Age | Commit message (Collapse) | Author |
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Fraimed-IP-Address attribute by radius.
3. Default pool name should be explicidly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
(cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
|
|
ddclient: T5144,T5791: Consolidated backport for dynamic dns updates and fixes
|
|
We always enable HTTPS in ddclient configuration, however
`http://checkip.dyndns.org` is HTTP only and does not support HTTPS.
Warn the user if they are using this service.
Also, make `url` in `web-options` mandatory.
|
|
Legacy ddclient allowed arbitrary URLs in web-options, but the new
has stricter validations. Apply migration to the old URLs.
Also migrate checkip.dyndns.org to https://domains.google.com/checkip
for better TLS support.
|
|
When migrating from `service dns dynamic interface <interface> ...` to
`service dns dynamic address <address> ...`, the config name can
potentially have a conflict when `address == 'web'`.
Although the `/run/ddclient/ddclient.conf` that was generated earlier
was incorrect, one could still potentially have misconfigured VyOS
config without realizing it.
We now append the old <interface> name to the config name to avoid
conflict.
|
|
Since `service dns dynamic address <address> service <service> ...`
changed to `service dns dynamic name <service> address <address> ...`,
the resulting service and address config flip can result in conflicting
`service` name.
Additionally, since dynamic DNS service name now have name constraint,
we need to normalize the service name to conform with the constraint.
We now migrate the service name to (service|rfc2136)-<service>-<address>
to avoid the conflict and optionally append an index if there is still a
name conflict after normalization.
|
|
Enforce constraint on Dynamic DNS service name to be alphanumeric
(including hyphens and underscores).
|
|
|
|
|
|
ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces (backport #2689)
|
|
VyOS is a routing (packet pushing) platform, thus supporting EEE which
potentially causes issues is not a good idea. Some recent Intel drivers enable
EEE by default, thus we will disable this for every NIC supporting EEE.
(cherry picked from commit ab30509b25d54dac99294b76ba03fd49c3d2c946)
|
|
snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp" (backport #2687)
|
|
(cherry picked from commit a9201e77110ce0695e2ba879304aef41b7ac9a0c)
|
|
(cherry picked from commit 2490f22408ad811ff9f63ec970d0167ecbf4ab59)
|
|
configdict: T5837: add support to return added nodes when calling node_changed() (backport #2682)
|
|
In the past, node_changed() suggested it would also return nodes that got added
(function comment) but in reality only deleted keys got accounted for.
This commit changes the signature and adds an argument expand_nodes to specify
the users interest of a node was deleted (default), added (expand_nodes=Diff.ADD)
or even both (expand_nodes=Diff.ADD|Diff.DELETE).
(cherry picked from commit 4ee4064705ebd1e1a6a59be0c6df3b96755a067e)
|
|
node_changed() will return a list of changed keys under "path". We are not
always interested what changed, sometimes we are only interested if something
changed at all, that what vyos.configdict.is_node_changed() is for.
(cherry picked from commit 5e7a8288d06a6d6beee5e1abd2e06698ab778650)
|
|
snmp: 5856: fix service removal error (backport #2683)
|
|
When deleting SNMP from CLI the 'delete' key was not honored in the config
dictionary, leading to a false process startup causing the following error:
Job for snmpd.service failed because the control process exited with error code.
See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
(cherry picked from commit 20b98e780fda4131eb242921884d4955147ce51a)
|
|
T160: NAT64 add match firewall mark feature (backport #2677)
|
|
Match mark allows to use firewall marks of packet to use
a specific pool
Example of instance config /run/jool/instance-100.json
```
...
"pool4": [
{
"protocol": "TCP",
"prefix": "192.0.2.10",
"port range": "1-65535",
"mark": 23
},
...
```
(cherry picked from commit 8e1e79cfa24c155c8d504822fbbd3c20f890fb70)
|
|
xml: T5854: clear empty paths left by embedded override of defaultValue (backport #2679)
|
|
(cherry picked from commit 89cd75b8dbe5cc145a4423bf10faa76fd6bdcdbf)
|
|
(cherry picked from commit c4f9c936c9fdd32e7f6258c0dfa8c8cf6057998d)
|
|
nat66: T2898: build fix after ndp-proxy backport
|
|
|
|
T2898: add ndp-proxy service (backport #2665)
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
(cherry picked from commit 4d721a58020971d00ab854c37b68e88359999f9c)
|
|
srv6: T591: enable SR enabled packet processing on defined interfaces (backport #2663)
|
|
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be
processed or not. This is done using
/proc/sys/net/conf/<iface>/seg6_* variables:
seg6_enabled - BOOL
Accept or drop SR-enabled IPv6 packets on this interface.
Relevant packets are those with SRH present and DA = local.
0 - disabled (default)
not 0 - enabled
Or the VyOS CLI command:
* set protocols segment-routing interface eth0 srv6
(cherry picked from commit 774cc97eda61eb0b91df820797fb3c705d0073d5)
|
|
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is
possible to associate multiple VRF devices to the same table. Conversely, when
net.vrf.strict_mode=1 a table can be associated to a single VRF device.
A VRF table can be used by the VyOS CLI only once (ensured by verify()), this
simply adds an additional Kernel safety net, but a requirement for IPv6 segment
routing headers.
(cherry picked from commit 10701108fecb36f7be7eb7ef5f1e54e63da5fb4e)
|
|
T5804: nat: remove inbound|outbound interface from old configuration when it was set to <any>. (backport #2611)
|
|
dhcp: T5846: Ensure DUID regex range is bound (backport #2670)
|
|
was set to <any>.
(cherry picked from commit 5cb95aed965b45a900c6ba97c0bccefed83332b6)
|
|
The DUID regex was missing a lower bound, which could cause it not to
match when it should.
We have to specify the lower bound explicitly as 0 to keep the regex
behavior similar to that in Python (in Python, omitting the lower bound
is equivalent to specifying 0).
(cherry picked from commit 551f06218755076cde588c848c01ce5ca1bf5e6b)
|
|
frr: T4020: re-enable watchfrr in config as it is always running (backport #2668)
|
|
(cherry picked from commit 42614633901713e6472b43f95065d215344843b1)
|
|
dhcp: T5846: Refactor and simplify DUID definition (backport #2664)
|
|
(cherry picked from commit 5768bc2d56cc8aabd8d276a2afc30608c1bc9838)
|
|
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove
explicit call to a separate validator `ipv6-duid` and inline the regex into the
XML definition.
(cherry picked from commit 51e7832fc5c88f9956b26157a80947bad4495a4e)
|
|
Allow the HTTPS API server to start without any configured keys when GraphQL JWT auth is configured (backport #2661)
|
|
and use only PAM auth and JWT
(cherry picked from commit 495bf4732439ebd55edfbf6050af8b2064993d86)
|
|
when no API keys are set
(cherry picked from commit 7bad0e115ecc25224a0c3a2720a2697442624229)
|
|
T5798: load-balancing revese-proxy add multiple SSL certificates (backport #2590)
|
|
Add ability to configure multiple SSL certificates for
frontend/service
set load-balancing reverse-proxy service web mode http
set load-balancing reverse-proxy service web port 443
set load-balancing reverse-proxy service web ssl certificate cert1
set load-balancing reverse-proxy service web ssl certificate cert2
(cherry picked from commit fe99c45e05fd5794905145ddca80e6078145c2e8)
|
|
smoketest: bgp: T4163: use explicit kill to respawn bgpd process
|
|
T5823: Add recursive_defaults for BGP get_config dictionary (backport #2637)
|
|
(cherry picked from commit b873112dd7253b64d323e183758dbabaa0f28b6e)
|
|
(cherry picked from commit 259a3d637081fad9f86a8edb39814d8f0fbf7b95)
|
|
Add recursive_defaults values for BGP "get_config" dictionary.
(cherry picked from commit 4d5445740a1529691594263af22f2a9d07bbfe70)
|