Age | Commit message (Collapse) | Author |
|
|
|
Modify the configuration path to be consistent with the usual dialects
of VyoS configuration (wireguard, dns, firewall, etc.)
This would also shorten the configuration path and have a unified
treatment for RFC2136-based updates and other 'web-service' based updates.
While at it, add support for per-service web-options. This would allow
for probing different external URLs on a per-service basis.
|
|
(cherry picked from commit db51546edd653d3637cb26d6957ce5222d44d395)
|
|
ddclient: T5573,T5574,T5612,T5708: Backport ddclient related changes
|
|
Additionally, templatize system service override and move it to the
runtime path.
(cherry picked from commit eb906739047187c322b6ce9efe7c9479bed9a024)
|
|
Migration to 3.11.1 follow-up: This should make `ddclient.conf` parsing
more resilient to edge cases (particularly when `password` isn't the
last option right before the host parameter).
ddclient config parser applies special treatment to the password field
and would unwrap the quotes automatically.
Also, switch from now deprecated `use=no` to `use=disabled`.
|
|
Time interval in seconds to wait between DNS updates would be a bit
more intuitive as `interval` than `timeout`.
|
|
Add support for per-service cache management for ddclient providers
via `wait-time` and `expiry-time` options. This allows for finer-grained
control over how often a service is updated and how long the hostname
will be cached before being marked expired in ddclient's cache.
More specifically, `wait-time` controls how often ddclient will attempt
to check for a change in the hostname's IP address, and `expiry-time`
controls how often ddclient to a forced update of the hostname's IP
address.
These options intentionally don't have any default values because they
are provider-specific. They get treated similar to the other provider-
specific options in that they are only used if defined.
|
|
Adjust the jinja template to avoid generating incorrect ddclient.conf in
some cases. The template is reformatted to guarantee whitespacing and
empty line separation.
|
|
Enable TTL support for web-service based protocols in addition to
RFC2136 based (nsupdate) protocol.
Since TTL is not supported by all protocols, and thus cannot have a
configuration default, the existing XML snippet `include/dns/time-to-live.xml.i`
does not have common `<defaultValue>300</defaultValue>` anymore and is
instead added explicitly whenever necessary.
|
|
Fix VRF support interface definition and configuration mode for ddclient
to actually capture the VRF name and pass it to the template.
|
|
Now that the caching fixes are in place, we can update the config to
remove legacy treatment of ipv4 related properties.
|
|
T5767: HTTPS API add reboot and poweroff endpoints (backport #2516)
|
|
T5419: firewall: backport firewall flowtable to Sagitta.
|
|
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
|
|
Add ability to reboot and poweroff the system via API
curl -k --location --request POST 'https://vyos/reboot' \
--form data='{"op": "reboot", "path": ["now"]}' \
--form key='apikey'
curl -k --location --request POST 'https://vyos/poweroff' \
--form data='{"op": "poweroff", "path": ["now"]}' \
--form key='apikey'
(cherry picked from commit 36f3c329c2df0e78f2f5da933d9729a872fb2a11)
|
|
|
|
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
(cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
|
|
Example:
set interfaces ethernet eth0 dhcp-options user-class VyOS
or
set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
(cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)
|
|
The string data type specifies either an NVT ASCII string enclosed in double
quotes, or a series of octets specified in hexadecimal, separated by colons.
For example:
set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO
or
set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f
As of now there was no input validation performed.
(cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)
|
|
frr: T5733: enable pim6 daemon
|
|
|
|
T4072: firewall: backport bridge firewall to sagitta
|
|
|
|
(cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c)
# Conflicts:
# data/templates/frr/pim6d.frr.j2
# interface-definitions/protocols-pim6.xml.in
# smoketest/scripts/cli/test_protocols_pim6.py
# src/conf_mode/protocols_pim6.py
|
|
(cherry picked from commit 6ce2ecb10884a4b79a7643e22596a2d03d805a91)
|
|
(cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)
|
|
IGMP and PIM are two different but related things.
FRR has both combined in pimd. As we use get_config_dict() and FRR reload it
is better to have both centrally stored under the same CLI node (as FRR does,
too) to just "fire and forget" the commit to the daemon.
"set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"
(cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)
|
|
(cherry picked from commit 45ea9ed72ee11809f69619a40ae243df562de39f)
|
|
Migrate CLI configuration retrival to common get_config_dict(). In addition
add new functionality to VyOS that is PIM related and already available in FRR.
(cherry picked from commit 9abc02edcc237760f1f8aa1b3f08d7f4d18f866c)
# Conflicts:
# python/vyos/frr.py
# src/op_mode/restart_frr.py
|
|
Some OpenVPN clients (OpenVPN3) do not understand address of
gateway for the pushed networks. It leads that pushed routes are
not installed at all.
Replace `subnet | first_host_address` to the `vpn_gateway` to fix it
(cherry picked from commit 480711c329a38b773bb0b8f64f0e50dfc4ea4437)
|
|
(cherry picked from commit 59c8d5febb2b1333643372f8956fa8f219d022cb)
|
|
- Allow to configure only required interface prefixes
set service snmp mib interface 'eth'
set service snmp mib interface 'bond'
include_ifmib_iface_prefix eth bond
Sets the interface name prefixes to include in the IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls.
A set of space separated interface name prefixes will reduce the CPU
load for IF-MIB processing. For example, configuring
"include_ifmib_iface_prefix eth dummy lo" will include only interfaces
with these prefixes and ignore all others for IF-MIB processing.
- Allow to configure maximum interface number
set service snmp mib interface-max '100'
ifmib_max_num_ifaces NUM
Sets the maximum number of interfaces included in IF-MIB data collection.
For servers with a large number of interfaces (ppp, dummy, bridge, etc)
the IF-MIB processing will take a large chunk of CPU for ioctl calls
(on Linux). Setting a reasonable maximum for the CPU used will
reduce the CPU load for IF-MIB processing. For example, configuring
"ifmib_max_num_ifaces 500" will include only the first 500 interfaces
based on ifindex and ignore all others for IF-MIB processing.
(cherry picked from commit 30a05ee1d447c6f92627162a506225f833a80f8c)
|
|
T5716: Fix accel-ppp template down-limiter does not rely on fwmark (backport #2440)
|
|
accel-ppp template shaper `down-limiter` does not rely on `fwmark`
Fix it
(cherry picked from commit cf9229544a30e5aa47e307c021d4798a0162d291)
|
|
Bug introduced in https://github.com/vyos/vyos-1x/commit/8fb6e715d32e7eff77e413d8577059dd55b24c0a
(cherry picked from commit df6ced3811ebe6446039277ff3fc301a83776dc1)
|
|
(cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)
|
|
set interfaces bonding bond10 evpn es-df-pref '50'
set interfaces bonding bond10 evpn es-id '10'
set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
set interfaces bonding bond10 member interface 'eth3'
set interfaces bonding bond10 mode '802.3ad'
(cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
|
|
|
|
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions (backport #2427)
|
|
Add `max-starting` option:
[common]
max-starting=N
Specifies maximum concurrent session attempts which server may processed
set service pppoe-server max-concurrent-sessions '30'
Useful to prevent high CPU utilization and compat execution
scripts per time.
(cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
|
|
DeprecationWarning: Value "false" for option "ignore_protocol_stats"
of plugin "inputs.net" deprecated since version 1.27.3 and will be
removed in 1.36.0: use the 'inputs.nstat' plugin instead
(cherry picked from commit 5476daef7f0fc271089189239599fc8077acba00)
|
|
as it's done with facility. Create basic smoketest for syslog
(cherry picked from commit c5ae7c9e2a141d92b8a716b3dbe3e5b41ee4aaba)
|
|
firewal, nat and nat66.
(cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
|
|
This enables logs capabilities for default-action in base chains.
|
|
|
|
pmacct daemons have one very important specific - they handle control signals in
the same loop as packets. And packets waiting is blocking operation.
Because of this, when systemctl sends SIGTERM to uacctd, this signal has no
effect until uacct receives at least one packet via nflog. In some cases, this
leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks.
As a result, a working folder is not cleaned properly.
This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to
send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd
can detect proper PID, and PIDfile is created by uacctd too late, which leads
to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and
the core process exits with status 1 because it loses connection to plugins too
early. As a result, we have errors in logs, and the systemd service is in a
failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service
stop which unlocks uacctd and allows systemctl to finish its work properly
(cherry picked from commit e364e9813b6833f6b108e7177ef7ea2d9e7bac33)
|
|
(cherry picked from commit 93d2ea7d635c7aa5acf3000654393ea48b7c6405)
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
(cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
|
|
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the
convention used by other config files.
(cherry picked from commit 3a3123485f2ea7b253caa1c49f19c82a0eaa0b37)
|