summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-11-06T5702: SNMP add interface-mib max-interfaces-number and prefixViacheslav Hletenko
- Allow to configure only required interface prefixes set service snmp mib interface 'eth' set service snmp mib interface 'bond' include_ifmib_iface_prefix eth bond Sets the interface name prefixes to include in the IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls. A set of space separated interface name prefixes will reduce the CPU load for IF-MIB processing. For example, configuring "include_ifmib_iface_prefix eth dummy lo" will include only interfaces with these prefixes and ignore all others for IF-MIB processing. - Allow to configure maximum interface number set service snmp mib interface-max '100' ifmib_max_num_ifaces NUM Sets the maximum number of interfaces included in IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls (on Linux). Setting a reasonable maximum for the CPU used will reduce the CPU load for IF-MIB processing. For example, configuring "ifmib_max_num_ifaces 500" will include only the first 500 interfaces based on ifindex and ignore all others for IF-MIB processing.
2023-11-05vxlan: T3700: add bridge dependency call when altering member interfacesChristian Breunig
Commit 7f6624f5a6f8bd ("vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridges") added support for Single VXLAN Device (SVD) containers supported by the Linux Kernel. When working with bridge VIFs it turned out that when deleting a VIF all the VXLAN tunnel mappings got deleted, too. In order to avoid this, if the bridge has a VXLAN member interface which vlan-to-vni mapping enabled, we add a dependency that we call VXLAN conf-mode script after messing arround with the bridge VIFs and re-create tunnel mappings.
2023-11-05ddclient: T5708: Migration to 3.11.1 and related improvementsIndrajit Raychaudhuri
- Migrate to ddclient 3.11.1 and enforce debian/control dependency - Add dual stack support for additional protocols - Restrict usage of `porkbun` protocol, VyOS configuration structure isn't compatible with porkbun yet - Improve and cleanup error messages
2023-11-05ddclient: T5708: Validate proper use of `web-options`Indrajit Raychaudhuri
`web-options` is only applicable when using HTTP(S) web request to obtain the IP address. Apply guard for that.
2023-11-05ddclient: T5708: Migrate `timeout` to `interval`Indrajit Raychaudhuri
Time interval in seconds to wait between DNS updates would be a bit more intuitive as `interval` than `timeout`.
2023-11-05T5713: Strip string after "secret" in IPSEC configRageLtMan
Make "strip-private" strip the string after "secret"
2023-11-04T5706: Add custom systemd udev rules to exclude dynamic interfacesViacheslav Hletenko
Add custom systemd udev rules to exclude some regular and dynamic interfaces from "systemd-sysctl" calls. It fixes high CPU utilization (100%) as we have a lot of calls per interface for dynamic interfaces like ppp|ipoe|sstp etc. /lib/systemd/systemd-udevd should not be called for those interfaces
2023-11-03Merge pull request #2431 from c-po/wireguard-t5707Christian Breunig
wireguard: T5707: remove previously deconfigured peer
2023-11-02wireguard: T5707: remove previously deconfigured peerChristian Breunig
Changing the public key of a peer (updating the key material) left the old WireGuard peer in place, as the key removal command used the new key. WireGuard only supports peer removal based on the configured public-key, by deleting the entire interface this is the shortcut instead of parsing out all peers and removing them one by one. Peer reconfiguration will always come with a short downtime while the WireGuard interface is recreated.
2023-11-02Merge pull request #2416 from c-po/evpn-mh-t5698Christian Breunig
T5698 EVPN ESI Multihoming
2023-11-02Merge pull request #2427 from sever-sever/T5704Christian Breunig
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions
2023-11-02Merge pull request #2425 from sever-sever/T5700Viacheslav Hletenko
T5700: Fix deprecate telegraf plugin input net
2023-11-02Merge pull request #2423 from sever-sever/T4726Daniil Baturin
T4726: Remove accel-ppp RADIUS vendor validators
2023-11-02T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessionsViacheslav Hletenko
Add `max-starting` option: [common] max-starting=N Specifies maximum concurrent session attempts which server may processed set service pppoe-server max-concurrent-sessions '30' Useful to prevent high CPU utilization and compat execution scripts per time.
2023-11-02Merge pull request #2424 from nicolas-fort/T5705Christian Breunig
T5705: rsyslog: fix error when level=al
2023-11-02T5700: Fix deprecate telegraf plugin input netViacheslav Hletenko
DeprecationWarning: Value "false" for option "ignore_protocol_stats" of plugin "inputs.net" deprecated since version 1.27.3 and will be removed in 1.36.0: use the 'inputs.nstat' plugin instead
2023-11-02T5705: rsyslog: fix error when level=all. Replace <all> with wildcard <*>, ↵Nicolas Fort
as it's done with facility. Create basic smoketest for syslog
2023-11-01T4726: Remove accel-ppp RADIUS vendor validatorsViacheslav Hletenko
The vendor name could contain Uppercase or lowercase symbols and not rely on the dictionary name but on dictionary value / # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor VENDOR Cisco 9 Another example VENDOR Alcatel-IPD 6527 This way if we use `vendor=cisco` instead of `vendor=Cisco` it will not work at all Delete vendor validators
2023-11-01T5559: Add static neighbor-proxy featureViacheslav Hletenko
Ability to set ip neigbhor proxy set protocols static neighbor-proxy arp 192.0.2.1 interface 'eth0' set protocols static neighbor-proxy arp 192.0.2.2 interface 'eth0' set protocols static neighbor-proxy nd 2001:db8::1 interface 'eth1'
2023-11-01smoketest: vxlan: T5699: fix "external" CLI optionChristian Breunig
After commit cc7ba8824 ('vxlan: T5699: migrate "external" CLI know to "parameters external"') We also need to adjust the testcase for ARP/ND suppression.
2023-11-01Merge pull request #2370 from sever-sever/T1797Viacheslav Hletenko
T1797: Delete VPP from vyos-1x as it is implemented in addon
2023-10-31nat: T5681: fix CLI versionChristian Breunig
Fix commit 51abbc0f1b2 ("T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher (valid for interfaces and groups) in firewal, nat and nat66") that added a migrator but did not bump the version number.
2023-10-31T5558: smoketest: fix nat definitions on dialup-router-medium-vpn #2Christian Breunig
This extends commit 6248b2ae1 ("T5558: smoketest: fix nat definitions on dialup-router-medium-vpn") that missed out eth1 interface.
2023-10-31Merge pull request #2413 from c-po/t5668-vxlanChristian Breunig
vxlan: T5668: add CLI knob to enable ARP/ND suppression
2023-10-30Merge pull request #2417 from c-po/vxlan-t5699Christian Breunig
vxlan: T5699: migrate "external" CLI know to "parameters external"
2023-10-30vxlan: T5699: migrate "external" CLI know to "parameters external"Christian Breunig
As we have a bunch of options under "paramteres" already and "external" is clearly one of them it should be migrated under that node as well.
2023-10-30vxlan: T5668: add CLI knob to enable ARP/ND suppressionChristian Breunig
In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions [1] that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host. In Linux, the above is implemented in the bridge driver using a per-port option called "neigh_suppress" that was added in kernel version 4.15. [1] https://www.rfc-editor.org/rfc/rfc7432#section-10
2023-10-30bgp: T5698: add support for EVPN MultihomingChristian Breunig
2023-10-30bond: T5698: add support for EVPN MultihomingChristian Breunig
set interfaces bonding bond10 evpn es-df-pref '50' set interfaces bonding bond10 evpn es-id '10' set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab' set interfaces bonding bond10 member interface 'eth3' set interfaces bonding bond10 mode '802.3ad'
2023-10-29Merge pull request #2414 from nicolas-fort/T5558-fix-natChristian Breunig
T5558: smoketest: fix nat definitions on dialup-router-medium-vpn.
2023-10-29T5558: smoketest: fix nat definitions on dialup-router-medium-vpn.Nicolas Fort
2023-10-29Merge pull request #2408 from nicolas-fort/T5513-show-fwallChristian Breunig
T5513: firewall: update op-mode command show firewall.
2023-10-29op-mode: T5661: add "monitor ssh dynamic-protection" command to follow the ↵Christian Breunig
logfile
2023-10-29op-mode: T5661: remove call to sudo in ssh.py and move it to XML definitionChristian Breunig
Try to have as few calls to sudo in the op-mode scripts as possible. The XML definitions can deal with it.
2023-10-29op-mode: T5661: use common journalctl syntax for sshguardChristian Breunig
This makes the code more easy to maintain in the future if everyone uses the same structure when calling journalctl.
2023-10-26Merge pull request #2369 from JeffWDH/currentDaniil Baturin
T5661: Add show show ssh dynamic-protection attacker and show log ssh…
2023-10-26T5513: T5564: update op-mode command show firewall. Counter available for ↵Nicolas Fort
default actions and extend references for firewall groups
2023-10-25Merge pull request #2406 from nicolas-fort/T5681Christian Breunig
T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher
2023-10-25Merge pull request #2405 from sever-sever/T5683Christian Breunig
T5683: Fix reverse-proxy PKI filenames mismatch
2023-10-25T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
(valid for interfaces and groups) in firewal, nat and nat66.
2023-10-25T5683: Fix reverse-proxy PKI filenames mismatchViacheslav Hletenko
The current named for certificates are hardcoded in generated config to: - ca.pem - cert.pem.key - cert.pem It cause a generated config certificates and certificates itself are different (test-cert-1.pem and ca.pem) bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem /run/haproxy/ca.pem It is a bug of initial impelemtation. Fix required correct names from PKI certificates
2023-10-24Merge pull request #2355 from nicolas-fort/T5643Christian Breunig
T5643: nat: add interface-groups to nat. Use same cli structure for i…
2023-10-23Merge pull request #2395 from yzguy/yzguy/T5676Christian Breunig
T5675: Use addr_prefix instead of addr in NAT66 source rule prefix parsing
2023-10-23Merge pull request #2396 from yzguy/yzguy/T5677Christian Breunig
T5677: show lldp neighbors shows empty platform if descr not in lldpctl output
2023-10-23T5677: lldp shows empty platform if descr not in lldpctl outputAdam Smith
2023-10-22T5675: use addr_prefix instead of addr in NAT66 ruleAdam Smith
2023-10-22Merge pull request #2391 from sever-sever/T5299Viacheslav Hletenko
T5299: Add missed option ceiling for QoS shaper
2023-10-22Merge pull request #2386 from c-po/vxlan-t5671Christian Breunig
vxlan: T5671: change port to IANA assigned default port
2023-10-22vxlan: T5671: warn about changed default port numberChristian Breunig
2023-10-22T5299: Add missed option ceiling for QoS shaperViacheslav Hletenko
Add missed option `ceil` for QoS class 'trafficshaper'