path: root/data/templates
Age | Commit message | Author
2023-11-20 | Merge pull request #2508 from c-po/t5762-https-api-socket | Daniil Baturin
http: T5762: api: make API socket backend communication the one and only default
2023-11-20 | http: T5762: api: make API socket backend communication the one and only default | Christian Breunig
Why: Smoketests fail as they cannot establish IPv6 connection to uvicorn backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging those failing, it was uncovered that uvicorn only listens on IPv4 connections:
    vyos@vyos# netstat -tulnp | grep 8080
    (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
    tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a UNIX domain socket, the best idea is to make this the default way of communication, as we never directly talk to the API server but rather use the NGINX reverse proxy.
2023-11-19 | dhcp-client: T5760: add CLI option to pass user-class parameter | Christian Breunig
Example:
    set interfaces ethernet eth0 dhcp-options user-class VyOS
or
    set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
2023-11-19 | dhcp-client: T5760: add constraints for dhclient string options | Christian Breunig
The string data type specifies either an NVT ASCII string enclosed in double quotes, or a series of octets specified in hexadecimal, separated by colons. For example:
    set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO
or
    set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f
As of now there was no input validation performed.
2023-11-16 | image: T4516: ensure compatibility with legacy RAID 1 installs | John Estabrook
2023-11-16 | image: T4516: use copy of pw_reset script for install, link for compat | John Estabrook
Note that this was updated for the fix in T5739.
2023-11-15 | image: T4516: support for interoperability of legacy/new image tools | John Estabrook
This commit allows management of system images with either new or legacy tools: 'add/delete/rename system image' and 'set default' are translated appropriately on booting between images with the old and new tools. Consequently, the warning of the initial commit of T4516 is dropped.
2023-11-15 | image: T4516: Added system image tools | zsdc
This commit adds the whole set of system image tools written from scratch in Python that allows performing all the operations on images:
* check information
* perform installation and deletion
* versions management
Also, it contains a new service that will update the GRUB menu and keep tracking its version in the future.
WARNING: The commit contains non-reversible changes. Because of boot menu changes, it will not be possible to manage images from older VyOS versions after an update.
2023-11-15 | Merge pull request #2476 from c-po/frr-pim-T5733 | Christian Breunig
pim(6): T5733: add missing FRR related features
2023-11-13 | pim6: T5733: add missing FRR PIM6 related features | Christian Breunig
2023-11-13 | igmp: T5736: support per interface "disable" CLI node | Christian Breunig
2023-11-13 | pim: T5733: fix CLI level of global PIM commands | Christian Breunig
2023-11-13 | igmp: T5736: migrate "protocols igmp" to "protocols pim" | Christian Breunig
IGMP and PIM are two different but related things. FRR has both combined in pimd. As we use get_config_dict() and FRR reload it is better to have both centrally stored under the same CLI node (as FRR does, too) to just "fire and forget" the commit to the daemon. "set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"
2023-11-13 | pim: T5733: rename watermark-warn -> watermark-warning | Christian Breunig
2023-11-13 | pim: T5733: add missing FRR PIM related features | Christian Breunig
Migrate CLI configuration retrieval to common get_config_dict(). In addition add new functionality to VyOS that is PIM related and already available in FRR.
2023-11-12 | T5728: OpenVPN server replace first_host_address to vpn_gateway | Viacheslav Hletenko
Some OpenVPN clients (OpenVPN3) do not understand the address of the gateway for the pushed networks. As a result, pushed routes are not installed at all. Replace `subnet | first_host_address` with `vpn_gateway` to fix it.
2023-11-08 | ddclient: T5708: Ensure password is always wrapped in quotes | Indrajit Raychaudhuri
Migration to 3.11.1 follow-up: This should make `ddclient.conf` parsing more resilient to edge cases (particularly when `password` isn't the last option right before the host parameter). ddclient config parser applies special treatment to the password field and would unwrap the quotes automatically. Also, switch from now deprecated `use=no` to `use=disabled`.
2023-11-08 | Merge pull request #2459 from indrajitr/mdns-streamline | Viacheslav Hletenko
mdns: T5723: Always reload systemd daemon before applying changes
2023-11-07 | mdns: T5723: Always reload systemd daemon before applying changes | Indrajit Raychaudhuri
Additionally, templatize system service override and move it to the runtime path.
2023-11-07 | Merge pull request #2434 from sever-sever/T5702 | Christian Breunig
T5702: SNMP add interface-mib max-interfaces-number and prefix
2023-11-06 | Merge pull request #2440 from sever-sever/T5716 | Christian Breunig
T5716: Fix accel-ppp template down-limiter does not rely on fwmark
2023-11-06 | T5716: Fix accel-ppp template down-limiter does not rely on fwmark | Viacheslav Hletenko
accel-ppp template shaper `down-limiter` does not rely on `fwmark`. Fix it.
2023-11-06 | T5702: SNMP add interface-mib max-interfaces-number and prefix | Viacheslav Hletenko
- Allow to configure only required interface prefixes
    set service snmp mib interface 'eth'
    set service snmp mib interface 'bond'
  include_ifmib_iface_prefix eth bond
  Sets the interface name prefixes to include in the IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls. A set of space separated interface name prefixes will reduce the CPU load for IF-MIB processing. For example, configuring "include_ifmib_iface_prefix eth dummy lo" will include only interfaces with these prefixes and ignore all others for IF-MIB processing.
- Allow to configure maximum interface number
    set service snmp mib interface-max '100'
  ifmib_max_num_ifaces NUM
  Sets the maximum number of interfaces included in IF-MIB data collection. For servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a large chunk of CPU for ioctl calls (on Linux). Setting a reasonable maximum for the CPU used will reduce the CPU load for IF-MIB processing. For example, configuring "ifmib_max_num_ifaces 500" will include only the first 500 interfaces based on ifindex and ignore all others for IF-MIB processing.
2023-11-05 | ddclient: T5708: Migrate `timeout` to `interval` | Indrajit Raychaudhuri
Time interval in seconds to wait between DNS updates would be a bit more intuitive as `interval` than `timeout`.
2023-11-02 | Merge pull request #2416 from c-po/evpn-mh-t5698 | Christian Breunig
T5698 EVPN ESI Multihoming
2023-11-02 | Merge pull request #2427 from sever-sever/T5704 | Christian Breunig
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions
2023-11-02 | Merge pull request #2425 from sever-sever/T5700 | Viacheslav Hletenko
T5700: Fix deprecate telegraf plugin input net
2023-11-02 | T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions | Viacheslav Hletenko
Add `max-starting` option:
    [common]
    max-starting=N
Specifies maximum concurrent session attempts which server may process
    set service pppoe-server max-concurrent-sessions '30'
Useful to prevent high CPU utilization and compat execution scripts per time.
2023-11-02 | T5700: Fix deprecate telegraf plugin input net | Viacheslav Hletenko
DeprecationWarning: Value "false" for option "ignore_protocol_stats" of plugin "inputs.net" deprecated since version 1.27.3 and will be removed in 1.36.0: use the 'inputs.nstat' plugin instead
2023-11-02 | T5705: rsyslog: fix error when level=all. Replace <all> with wildcard <*>, as it's done with facility. Create basic smoketest for syslog | Nicolas Fort
2023-11-01 | Merge pull request #2370 from sever-sever/T1797 | Viacheslav Hletenko
T1797: Delete VPP from vyos-1x as it is implemented in addon
2023-10-30 | bgp: T5698: add support for EVPN Multihoming | Christian Breunig
2023-10-30 | bond: T5698: add support for EVPN Multihoming | Christian Breunig
    set interfaces bonding bond10 evpn es-df-pref '50'
    set interfaces bonding bond10 evpn es-id '10'
    set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
    set interfaces bonding bond10 member interface 'eth3'
    set interfaces bonding bond10 mode '802.3ad'
2023-10-25 | T5681: Firewall, Nat and Nat66: simplified and standardize interface matcher (valid for interfaces and groups) in firewall, nat and nat66. | Nicolas Fort
2023-10-19 | Merge pull request #2362 from nicolas-fort/T5541 | Christian Breunig
T5541: firewall zone: re add firewall zone-base firewall
2023-10-19 | Merge pull request #2344 from nicolas-fort/T5637 | Christian Breunig
T5637: add new rule at the end of base chains for default-actions and log capabilities
2023-10-17 | T1797: Delete VPP from vyos-1x as it is implemented in addon | Viacheslav Hletenko
2023-10-14 | Merge pull request #2361 from zdc/T5232-circinus | Christian Breunig
pmacct: T5232: Fixed pmacct service control via systemctl
2023-10-13 | T5541: firewall zone: re add firewall zone-base firewall | Nicolas Fort
2023-10-12 | pmacct: T5232: Fixed pmacct service control via systemctl | zsdc
pmacct daemons have one very important specific - they handle control signals in the same loop as packets. And packets waiting is blocking operation. Because of this, when systemctl sends SIGTERM to uacctd, this signal has no effect until uacct receives at least one packet via nflog. In some cases, this leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks. As a result, a working folder is not cleaned properly.
This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd can detect proper PID, and PIDfile is created by uacctd too late, which leads to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and the core process exits with status 1 because it loses connection to plugins too early. As a result, we have errors in logs, and the systemd service is in a failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service stop which unlocks uacctd and allows systemctl to finish its work properly
2023-10-11 | ldpd: T5648: Fix ldpd template errors | Devon Mar
Bug introduced in https://github.com/vyos/vyos-1x/commit/8fb6e715d32e7eff77e413d8577059dd55b24c0a
2023-10-11 | Merge pull request #2353 from dmbaturin/T5634-no-more-blowfish | John Estabrook
openvpn: T5634: Remove support for insecure DES and Blowfish ciphers
2023-10-12 | openvpn: T5634: Remove support for insecure DES and Blowfish ciphers | Daniil Baturin
2023-10-09 | http-api: T2612: reload server within configsession for api self-config | John Estabrook
2023-10-08 | Merge pull request #2263 from Cheeze-It/current | Viacheslav Hletenko
T5530: isis: Adding loop free alternate feature
2023-10-06 | T5637: add new rule at the end of base chains for default-actions. This enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action | Nicolas Fort
2023-10-06 | T5530: isis: Adding loop free alternate feature | Cheeze_It
2023-10-03 | pppoe: T5630: allow to specify MRU in addition to already configurable MTU | Christian Breunig
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send packets of no more than n bytes. The value of n must be between 128 and 16384, the default was always 1492 to match PPPoE MTU. A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
    set interfaces pppoe pppoe0 mru 1280
2023-09-30 | ddclient: T5574: Support per-service cache management for services | Indrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient does a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider-specific options in that they are only used if defined.
2023-09-30 | Merge pull request #2303 from indrajitr/ddclient-misc-1 | Christian Breunig
ddclient: T5612: Miscellaneous improvements and fixes for dynamic DNS