Smoketest update for T5113 with optional port for name-server forwarders.

Support custom port for name-server forwarders that would allow using
custom ports in name server forwarders to enable forwarding to
alternative name servers (unbound, stubby, dnscrypt-proxy etc.)
operating on non-default port.
This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards
(pdns doesn't support certificate check for validity yet) by enabling
'dot-to-port-853'. This is set by default if compiled in with DoT support.
See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853
This also partially implements T921, T2195 (DoT without certificate check).
Implementation details:
- In 'dns/forwarding' configuration, 'name-server' now allows optional
  'port' (defaults to 53).
- Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional
  'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used
  to avoid impacting other places where it is reused because not all of
  them honor ports (mostly VPN related).
- The `host:port` entries to be used by PowerDNS recursor config are
  normalized eagerly at the point of loading VyOS `Config` instead of
  doing them lazily while rendering the Jinja2 template to keep the
  implementation less intrusive. The alternative would entail making
  quite a bit of change in how 'vyos-hostsd' processes 'static'
  'name_servers' entries or persists their runtime states.

ntp: T5112: Enable support for NTS (Network Time Security) in chrony

This is basic configuration to enable NTS support in chrony.

regex

T5099: IPoE-server add option next-pool for named ip pools

In cases with multiple named IP pools, the option 'next' is required
to be sure that if IP addresses have run out in one pool, then they
would begin to be allocated from the next named pool.
For accel-ppp a specific order is required, as a pool must be defined
before we can use it with the 'next-option'
set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25'
set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool'
set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25'
[ip-pool]
203.0.113.0/25,name=second-pool
192.0.2.0/25,name=first-pool,next=second-pool

T5086: Add smoketest DROP_MONITOR kernel option

T5108: Add option rate-limit for l2tp pptp sstp ipoe raw format

There is a missing useful option 'rate-limit' for
L2TP/PPTP/SSTP/IPoE raw output format

ipsec: T5003: Resolve issue with IPsec DHCP test

tearDown checks for existence of charon process, however this test does not create any connections by design.

T5105: dhcp-server: Fix error message from dhcp-server

ipsec: T5043: Rewritten and fixed 'reset vpn' commands

1. Rewritten CLI of 'reset vpn' commands.
2. Created 'reset vpn ipsec remote-access' commands to reset
   RA IKEv2 session.
3. Created 'reset vpn ipsec site-to-site all' command to reset all
   configured IPSec site-to-site peers sessions.
4. Rewritten 'reset vpn l2t|pptp|sstp' commands to
   new opmode style.

dhcp: pppoe: T5104: fix VRF comparisons

T5050: fix smoketest policy_route, which was failing after previous co…
was merged

T5050: Firewall: Add log options

pppoe: T5098: allow user to set pppd holdoff option

openvpn: T5095: raw output should return list instead of dict

T5086: Fix sflow fix default values for server

We drop the default value 'port' but don't set it again per server.
Fix it.

T5086: Add sFlow drop-monitor-limit option

hsflowd will export the headers of dropped packets (along with the
name of the function in the Linux kernel where that skb was dropped)
as part of the standard sFlow feed.
This measurement complements the sFlow packet sampling and
counter-telemetry well because it provides visibility into the
traffic that is not flowing.
Very helpful for troubleshooting.
The limit (a rate limit max of N drops per second sent out in the
sFlow datagrams) is the parameter you would set in the CLI.
set system sflow drop-monitor-limit 50

T5091: IPoE-server verify RADIUS settings

As we don't have global option 'gateway-address' for ipoe-server
we cannot use general configverify.verify_accel_ppp_base_service
Add verification of RADIUS settings for configuration mode 'radius'
RADIUS authentication requires at least one RADIUS server

T5092: IPoE-server named pool must not rely on auth type

Named pools for ipoe-server must not rely on authentication type
It is a separate global option for [ipoe] and [ip-pool] sections

T5086: Add sFlow feature based on hsflowd

Add sFlow feature based on hsflowd
According to user reviews, it is more stable and more productive
than pmacct
I haven't deleted 'pmacct' 'system flow-accounting sflow' yet
It could be migrated or deprecated later
set system sflow agent-address '192.0.2.14'
set system sflow interface 'eth0'
set system sflow interface 'eth1'
set system sflow polling '30'
set system sflow sampling-rate '100'
set system sflow server 192.0.2.1 port '6343'
set system sflow server 192.0.2.11 port '6343'

T5055: NAT: extend packet-type to NAT

in firewall, to NAT

T5085: Fix ipv6 route-map for ospfv3

Add template to generate zebra
"ipv6 protocol ospf6 route-map xxx"

T2516: Exclude veth interfaces from duplex and speed check

Exclude interfaces with 'veth' driver from duplex and speed check

This reverts commit 9ed4113d6c4809a0126d04c99d60eaa76a7b6b15.

Fix podman error about invalid storage:
[graphdriver] prior storage driver overlay failed: 'overlay' is not supported
over overlayfs, a mount_program is required: backing file system is unsupported
for this graph driver" Error: 'overlay' is not supported over overlayfs, a
mount_program is required: backing file system is unsupported for this graph
driver.