Age | Commit message (Collapse) | Author |
|
|
|
http-api: T4442: Add action reset
|
|
Add action 'reset' (op-mode) for HTTP-API
http://localhost/reset
curl --unix-socket /run/api.sock -X POST -Fkey=mykey \
-Fdata='{"op": "reset", "path": ["ip", "bgp", "192.0.2.14"]}' \
http://localhost/reset
|
|
configtest: T4382: errors exposed by revision of load-config
|
|
The migration script bgp/0-to-1 did not address
'protocols bgp ASN' -> 'protocols bgp local-as ASN'
under a vrf. Move to configs.no-load for review on extending/adding a
migration script.
|
|
The config vrf-basic reveals a missing block in the migration script
vrf/0-to-1, moving 'next-hop-vrf' to 'vrf'. As this only exists in
Sagitta, modify script 0-to-1. Also, fix the 'system nt' typo seen in
vrf-ospf.
|
|
As a result of the firewall/5-to-6 migration script,
'firewall options interface vtun0 adjust-mss'
is moved to:
'interfaces openvpn vtun0 ip adjust-mss 1380'
however, interfaces-openvpn.xml.in is missing the include file
ipv4-options.xml.i. Add missing include file.
|
|
The pki-ipsec sagitta-era config contains
'vpn ipsec ipsec-interfaces interface eth0'
with ipsec component version ipsec@6, however, this construction is
successfully moved by migration script ipsec/5-to-6. Consequently, this
must have been an error in translation of the config file. Note that
this is unrelated to the corrected error regarding an empty
'ipsec-interfaces' node. Move config to configs.no-load for review.
|
|
bgp_small_as contains set commands such as:
'protocols static route 10.0.0.0/8 MY-NAS distance 254'
which would appear to have no meaning, in any VyOS version.
Move to config.no-load for analysis.
|
|
The component version in bgp-dmvpn-spoke is nat@5, however, 4-to-5
removes the boolean argument. It is confirmed that the migration script
works correctly, hence, it must be a typo in translation; remove
argument 'enable'.
|
|
The config file isis-small has system@20, but 'user level' which was
migrated in system/16-to-17; remove the line in the config, as there is
no problem with the migration script in question.
|
|
This is a typo in vrf-ospf: 'system nt' on the line before 'system ntp'.
|
|
The configs bgp_bfd_communities and bgp_big_as_cloud reveal a
counterexample to the independence of component migration scripts:
quagga migration scripts must precede those of bgp; explicitly reorder
from lexical order.
|
|
Migration of bgp-azure-ipsec-gateway and bgp_dmvpn_hub reveals that
migration script ipsec/5-to-6 leaves the empty node 'ipsec-interfaces'
after moving the interface; fix the migration script, as it is not yet
in 1.3.
|
|
ocserv: T4420: show configured 2FA OTP key
|
|
FRR: T4020: Added CLI options for FRR daemons
|
|
syntax
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
monitoring: T4418: Add output plugin azure-data-explorer
|
|
Add output telegraf Plugin Azure Data Explorer
set service monitoring telegraf azure-data-explorer authentication client-id 'x'
set service monitoring telegraf azure-data-explorer authentication client-secret 'x'
set service monitoring telegraf azure-data-explorer authentication tenant-id 'x'
set service monitoring telegraf azure-data-explorer database 'x'
set service monitoring telegraf azure-data-explorer group-metrics 'single-table'
set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
|
|
|
|
|
|
T4432: display load averages normalized for the number of CPU cores
|
|
|
|
ppppoe-server: T4373: Add option multiplier for correct shaping
|
|
Multiplier option is required by some vendors for correct shaping
For RADIUS based rate-limits
edit service pppoe-server
set authentication radius rate-limit multiplier '0.001'
|
|
|
|
|
|
We do not only allow individual host addresses but also prefixes.
|
|
|
|
sshguard: T4408: Add service ssh dynamic-protection
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
|
|
|
|
systemd has its internal reload or restart logic - we do not need to programm
it on our own.
|
|
|
|
Revert "NHRP : T4399: fix issues restart nhrp when add or del tunnel"
|
|
policy: T4424: Fix incorrect format for IPv6 prefixes
|
|
|
|
This reverts commit d1455f936ca721633fcc04d5c84169b4ccf2f447.
New spokes can't register on hub with 'reload-or-restart' option
And requires option 'restart' for opennhrp.service
|
|
T4405: Fix administrative distance of DHCP routes
|
|
- Default dhclient script only uses value of `$IF_MERIC` envvar for default route recived via `router` option.
- This variable has no effect on rotes received via `rfc3442-classless-static-routes` option
- Considering that Vyos overrrides `ip` command originating from `dhclient` this can be easily fixed in `iptovtysh()` function by using the `$IF_METRIC` envvar directly in the dhclient hook.
(cherry picked from commit 0c00e7bf8b6e68814607fde4ff0cd70ce9f4b486)
|
|
Firewall: T990: Add snat and dnat connection status on firewall
|
|
Do no longer store container images which are pulled from any registry to
/config/containers. Instead save them to a unified location that is the same
accross all images on the system: /usr/lib/live/mount/persistence/container/storage
Reason for this change is, while living under /config/containers a VyOS image
upgrade copied all downloaded container images to the new image - doubling the
used space per image on every upgrade. With the new location the images are
all the same for every VyOS image running. Container userdata can still be
stored under /config and copied to a newer image making rollbacks still
efficient.
|