Age | Commit message (Collapse) | Author |
|
We must only search and replace for "vrf red" or "vrf green" - the regex
used infact matched on all VRFs which is wrong. This would remove all VRF VNI
configurations when only changing a single VRf.
|
|
ipsec: T5042: Rewritten 'show vpn ipsec remote-access' command
|
|
|
|
Add policy (any-available|all-available) for target checking for failover route
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check policy 'any-available'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.1'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.11'
It depends if we need that all targets must be alive on just one target.
|
|
Apply validations and completions to dynamic DNS protocols supported.
This also opens up additional protocols supported by ddclient 3.10.
Additional details:
- Validation and constraint have been added for interface names as well.
- While at it, the help texts got some copyedit and rewording.
|
|
Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing it's child nodes.
|
|
pki: T3642: Fix show command if no CA certs are present
|
|
op-mode: T5159: dhcpv6 incorrect warning message
|
|
The operational command "show dhcpv6 server leases" shows a warning message e
ven if dhcpv6 setting are configured and ipv6 address
got assigned to clients.
|
|
|
|
Adjust the output of dynamic dns status to be compatible with both
legacy and new ddclient cache format. This is necessary because the
legacy format is still used by some of the dyndns2 family of protocols.
This is a follow-up to commit 3f3621b6874354.
|
|
Split script to small functions for flexible output reports.
Improve header for commands.
Each funciton easily can be modified or extended.
Remove splitting command/output via percent symbol.
Remove old commands and directiories like /etc/rc.local, iptables,
brctl, etc.
Remove ethtool operation for subinterfaces.
Extend ethtool debug output.
Add correct nftables command.
|
|
Now 'show vpn ipsec remote-access' shows only IKEv2 Remote access
VPN IPSec connections.
Added option 'summary' that shows a summary table for
these connections.
Added option 'detail' that shows only RA SAs output of 'swanctl -l'
Added options 'username' and 'connection-id' that filters output.
Fixed output 'show vpn ipsec sa detail', the previous was
'show vpn ipsec sa verbose'.
|
|
With commit 0ea3e1420 ("container: T5082: switch to netavark network stack")
moving to a new network stack we should also enable the new DNS plugin provided
by default.
TODO: add CLI nodes to manually disable DNS and/or supply external DNS servers
to the container.
|
|
If the name of the network + the length of the podman- prefix exceeds
the maximum supported length of netavark we get an error:
Error: netavark: get bridge interface: Netlink error: Numerical result out of
range (os error 34)
|
|
T5150: implementation of new Kernel/Zebra route-map support
|
|
T5137: refactoring the tech-support command
|
|
|
|
|
|
|
|
It is possible to install a route-map which filters the routes between routing
daemons and the OS kernel (zebra)
As of now this can be done by e.g.
* set protocols ospf route-map foo
* set protocols ospfv3 route-map foo
* set protocols bgp route-map foo
Which in turn will install the following lines into FRR
* ip protocol ospf route-map foo
* ipv6 protocol ospf6 route-map foo
* ip protocol bgp route-map foo
The current state of the VyOS CLI is incomplete as there is no way to:
* Install a filter for BGP IPv6 routes
* Install a filter for static routes
* Install a filter for connected routes
Thus the CLI should be redesigned to close match what FRR does for both the
default and any other VRF
* set system ip protocol ospf route-map foo
* set system ipv6 protocol ospfv3 route-map foo
* set system ip protocol bgp route-map foo
* set system ipv6 protocol bgp route-map foo
The configuration can be migrated accordingly. This commit does not come with
the migrator, it will be comitted later.
|
|
|
|
Initially the option 'rate-limit' was implemented with the
wrong place in the CLI:
set vpn pptp remote-access authentication rate-limit <xxx>
Expected under 'radius' section:
set vpn pptp remote-access authentication radius rate-limit <xxx>
Configuration for 'rate-limit' (Jinja2 template) never worked for
pptp, fix it.
|
|
Fix for Telegraf agent hostname isn't qualified
Try to get hostname from FQDN and then from hostname
Used for metrics
You may have more than one machine with different domain names
r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost
It helps to detect from which exectly host we get metric for
InfluxDB2
|
|
dns: T5144: Improve dns dynamic status output
|
|
T5065: Add verify for firewall port-group and port
|
|
We cannot use both 'port' and 'port-group' for the same direction
in one rule at the same time
Otherwise it generates wrong rules that don't block anything
set P_pgrp {
type inet_service
flags interval
auto-merge
elements = { 101-105 }
}
chain NAME_foo {
tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10"
counter return comment "foo default-action accept"
}
|
|
Debian's `debian/2%2.10-12` update of the hostap packaging added a
ConditionFileNotEmpty directive for `/etc/hostapd/<...>` paths, which
doesn't match the `/run/hostapd/<...>` paths that VyOS uses. This commit
updates the override file to use the proper VyOS paths.
https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
|
|
T1237: Failover route add checks for multiple targets
|
|
T4770: Ability to get OpenVPN iface state and description for raw
|
|
Jinja2 template uses {{ plugin_dir }} that it gets from the
interface-openvpn.py variable 'plugin_dir' but the correct var
should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
|
|
|
|
|
|
There is only one target for checking ICMP/ARP
Extend it for checking multiple targets
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11'
The route will be installed only if all targets are 'alive'
|
|
Refactoring the tech-support command from .sh to .py
|
|
Networks are started only as soon as there is a consumer. If only a network is
created in the first place, no need to assign it to a VRF as there's no
consumer, yet.
|
|
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
|
|
maxsyslogins
maximum number of all logins on system; user is not
allowed to log-in if total number of all user logins is
greater than specified number (this limit does not apply
to user with uid=0)
set system login max-login-session 2
|
|
Rewritten opennhrp script using vyos.ipsec library
|
|
Improve and fix the output of dynamic dns status to be compatible with
new ddclient cache format.
Additional details:
- The status output is now formatted as a table with per-host dual-stack
information in rows. Columns not having actual value present in the
output will be kept empty.
- The 'Last update' column is now formatted in Local time format instead
of UTC.
|
|
T5125: Sflow op-mode add event_samples_suppressed option
|
|
Add numbers for all dhclient-exit-hooks.d to enforce script order execution
Also, move '99-run-user-hooks' to '98-run-user-hooks' due to
vyatta-dhclient-hook bug and exit with 'exit 1' it is
described in the https://vyos.dev/T4856, so we should move this hook
to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
|
|
Add "Packet drops suppressed" option
Rename "Samples drop events sent" to "Packet drops sent"
|
|
Container networks now can be bound to a specific VRF instance.
set vrf name <foo> table <xxx>
set container network <name> vrf <foo>
|
|
Add new metric, the number of packet-drop-events sent
|
|
Commit fe82d86d ("container: T4959: add registry authentication option") looked
up the wrong config dict level when validating that both username and password
need to be specified when registries are in use.
|
|
We now support assigning discrete IPv6 addresses to a container.
|
|
Commit 52e51ffb ("container: T5047: restart only containers that changed")
started to iterate over a NoneType which is invalid. This happened when a
network description was changed but no container was due for restart.
|
|
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
|
|
|