keys on install.
(cherry picked from commit 32551842bb0f710f590e8c030395a3a7902aa1df)
|
|
(cherry picked from commit 393b3ccf02902e765bd5cf603d770ba8cad22e75)
|
|
(cherry picked from commit 35f69340ef189e27b380074bb687ad58f29e9433)
|
|
(cherry picked from commit 0fae5b412a359874f1d61a5330064e87a7e6b899)
|
|
(cherry picked from commit bb578a1cab177e8cee6e4d02144d21387ba13a93)
|
|
(cherry picked from commit 0b97bde2cb04cf5e23350798f972abcee4bfe4ee)
|
|
(cherry picked from commit e036f783bc85e4d2bad5f5cbfd688a03a352223e)
|
|
(cherry picked from commit bd701768796d6ebb03ca943faf96d1dbea030edd)
|
|
(cherry picked from commit fc5dc00a3892fa26d03213854ea5091d6b0c2c18)
|
|
(cherry picked from commit 9ffa3e82d951756696367578dd5e82ef0f690065)
|
|
(cherry picked from commit 3d15cfd484e8c2732d9f10e4065f2282f1f5d334)
|
|
(cherry picked from commit cdc5fddfd796ccf7cfe35d2501cb1da380df53b2)
|
|
An attempt to upgrade to 1.2.x is caught, but error is of failed
checksum verification; add check and message.
(cherry picked from commit aae1247da61206d7a1b0b4d6ee20d36d194dbaba)
|