| Age | Commit message (Collapse) | Author |
|
router-advert: T7389: Duplicate prefix safeguard
|
|
collectors.textfile
|
|
T7382: adds podman log driver configuration option
|
|
Automatically render HaProxy rules to reverse-proxy ACME challanges when the
requested certificate was issued using ACME.
|
|
If redirect-http-to-https is set we will render a discrete onfiguration in
HAproxy to properly claim port 80 in the system to detect if a service is
alreadey using the port or not.
|
|
firewall: T7358: add offload option to global state policy
|
|
New CLI for static and dynamic NAT:
```
set vpp nat44 interface outside <interface> # multi
set vpp nat44 interface inside <interface> # multi
set vpp nat44 address-pool translation interface <interface> # multi
set vpp nat44 address-pool translation address <address> # multi
set vpp nat44 address-pool twice-nat interface <interface> # multi
set vpp nat44 address-pool twice-nat address <address> # multi
set vpp nat44 static rule <rule> external address <address>
set vpp nat44 static rule <rule> external port <port>
set vpp nat44 static rule <rule> local address <address>
set vpp nat44 static rule <rule> local port <port>
set vpp nat44 static rule <rule> protocol <protocol>
set vpp nat44 static rule <rule> options twice-nat
set vpp nat44 static rule <rule> options self-twice-nat
set vpp nat44 static rule <rule> options out-to-in-only
set vpp nat44 static rule <rule> options twice-nat-address <address>
set vpp nat44 exclude rule <rule> protocol <protocol>
set vpp nat44 exclude rule <rule> local-port <port>
set vpp nat44 exclude rule <rule> local-address <address>
set vpp nat44 exclude rule <rule> external-interface <interface>
```
Settings:
```
set vpp settings nat44 session-limit <limit> # default 64512
set vpp settings nat44 timeout udp <sec> # default 300
set vpp settings nat44 timeout tcp-established <sec> # default 7440
set vpp settings nat44 timeout tcp-transitory <sec> # default 240
set vpp settings nat44 timeout icmp <sec> # default 60
set vpp settings nat44 workers <list>
set vpp settings nat44 no-forwarding
```
|
|
Change autoignoreprefixes config template and add smoketests
|
|
|
|
advertisements (#4463)
|
|
geoip: T5636: Add geoip for policy route/route6
|
|
|
|
|
|
- fixed CI smoketest failures (again)
|
|
- Fixed CI smoketest failures
|
|
T7343: IPsec add traffic-selector handling for VTI interfaces
|
|
Allow to set traffic-selector for VTI interfaces
We can set several local and remote IPv4 and IPv6 prefixes
```
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24
```
|
|
Since the jump to the global state chain is inserted before all rules,
it wasn't possible to use offload with the global state policies
This commit adds a new chain for offloaded traffic in the forward
chain and jumps to that chain. Please enter the commit message for your changes. Lines starting
|
|
When running dhcp6c on top of a PPPoE interface, properly honor the dependency
chain with systemd. On shutdown we need to stop the wide-dhcpv6-client prior
to shutting down the ppp portion of the interface.
|
|
kea: T7281: Add ping-check, use built-in option for classless static routes
|
|
ids: T7241: remove Fastnetmon from the base system
|
|
It will eventually be moved to an addon
|
|
|
|
|
|
Remove legacy windows static route on option 249
|
|
T7254: op-mode: Add spanning-tree op-mode commands
|
|
T7311: syslog: Fix duplicate kernel log entries
|
|
|
|
Fix the IPsec log level option processing
set vpn ipsec log level '2'
Render Jinja2 template to generate correct log for IPsec for
the file /etc/strongswan.d/charon-systemd.conf
|
|
* T7283: VPP add static NAT support
Add static mapping NAT implementation
```
set vpp nat44 static rule 10 outbound-interface 'eth0'
set vpp nat44 static rule 10 inbound-interface 'eth1'
set vpp nat44 static rule 10 destination address 192.168.122.10 # optional, if not set outbound interface ip address is used
set vpp nat44 static rule 10 destination port 6545 # optional
set vpp nat44 static rule 10 protocol tcp|udp|icmp|all # optional, defaults to "all"
set vpp nat44 static rule 10 translation address 100.64.0.10
set vpp nat44 static rule 10 translation port 64010 # optional
```
* Improve help strings (Daniil Baturin)
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
Modified op-mode-standardized.json
|
|
syslog: T7270: fix typos in rsyslog.conf
|
|
If a router has not formed an LDP neighbor adjacency yet, it
answers all received LDP Hello packets from non-neighbors with
new Hello packets.
This leads to flooding LDP packets to all routers for each LDP
incoming packet.
Add configuration option to disable this behavior
```
set protocols mpls ldp interface eth0 disable-establish-hello
```
|
|
|
|
|
|
|
|
|
|
T7181: VPP add initial source NAT implentation
|
|
* bgp: T7157: Allow using route-maps for VRF route leaking in BGP
Added the possibility of using route-map in route leaking.
* Improve the constraint error message
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
|
|
T7092: Add Container Registry Mirror
|
|
|
|
Otherwise rsyslog will report an error:
omfwd: could not get addrinfo for hostname '[2001:db8::2]':'514': System error
|
|
|
|
Commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators")
added a bug when working with DiffieHellmanGroup, it started becoming a boolead
and no longer referencing the DH groups itself.
This has been fixed.
|
|
If this is unset, loading the iOS VPN profile will error out on the device
giving:
Profile Installation Failed
configuration is invalid:
Missing identity
My first assumption was an empty string in LocalIdentifier for IKE, but turned
out only adding this flag solved it.
This was made optional in commit e97d86e ("T6617: T6618: vpn ipsec
remote-access: fix profile generators") but got reverted now.
|
|
ipsec: T7225: "generate ipsec profile ios-remote-access" throws UndefinedError
|
|
Calling "generate ipsec profile ios-remote-access rw remote ipsec.vyos.net name
VYOS-NET profile VYOS" in op-mode causes
File "/usr/share/vyos/templates/ipsec/ios_profile.j2", line 58, in top-level template code
{% if authentication.client_mode.startswith("eap") %}
^^^^^^^^^^^^^^^^^^^^^^^^^
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'client_mode'
|
|
|
|
New CLI command
set system syslog marker disable
|