summaryrefslogtreecommitdiff
path: root/data/templates
AgeCommit message (Collapse)Author
2023-12-08T5805: telegraf: re-add network metricsVladimir F
2023-12-05ddclient: T5791: Update dynamic dns configuration pathIndrajit Raychaudhuri
Modify the configuration path to be consistent with the usual dialects of VyoS configuration (wireguard, dns, firewall, etc.) This would also shorten the configuration path and have a unified treatment for RFC2136-based updates and other 'web-service' based updates. While at it, add support for per-service web-options. This would allow for probing different external URLs on a per-service basis.
2023-12-02 T5796:add/fixed OCSERV HTTP security headersfett0
(cherry picked from commit db51546edd653d3637cb26d6957ce5222d44d395)
2023-12-01Merge pull request #2555 from indrajitr/sagitta-ddclient-backportsChristian Breunig
ddclient: T5573,T5574,T5612,T5708: Backport ddclient related changes
2023-12-01mdns: T5723: Always reload systemd daemon before applying changesIndrajit Raychaudhuri
Additionally, templatize system service override and move it to the runtime path. (cherry picked from commit eb906739047187c322b6ce9efe7c9479bed9a024)
2023-11-30ddclient: T5708: Ensure password is always wrapped in quotesIndrajit Raychaudhuri
Migration to 3.11.1 follow-up: This should make `ddclient.conf` parsing more resilient to edge cases (particularly when `password` isn't the last option right before the host parameter). ddclient config parser applies special treatment to the password field and would unwrap the quotes automatically. Also, switch from now deprecated `use=no` to `use=disabled`.
2023-11-30ddclient: T5708: Migrate `timeout` to `interval`Indrajit Raychaudhuri
Time interval in seconds to wait between DNS updates would be a bit more intuitive as `interval` than `timeout`.
2023-11-30ddclient: T5574: Support per-service cache management for servicesIndrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient to a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider- specific options in that they are only used if defined.
2023-11-30ddclient: T5612: Generate more reliable ddclient configIndrajit Raychaudhuri
Adjust the jinja template to avoid generating incorrect ddclient.conf in some cases. The template is reformatted to guarantee whitespacing and empty line separation.
2023-11-30ddclient: T5612: Enable TTL support for web-service based protocolsIndrajit Raychaudhuri
Enable TTL support for web-service based protocols in addition to RFC2136 based (nsupdate) protocol. Since TTL is not supported by all protocols, and thus cannot have a configuration default, the existing XML snippet `include/dns/time-to-live.xml.i` does not have common `<defaultValue>300</defaultValue>` anymore and is instead added explicitly whenever necessary.
2023-11-30ddclient: T5612: Fix VRF support for ddclient serviceIndrajit Raychaudhuri
Fix VRF support interface definition and configuration mode for ddclient to actually capture the VRF name and pass it to the template.
2023-11-30ddclient: T5573: Update config generation aligning with caching fixesIndrajit Raychaudhuri
Now that the caching fixes are in place, we can update the config to remove legacy treatment of ipv4 related properties.
2023-11-22Merge pull request #2521 from vyos/mergify/bp/sagitta/pr-2516Daniil Baturin
T5767: HTTPS API add reboot and poweroff endpoints (backport #2516)
2023-11-22Merge pull request #2517 from nicolas-fort/T5419-FT-SagittaDaniil Baturin
T5419: firewall: backport firewall flowtable to Sagitta.
2023-11-22Merge pull request #2510 from vyos/mergify/bp/sagitta/pr-2506Daniil Baturin
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
2023-11-21T5767: HTTPS API add reboot and poweroff endpointsViacheslav Hletenko
Add ability to reboot and poweroff the system via API curl -k --location --request POST 'https://vyos/reboot' \ --form data='{"op": "reboot", "path": ["now"]}' \ --form key='apikey' curl -k --location --request POST 'https://vyos/poweroff' \ --form data='{"op": "poweroff", "path": ["now"]}' \ --form key='apikey' (cherry picked from commit 36f3c329c2df0e78f2f5da933d9729a872fb2a11)
2023-11-21T5419: firewall: backport firewall flowtable to Sagitta.Nicolas Fort
2023-11-20http: T5762: api: make API socket backend communication the one and only defaultChristian Breunig
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn backend server. https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging those failing, it was uncovered, that uvicorn only listens on IPv4 connections vyos@vyos# netstat -tulnp | grep 8080 (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN - As the CLI already has an option to move the API communication from an IP to a UNIX domain socket, the best idea is to make this the default way of communication, as we never directly talk to the API server but rather use the NGINX reverse proxy. (cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
2023-11-20dhcp-client: T5760: add CLI option to pass user-class parameterChristian Breunig
Example: set interfaces ethernet eth0 dhcp-options user-class VyOS or set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53 (cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)
2023-11-20dhcp-client: T5760: add constraints for dhclient string optionsChristian Breunig
The string data type specifies either an NVT ASCII string enclosed in double quotes, or a series of octets specified in hexadecimal, separated by colons. For example: set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO or set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f As of now there was no input validation performed. (cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)
2023-11-20Merge pull request #2509 from c-po/pim6-frr-daemon-fixupDaniil Baturin
frr: T5733: enable pim6 daemon
2023-11-20frr: T5733: enable pim6 daemonChristian Breunig
2023-11-19Merge pull request #2498 from nicolas-fort/T4072-sagittaChristian Breunig
T4072: firewall: backport bridge firewall to sagitta
2023-11-16T4072: firewall: backport bridge firewall to sagittaNicolas Fort
2023-11-15pim6: T5733: add missing FRR PIM6 related featuresChristian Breunig
(cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c) # Conflicts: # data/templates/frr/pim6d.frr.j2 # interface-definitions/protocols-pim6.xml.in # smoketest/scripts/cli/test_protocols_pim6.py # src/conf_mode/protocols_pim6.py
2023-11-15igmp: T5736: support per interface "disable" CLI nodeChristian Breunig
(cherry picked from commit 6ce2ecb10884a4b79a7643e22596a2d03d805a91)
2023-11-15pim: T5733: fix CLI level of global PIM commandsChristian Breunig
(cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)
2023-11-15igmp: T5736: migrate "protocols igmp" to "protocols pim"Christian Breunig
IGMP and PIM are two different but related things. FRR has both combined in pimd. As we use get_config_dict() and FRR reload it is better to have both centrally stored under the same CLI node (as FRR does, too) to just "fire and forget" the commit to the daemon. "set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp" (cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)
2023-11-15pim: T5733: rename watermark-warn -> watermark-warningChristian Breunig
(cherry picked from commit 45ea9ed72ee11809f69619a40ae243df562de39f)
2023-11-15pim: T5733: add missing FRR PIM related featuresChristian Breunig
Migrate CLI configuration retrival to common get_config_dict(). In addition add new functionality to VyOS that is PIM related and already available in FRR. (cherry picked from commit 9abc02edcc237760f1f8aa1b3f08d7f4d18f866c) # Conflicts: # python/vyos/frr.py # src/op_mode/restart_frr.py
2023-11-14T5728: OpenVPN server replace first_host_address to vpn_gatewayViacheslav Hletenko
Some OpenVPN clients (OpenVPN3) do not understand address of gateway for the pushed networks. It leads that pushed routes are not installed at all. Replace `subnet | first_host_address` to the `vpn_gateway` to fix it (cherry picked from commit 480711c329a38b773bb0b8f64f0e50dfc4ea4437)
2023-11-09T1797: Delete VPP from vyos-1x as it is implemented in addonViacheslav Hletenko
(cherry picked from commit 59c8d5febb2b1333643372f8956fa8f219d022cb)
2023-11-07T5702: SNMP add interface-mib max-interfaces-number and prefixViacheslav Hletenko
- Allow to configure only required interface prefixes set service snmp mib interface 'eth' set service snmp mib interface 'bond' include_ifmib_iface_prefix eth bond Sets the interface name prefixes to include in the IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls. A set of space separated interface name prefixes will reduce the CPU load for IF-MIB processing. For example, configuring "include_ifmib_iface_prefix eth dummy lo" will include only interfaces with these prefixes and ignore all others for IF-MIB processing. - Allow to configure maximum interface number set service snmp mib interface-max '100' ifmib_max_num_ifaces NUM Sets the maximum number of interfaces included in IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls (on Linux). Setting a reasonable maximum for the CPU used will reduce the CPU load for IF-MIB processing. For example, configuring "ifmib_max_num_ifaces 500" will include only the first 500 interfaces based on ifindex and ignore all others for IF-MIB processing. (cherry picked from commit 30a05ee1d447c6f92627162a506225f833a80f8c)
2023-11-07Merge pull request #2450 from vyos/mergify/bp/sagitta/pr-2440Christian Breunig
T5716: Fix accel-ppp template down-limiter does not rely on fwmark (backport #2440)
2023-11-07T5716: Fix accel-ppp template down-limiter does not rely on fwmarkViacheslav Hletenko
accel-ppp template shaper `down-limiter` does not rely on `fwmark` Fix it (cherry picked from commit cf9229544a30e5aa47e307c021d4798a0162d291)
2023-11-07ldpd: T5648: Fix ldpd template errorsDevon Mar
Bug introduced in https://github.com/vyos/vyos-1x/commit/8fb6e715d32e7eff77e413d8577059dd55b24c0a (cherry picked from commit df6ced3811ebe6446039277ff3fc301a83776dc1)
2023-11-06bgp: T5698: add support for EVPN MultihomingChristian Breunig
(cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)
2023-11-06bond: T5698: add support for EVPN MultihomingChristian Breunig
set interfaces bonding bond10 evpn es-df-pref '50' set interfaces bonding bond10 evpn es-id '10' set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab' set interfaces bonding bond10 member interface 'eth3' set interfaces bonding bond10 mode '802.3ad' (cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
2023-11-06T5541: firewall: fix ZBF template and ruleset generation for loca-zone rules.Nicolas Fort
2023-11-02Merge pull request #2430 from vyos/mergify/bp/sagitta/pr-2427Viacheslav Hletenko
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions (backport #2427)
2023-11-02T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessionsViacheslav Hletenko
Add `max-starting` option: [common] max-starting=N Specifies maximum concurrent session attempts which server may processed set service pppoe-server max-concurrent-sessions '30' Useful to prevent high CPU utilization and compat execution scripts per time. (cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
2023-11-02T5700: Fix deprecate telegraf plugin input netViacheslav Hletenko
DeprecationWarning: Value "false" for option "ignore_protocol_stats" of plugin "inputs.net" deprecated since version 1.27.3 and will be removed in 1.36.0: use the 'inputs.nstat' plugin instead (cherry picked from commit 5476daef7f0fc271089189239599fc8077acba00)
2023-11-02T5705: rsyslog: fix error when level=all. Replace <all> with wildcard <*>, ↵Nicolas Fort
as it's done with facility. Create basic smoketest for syslog (cherry picked from commit c5ae7c9e2a141d92b8a716b3dbe3e5b41ee4aaba)
2023-11-01T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-10-23T5637: Firewall: add new rule at the end of base chains for default-actions. ↵Nicolas Fort
This enables logs capabilities for default-action in base chains.
2023-10-20T5541: firewall: re-add zone-based firewall.Nicolas Fort
2023-10-14pmacct: T5232: Fixed pmacct service control via systemctlzsdc
pmacct daemons have one very important specific - they handle control signals in the same loop as packets. And packets waiting is blocking operation. Because of this, when systemctl sends SIGTERM to uacctd, this signal has no effect until uacct receives at least one packet via nflog. In some cases, this leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks. As a result, a working folder is not cleaned properly. This commit contains several changes to fix service issues: - add a new nftables table for pmacct with a single rule to get the ability to send a packet to nflog and unlock uacctd - remove PID file options from the uacctd and a systemd service file. Systemd can detect proper PID, and PIDfile is created by uacctd too late, which leads to extra errors in systemd logs - KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and the core process exits with status 1 because it loses connection to plugins too early. As a result, we have errors in logs, and the systemd service is in a failed state. - added logging to uacctd - systemctl service modified to send packets to specific address during a service stop which unlocks uacctd and allows systemctl to finish its work properly (cherry picked from commit e364e9813b6833f6b108e7177ef7ea2d9e7bac33)
2023-10-10http-api: T2612: reload server within configsession for api self-configJohn Estabrook
(cherry picked from commit 93d2ea7d635c7aa5acf3000654393ea48b7c6405)
2023-10-07pppoe: T5630: allow to specify MRU in addition to already configurable MTUChristian Breunig
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send packets of no more than n bytes. The value of n must be between 128 and 16384, the default was always 1492 to match PPPoE MTU. A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280. CLI: set interfaces pppoe pppoe0 mru 1280 (cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
2023-09-28mdns: T5615: Rename avahi-daemon config fileIndrajit Raychaudhuri
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the convention used by other config files. (cherry picked from commit 3a3123485f2ea7b253caa1c49f19c82a0eaa0b37)