| Age | Commit message (Collapse) | Author |
|---|
|
server certificates
|
|
fails (#3296)
|
|
|
|
Add PoC for generating CGNAT rules
https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, but some of them.
Implemented:
REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP
address mapping for all sessions associated with the same internal
IP address, be they TCP, UDP, ICMP, something else, or a mix of
different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size
or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per
subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
|
|
|
|
T6192: allow binding SSH to multiple VRF instances
|
|
Fixed using 'route-map', 'as-set' and 'summary-only' together in
aggregation in BGP
|
|
bgp: T6151: Allow configuration of disable-ebgp-connected-route-check
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
|
|
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which
was present to update /etc/resolv.conf with the DHCP specified nameservers and
also the search domain list was no longer present.
This commit adds a per interface rendered script to inform vyos-hostsd about
the received IPv6 nameservers and search domains.
|
|
|
|
T5832: VRRP allow set interface for exluded-address
|
|
T5872: ipsec remote access VPN: support dhcp-interface.
|
|
Ability to set interface for `excluded-address`
The excluded-addresses are not listed in the VRRP packet (adverts packets).
We have this ability for `address`, add the same feature for the
excluded-address
```
set high-availability vrrp group GRP-01 excluded-address 192.0.2.202 interface 'dum2'
set high-availability vrrp group GRP-01 excluded-address 192.0.2.203 interface 'dum3'
```
|
|
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service"
with no additional information about a client interface at all.
This results in useless dhclient processes
root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script
root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 -
Which also assign client leases to all local interfaces, if we receive one
valid DHCPOFFER
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ----------------- ----------------- ------- ----- ----- -------------
eth0 - 00:50:56:bf:c5:6d default 1500 u/u
eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u
eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u
172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.
This commit moved the renew command to the DHCP op-mode script to properly
validate if the interface we request a renew for, has actually a dhcp address
configured. In additional this exposes the renew feature to the API.
|
|
dhcp-server high-availability>.
|
|
conntrack: T4022: add RTSP conntrack helper
|
|
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime
must not be smaller than the "interface interval max" definition which defaults
to 600.
set service router-advert interface eth1 nat64prefix 64:ff9b::/96
|
|
|
|
|
|
|
|
|
|
|
|
vrrp: T6020: vrrp health-check script not applied correctly
|
|
|
|
|
|
ospfv3: allow metric and metric-type on redistributed routes
|
|
|
|
Example:
vyos@vyos# set protocols ospfv3 redistribute bgp
Possible completions:
metric OSPF default metric
metric-type OSPF metric type for default routes (default: 2)
route-map Specify route-map name to use
|
|
Use URLs provided by flavor build system and version.json file
|
|
Added health-check to sync-group in CLI
Don't use instance health-check when instance in sync group member
Disallow wrong healtch-check configurations
New smoke test
|
|
This is a fix for commit 665ae50729 ("vyos-hostsd: T4270: do not resolve local
router FQDN to 127.0.1.1") as it made calls to sudo super slow due to:
sudo: unable to resolve host vyos: System error
To avoid the initial issue we only add the hostname without domain name, thus
the FQDN is not resolved by powerdns.
|
|
T5504: Keepalived VRRP ability to set more than one peer-address
|
|
banner: T6077: implement ASCII contest winner default logo
|
|
Added health-check to sync-group in CLI
Don't use instance health-check when instance in sync group member
Disallow wrong healtch-check configurations
New smoke test
|
|
Implement VyOS ASCII art contest winners logo as the default for our MOTD
|
|
|
|
Clients using VyOS as their DNS server and trying to resolve the FQDN of the
router will receive 127.0.1.1 as answer.
set service dns forwarding allow-from '172.16.0.0/12'
set service dns forwarding listen-address '172.31.0.254'
set service dns forwarding negative-ttl '60'
set system domain-name 'vyos.net'
set system host-name 'R1'
Will return:
$ host R1.vyos.net 172.31.0.254
Using domain server:
Name: 172.31.0.254
Address: 172.31.0.254#53
Aliases:
R1.vyos.net has address 127.0.1.1
When it should rather return the real IP address assigned via DNS.
|
|
|
|
Ref: https://www.spinics.net/lists/netfilter/msg59549.html
|
|
T6001: add option to disable next-hop-tracking resolve-via-default
|
|
context
* set vrf name <name> ip nht no-resolve-via-default
* set vrf name <name> ipv6 nht no-resolve-via-default
|
|
* set system ip nht no-resolve-via-default
* set system ipv6 nht no-resolve-via-default
|
|
T6029: Rewritten Accel-PPP services to an identical feature set
|
|
Removed dhcp-interface option (l2tp)
Added wins-server (sstp)
Added description (ipoe, pppoe, sstp, pptp)
Added exteded-script (l2tp, sstp, pptp)
Added shaper (ipoe, pptp, sstp, l2tp)
Added limits (ipoe, pptp, sstp, l2tp)
Added snmp ( ipoe, pptp,sstp, l2tp)
Refactoring and reformated code.
|
|
|
|
bgp: T6032: add EVPN MAC-VRF Site-of-Origin support
|
|
srv6: T5849: add segment support to "protocols static route6"
|
|
In some EVPN deployments it is useful to associate a logical VTEP's Layer 2
domain (MAC-VRF) with a Site-of-Origin "site" identifier. This provides a BGP
topology-independent means of marking and import-filtering EVPN routes
originated from a particular L2 domain. One situation where this is valuable
is when deploying EVPN using anycast VTEPs
set protocols bgp address-family l2vpn-evpn mac-vrf soo
|
|
* set protocols static route6 <prefix> next-hop <address> segments 'x:x::x:x/y:y::y/z::z'
* set protocols static route6 <prefix> interface <interface> segments 'x:x::x:x/y:y::y/z::z'
|
