Age | Commit message (Collapse) | Author |
|
We cannot use both 'port' and 'port-group' for the same direction
in one rule at the same time
Otherwise it generates wrong rules that don't block anything
set P_pgrp {
type inet_service
flags interval
auto-merge
elements = { 101-105 }
}
chain NAME_foo {
tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10"
counter return comment "foo default-action accept"
}
|
|
T1237: Failover route add checks for multiple targets
|
|
T4770: Ability to get OpenVPN iface state and description for raw
|
|
Jinja2 template uses {{ plugin_dir }} that it gets from the
interface-openvpn.py variable 'plugin_dir' but the correct var
should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
|
|
|
|
|
|
There is only one target for checking ICMP/ARP
Extend it for checking multiple targets
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11'
The route will be installed only if all targets are 'alive'
|
|
Networks are started only as soon as there is a consumer. If only a network is
created in the first place, no need to assign it to a VRF as there's no
consumer, yet.
|
|
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
|
|
maxsyslogins
maximum number of all logins on system; user is not
allowed to log-in if total number of all user logins is
greater than specified number (this limit does not apply
to user with uid=0)
set system login max-login-session 2
|
|
Rewritten opennhrp script using vyos.ipsec library
|
|
T5125: Sflow op-mode add event_samples_suppressed option
|
|
Add numbers for all dhclient-exit-hooks.d to enforce script order execution
Also, move '99-run-user-hooks' to '98-run-user-hooks' due to
vyatta-dhclient-hook bug and exit with 'exit 1' it is
described in the https://vyos.dev/T4856, so we should move this hook
to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
|
|
Add "Packet drops suppressed" option
Rename "Samples drop events sent" to "Packet drops sent"
|
|
Container networks now can be bound to a specific VRF instance.
set vrf name <foo> table <xxx>
set container network <name> vrf <foo>
|
|
Add new metric, the number of packet-drop-events sent
|
|
Commit fe82d86d ("container: T4959: add registry authentication option") looked
up the wrong config dict level when validating that both username and password
need to be specified when registries are in use.
|
|
We now support assigning discrete IPv6 addresses to a container.
|
|
Commit 52e51ffb ("container: T5047: restart only containers that changed")
started to iterate over a NoneType which is invalid. This happened when a
network description was changed but no container was due for restart.
|
|
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
|
|
|
|
Add op-mode for sFlow based on hsflowd "show sflow"
Add machine readable format '--raw' and formatted output
|
|
|
|
Fixed 'reset vpn ipsec profile' command
using vici library and new op-mode style.
Added ability to use 'reset vpn ipsec profile' command
with 'remote-host' option.
|
|
|
|
|
|
dns: T5115: Support custom port for name servers for forwarding zones
|
|
interfaces: T4885: add 'clear interfaces counters' to op-mode
|
|
ntp: T5118: Remove vestigial ntp completion script
|
|
Commit cb872efb ("frr: T5045: lift LimitNOFILE 1024 -> 4096") added both
LimitNOFILE and LimitNOFILESoft parameters for FRR, as "systemctl cat frr.service"
showed both versions.
During daemon startup systemd complains:
Unknown key name 'LimitNOFILESoft' in section 'Service', ignoring.
So the key got removed again.
|
|
This isn't used anymore after migration from ntpd to chrony as part of
T3008.
|
|
By default VyOS used to restart all containers it managed. This makes no sense
as it will be service disrupting. Instead only restart the containers that had
changes on the CLI beeing made.
|
|
As podman is going to use netavark as new default we must explicitly select
the old driver until we have migrated to netavark.
|
|
|
|
This would allow using custom ports in name server operating on non-
default port for forwarding zones.
This is a follow-up to T5113 for sake of completeness and having
consistent treatment of all name servers configured in PowerDNS recursor.
Additionally, migrate `service dns forwarding domain example.com server`
to `service dns forwarding domain foo3.com name-server` for consistency
and reusability.
|
|
|
|
|
|
graphql: T5106: extend generation of API client requests to configsession and composite requests
|
|
dns: T5113: Support custom port for name-server forwarders
|
|
Support custom port for name-server forwarders that would allow using
custom ports in name server forwarders to enable forwarding to
alternative name servers (unbound, stubby, dnscrypt-proxy etc.)
operating on non-default port.
This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards
(pdns doesn't support certificate check for validity yet) by enabling
'dot-to-port-853'. This is set by default if compiled in with DoT support.
See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853
This also partially implements T921, T2195 (DoT without certificate check).
Implementation details:
- In 'dns/forwarding' configuration, 'name-server' now allows optional
'port' (defaults to 53).
- Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional
'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used
to avoid impacting other places where it is reused because not all of
them honor ports (mostly VPN related).
- The `host:port` entries to be used by PowerDNS recursor config are
normalized eagerly at the point of loading VyOS `Config` instead of
doing them lazily while rendering the Jinja2 template to keep the
implementation less intrusive. The alternative would entail making
quite a bit of change in how 'vyos-hostsd' processes 'static'
'name_servers' entries or persists their runtime states.
|
|
'show interfaces counters' correctly displays counter stats after a call
to 'clear interfaces counters', however, 'show interfaces detail' does
not. Add missing update to counter stats.
|
|
T5099: IPoE-server add option next-pool for named ip pools
|
|
T5108: Add option rate-limit for l2tp pptp sstp ipoe raw format
|
|
There is a missing usefull option 'rate-limit' for
L2TP/PPTP/SSTP/IPoE raw output format
|
|
|
|
|
|
|
|
|
|
|
|
|