summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-03-27dns: T5113: Support custom port for name-server forwardersIndrajit Raychaudhuri
Smoketest update for T5113 with optional port for name-server forwarders.
2023-03-27dns: T5113: Support custom port for name-server forwardersIndrajit Raychaudhuri
Support custom port for name-server forwarders that would allow using custom ports in name server forwarders to enable forwarding to alternative name servers (unbound, stubby, dnscrypt-proxy etc.) operating on non-default port. This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards (pdns doesn't support certificate check for validity yet) by enabling 'dot-to-port-853'. This is set by default if compiled in with DoT support. See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853 This also partially implements T921, T2195 (DoT without certificate check). Implementation details: - In 'dns/forwarding' configuration, 'name-server' now allows optional 'port' (defaults to 53). - Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional 'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used to avoid impacting other places where it is reused because not all of them honor ports (mostly VPN related). - The `host:port` entries to be used by PowerDNS recursor config are normalized eagerly at the point of loading VyOS `Config` instead of doing them lazily while rendering the Jinja2 template to keep the implementation less intrusive. The alternative would entail making quite a bit of change in how 'vyos-hostsd' processes 'static' 'name_servers' entries or persists their runtime states.
2023-03-25Merge pull request #1913 from indrajitr/chrony-ntsChristian Breunig
ntp: T5112: Enable support for NTS (Network Time Security) in chrony
2023-03-25ntp: T5112: Enable support for NTS (Network Time Security) in chronyIndrajit Raychaudhuri
This is basic configuration to enable NTS support in chrony.
2023-03-24xml: T5109: use common include file for alpha-numeric, hyphen and underscore ↵Christian Breunig
regex
2023-03-23Merge pull request #1901 from sever-sever/T5099Christian Breunig
T5099: IPoE-server add option next-pool for named ip pools
2023-03-23Merge pull request #1908 from sever-sever/T5086-kernChristian Breunig
T5086: Add smoketest DROP_MONITOR kernel option
2023-03-23Merge pull request #1909 from sever-sever/T5108Christian Breunig
T5108: Add option rate-limit for l2tp pptp sstp ipoe raw format
2023-03-23Merge pull request #1910 from sarthurdev/ipsec_testChristian Breunig
ipsec: T5003: Resolve issue with IPsec DHCP test
2023-03-23T5108: Add option rate-limit for l2tp pptp sstp ipoe raw formatViacheslav Hletenko
There is a missing usefull option 'rate-limit' for L2TP/PPTP/SSTP/IPoE raw output format
2023-03-23ipsec: T2816: Cleanup dhcp hook file if not requiredsarthurdev
2023-03-23ipsec: T5003: Resolve issue with ipsec DHCP testsarthurdev
tearDown checks for existence of charon process, however this test does not create any connections by design.
2023-03-23op-mode: T5107: raise error instead of calling exitJohn Estabrook
2023-03-23T5086: Add smoketest DROP_MONITOR kernel optionViacheslav Hletenko
2023-03-22Merge pull request #1905 from nicolas-fort/T5105Christian Breunig
T5105: dhcp-server: Fix error message from dhcp-server
2023-03-22T5105: Fix error message from dhcp-serverNicolas Fort
2023-03-21Merge pull request #1894 from aapostoliuk/T5043-sagittaChristian Breunig
ipsec: T5043: Rewritten and fixed 'reset vpn' commands
2023-03-21Merge pull request #1903 from bstepler/T5104Christian Breunig
dhcp: pppoe: T5104: fix VRF comparisons
2023-03-21ospf: T5102: do not always redistribute babel routesChristian Breunig
2023-03-21dhcp: pppoe: T5104: fix VRF comparisonsBrandon Stepler
2023-03-21Merge pull request #1902 from nicolas-fort/T5050-logChristian Breunig
T5050: fix smoketest policy_route, which was failing after previos co…
2023-03-21T5050: fix smoketest policy_route, which was failing after previos commit ↵Nicolas Fort
was merged
2023-03-21T5099: IPoE-server add option next-pool for named ip poolsViacheslav Hletenko
In cases with multiple named IP pools, it is required the option 'next' to be sure that if IP addresses ended in one pool, then they would begin to be allocated from the next named pool. For accel-ppp it requires specific order as pool must be defined before we can use it with the 'next-option' set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25' set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool' set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25' [ip-pool] 203.0.113.0/25,name=second-pool 192.0.2.0/25,name=first-pool,next=second-pool
2023-03-21Merge pull request #1889 from nicolas-fort/T5050-logViacheslav Hletenko
T5050: Firewall: Add log options
2023-03-21T5050: Firewall: Add log optionsNicolas Fort
2023-03-21Merge pull request #1899 from rgwan/currentChristian Breunig
pppoe: T5098: allow user to set pppd holdoff option
2023-03-21pppoe: T5098: allow user to set pppd holdoff optionZhiyuan Wan
2023-03-20Merge pull request #1896 from jestabro/raw-list-openvpnDaniil Baturin
openvpn: T5095: raw output should return list instead of dict
2023-03-17Merge pull request #1898 from sever-sever/T5086-defChristian Breunig
T5086: Fix sflow fix default values for server
2023-03-17T5086: Fix sflow fix default values for serverViacheslav Hletenko
We drop default values 'port' but don't set it again per server Fix it
2023-03-17Merge pull request #1897 from sever-sever/T5086Christian Breunig
T5086: Add sFlow drop-monitor-limit option
2023-03-17T5086: Add sFlow drop-monitor-limit optionViacheslav Hletenko
hsflowd will export the headers of dropped packets (along with the name of the function in the Linux kernel where that skb was dropped) as part of the standard sFlow feed. This measurement complements the sFlow packet sampling and counter-telemetry well because it provides visibility into the traffic that is not flowing. Very helpful for troubleshooting. The limit (a rate limit max of N drops per second sent out in the sFlow datagrams) is the parameter you would set in the CLI. set system sflow drop-monitor-limit 50
2023-03-16Merge pull request #1895 from sever-sever/T5091Christian Breunig
T5091: IPoE-server verify RADIUS settings
2023-03-16opmode: T4837: support ip route display for specific prefixes inside VRFChristian Breunig
2023-03-16Merge pull request #1893 from sever-sever/T5092Christian Breunig
T5092: IPoE-server named pool must not rely on auth type
2023-03-16Merge pull request #1891 from sever-sever/T5086Christian Breunig
T5086: Add sFlow feature based on hsflowd
2023-03-16openvpn: T5095: raw output should return list instead of dictJohn Estabrook
2023-03-16ipsec: T5043: Rewritten and fixed 'reset vpn' commandsaapostoliuk
1. Rewritten CLI of 'reset vpn' commands. 2. Created 'reset vpn ipsec remote-access' commands to reset RA IKEv2 session. 3. Created 'reset vpn ipsec site-to-site all' command to reset all configured IPSec site-to-site peers sessions. 4. Rewritten 'reset vpn l2t|pptp|sstp' commands to new opmode style.
2023-03-16T5091: IPoE-server verify RADIUS settingsViacheslav Hletenko
As we don't have global option 'gateway-address' for ipoe-server we cannot use general configverify.verify_accel_ppp_base_service Add verify radius setting for configuration mode 'radius' Radius authentication required at least one RADIUS server
2023-03-16T5092: IPoE-server named pool must not rely on auth typeViacheslav Hletenko
Named pools for ipoe-server must not rely on autentication type It is a separate global option for [ipoe] and [ip-pool] sections
2023-03-16T5086: Add sFlow feature based on hsflowdViacheslav Hletenko
Add sFlow feature based on hsflowd According to user reviews, it works more stable and more productive than pmacct I haven't deleted 'pmacct' 'system flow-accounting sflow' yet It could be migrated or deprecated later set system sflow agent-address '192.0.2.14' set system sflow interface 'eth0' set system sflow interface 'eth1' set system sflow polling '30' set system sflow sampling-rate '100' set system sflow server 192.0.2.1 port '6343' set system sflow server 192.0.2.11 port '6343'
2023-03-14Merge pull request #1890 from nicolas-fort/T5055Viacheslav Hletenko
T5055: NAT: extend packet-type to NAT
2023-03-14T5055: NAT: extend packet-type match option which was previously introduced ↵Nicolas Fort
in firewall, to NAT
2023-03-14Merge pull request #1888 from sever-sever/T5085Christian Breunig
T5085: Fix ipv6 route-map for ospfv3
2023-03-14T5085: Fix ipv6 route-map for ospfv3Viacheslav Hletenko
Add template to generate zebra "ipv6 protocol ospf6 route-map xxx"
2023-03-13Merge pull request #1886 from sever-sever/T2516Christian Breunig
T2516: Exclude veth interfaces from duplex and speed check
2023-03-13T2516: Exclude veth interfaces from duplex and speed checkViacheslav Hletenko
Exclude interfaces with 'veth' driver from duplex and speed check
2023-03-12Debian: bump compat (debian helper) version 10 -> 12Christian Breunig
2023-03-12Revert "Debian: T2216: add netavark dependency for podman containers"Christian Breunig
This reverts commit 9ed4113d6c4809a0126d04c99d60eaa76a7b6b15.
2023-03-11container: T5003: add dependency on fuse-overlayfsChristian Breunig
Fix podman error about invalid storage: [graphdriver] prior storage driver overlay failed: 'overlay' is not supported over overlayfs, a mount_program is required: backing file system is unsupported for this graph driver" Error: 'overlay' is not supported over overlayfs, a mount_program is required: backing file system is unsupported for this graph driver.