Age | Commit message | Author |
|
firewall: policy: T4741: T4742: Verify zone `from` is defined, autocomplete policy route tables
|
|
ssh: T4716: Ability to configure RekeyLimit data and time
|
|
conntrack-sync: T4730: Fix listen-address jinja2 template
|
|
Listen address has option 'multi'
As a result we have an incorrect template value for listen address
- conntrack-sync listen-address '192.0.2.11' in template
It looks like "IPv4_address ['192.0.2.11']" in the conntrackd.conf
but the correct string expected without brackets
Fix it
|
|
Ability to configure SSH RekeyLimit data (in Megabytes) and
time (in Minutes)
  set service ssh rekey data 1024
  set service ssh rekey time 60
|
|
firewall: T3907: Fix firewall state-policy logging
|
|
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
|
|
T4738: generate schema definitions for configsession functions and use single directive/resolver
|
|
ospf: T4707: Add OSPF segment routing for FRR
|
|
T4726: add completion help and validation for accel-ppp vendor option
|
|
In this commit we add OSPF segment routing, smoke tests, handlers,
FRR template changes, and CLI commands.
|
|
vyos-1x automatically adds a "(default: ...)" hint to the CLI help if the
<defaultValue> XML tag is used. No need to specify this manually.
|
|
Section.interfaces() now has an option for whether it should also return VLAN
interfaces or not. No need to keep a custom logic for it.
|
|
policy: T4660: Changed CLI syntax in route-map set community
|
|
Changed CLI syntax in route-map set community,
set large-community, set extcommunity
Allows adding multiple communities, large-communities
and extcommunities in clear view.
Added new well-known communities.
Added non-transitive feature in extcommunities.
Fixed community's validators.
|
|
T4722: consistent use of the official spelling for RADIUS and IPsec
|
|
FRR supports multiple route-targets to be used for import/export:
  address-family l2vpn evpn
   route-target import 20:10
   route-target import 20:11
   route-target import 20:12
   route-target import 40:40
   route-target export 1:2
   route-target export 1:3
   route-target export 40:40
  exit-address-family
Thus the <multi/> property is added to the relevant CLI nodes.
|
|
firewall: T2199: Fix op-mode script for interface migration and vyos_filter table name
|
|
login: T4715: Auto logout user after inactivity
|
|
Commit bd4588827b ("ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer")
changed the CLI syntax of ipsec. This resulted in a node not renamed in the
op-mode generator when generating IKEv2 IPSec iOS configuration profiles.
|
|
ids: T4557: Update xml-component-version
|
|
nat: T4713: Fix op-mode nat translation output
|
|
Ability to terminate interactive sessions (TTY/PTS) after a period
of inactivity.
  set system login timeout '300'
|
|
conserver: T4717: Support for setting a name for console-server devices
|
|
This adds a new 'alias' property to the console-server device definition
to allow users to connect to a console using a human-readable name
rather than just the device name.
For a configuration like:
  service {
      console-server {
          device ttyUSB0 {
              speed 115200
              alias my-server
          }
      }
  }
Users can connect either by doing `connect console ttyUSB0`, or
`connect console my-server`.
Names:
* Must be unique
* Are limited to 128 characters
* Are optional - if not specified, only the `connect console ttyX`
  form can be used
|
|
login: T4711: Terminate user TTY and PTS sessions
|
|
T4700: Firewall: add interface matching criteria
|
|
Ability to terminate user TTY and PTS sessions
  clear session pts/1
|
|
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS
(Receive Flow Steering)") always adjusted the global rps_sock_flow_entries
configuration. So if RFS was enabled for one NIC but not the other - it did not
work.
According to the documentation:
  RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by
  default for SMP). The functionality remains disabled until explicitly
  configured. The number of entries in the global flow table is set through:
    /proc/sys/net/core/rps_sock_flow_entries
  The number of entries in the per-queue flow table are set through:
    /sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt
  Both of these need to be set before RFS is enabled for a receive queue. Values
  for both are rounded up to the nearest power of two. The suggested flow count
  depends on the expected number of active connections at any given time, which
  may be significantly less than the number of open connections. We have found
  that a value of 32768 for rps_sock_flow_entries works fairly well on a
  moderately loaded server.
This commit sets rps_sock_flow_entries via sysctl on bootup leaving the RFS
configuration to the interface level.
|
|
ids: T4557: Migrate threshold and add new threshold types
|
|
Migrate "service ids ddos-protection threshold xxx" to
"service ids ddos-protection general threshold xxx"
Add new threshold types:
  set service ids ddos-protection threshold tcp xxx
  set service ids ddos-protection threshold udp xxx
  set service ids ddos-protection threshold icmp xxx
|
|