summaryrefslogtreecommitdiff
path: root/data
AgeCommit message (Collapse)Author
2023-06-03dns: T5144: Modernize dynamic dns operationIndrajit Raychaudhuri
Apply next round of configuration tree updates to 'service dns dynamic' with the following changes: - Migrate `service dns dynamic interface <interface> [use-web]` to `service dns dynamic address <interface>` or `service dns dynamic address web [web-options]` This communicates the intent that dynamic dns IP address is detected in only one way - using the `<interface>` or using an external web request, not both. - When using external web request, (`service dns dynamic address web`), external url is optional (`web-options url`). Ddclient defaults are used when unspecified, - Rename all config `login` to `username` for consistency and also to align better with alternative ddclient backends in consideration. - Apply global 'ipv6-enable' to per service 'ip-version: ipv6'. Selecting usage of IPv4 or IPv6 (or both simultaneously) is now at per service (protocol) level instead of global level. This allows more control on the ability to select IPv4 in some cases and IPv6 in some other cases wherever supported by the underlying ddclient protocol. - While the IP address (and by extension, the detection mechanism) is global, the way it is applied to a particular ddclient protocol depends on whether it supports IPv4 or IPv6 or both. - Related to the above, this also prevents generating incorrect config file (`ddclient.conf`) with multiple global sections leading to an unpredictable behavior of ddclient. - Implement provider (protocol) specific custom tweaks whenever possible (e.g., `zone`, `username`, `server` are not necessary in all cases). - Move service name from a combination of 'protocol' (with protocol config autodetected) and custom (with protocol config specified) to a single 'service' key. This allows for consisent setup of multiple config for the same ddclient protocol (with different options and credentials). This also avoid ambiguity with usual networking term 'protocol' and ddclient specific term 'protocol' (and can change with a move to a different backend). - Apply upfront XML constraints and validations consistently wherever applicable. - RFC2136 specific change: Rename rfc2136 config `record` to `host-name` for consistency. - Cloudflare specific change: While ddclient still supports authenticating with email and global auth key, skipping `username` in config will indicate the intent to use API token authentication (with special 'token' literal as `username`).
2023-06-03T5257: Fix netflow VRF and bracketize v6 source addresses for netflow/sflowWered
2023-05-28container: T5003: add new mandatory option runrootChristian Breunig
2023-05-19T5230: remove trailing tabs causing j2lint errorJohn Estabrook
2023-05-19Merge pull request #2014 from ServerForge/currentChristian Breunig
T5230: Added missing enforce-first-as option to bgp protocol common c…
2023-05-19T5230: Added missing enforce-first-as option to bgp protocol common config ↵Wered
and frr bgp jinja template.
2023-05-19T5222: reverse-proxy add send-proxy option for backend serverViacheslav Hletenko
To accept a Proxy Protocol header on incoming TCP connections, add an accept-proxy parameter to the bind line in a frontend section. This parameter detects both Proxy Protocol version 1 (text format) and Proxy Protocol version 2 (binary format). set load-balancing reverse-proxy backend <tag> server <tag> send-proxy
2023-05-19T5222: reverse-proxy fix template for listen-addressViacheslav Hletenko
Load-balancing reverse-proxy listen-address is multi-value node Use bracketize for correct set bind config for IPv6 addresses Listen by default IPv4 and IPv6 if listen-address is not defined
2023-05-19T5222: Refactoring load-balancing reverse-proxyViacheslav Hletenko
Improve and refactoring "load-balancing reverse-proxy" - replace 'reverse-proxy server <tag>' => 'reverse-proxy service <tag>' - replace 'reverse-proxy global-parameters tls <xxx>' => 'reverse-proxy global-parameters tls-version-min xxx' => 'reverse-proxy global-parameters ssl-bind-ciphers xxx' - replace 'reverse-proxy service https rule <tag> set server 'xxx' => 'reverse-proxy service https rule <tag> set backend 'xxx' 'service https rule <tag> domain-name xxx' set as multinode
2023-05-17Merge pull request #2004 from sever-sever/T5222Christian Breunig
T5222: Add load-balancing for web traffic
2023-05-17T5222: Add load-balancing for web trafficViacheslav Hletenko
2023-05-17mdns: T5227: Add support for browse domains and service filtersIndrajit Raychaudhuri
Allow listing additional browse domains (in addition to the default 'local') so that custom domains can be reflected. Additionally, allow filtering the services that are allowed to be reflected across multiple (V)LANs.
2023-05-12ocserv: T3896: improve XML definition and add warning about 3rd party configsChristian Breunig
When enabling identity-based-config, users can add arbitrary config keys that are processed by ocserv. The user "must know" what he is been doing, as invalid config option will make the ocserv daemon go ... whoop! Thus add a warning and inform the user about this setting.
2023-05-12T2778: Fix syslog octet_counted formatBᴇʀɴᴅ Sᴄʜᴏʀɢᴇʀs
2023-05-12Merge pull request #1783 from PeppyH/T3896-ocserv-config-per-xChristian Breunig
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
2023-05-12T5219: ddclient: Cloudflare doesn't require loginZen3515
2023-05-10Merge pull request #1987 from dmbaturin/T5251-vrrp-group-pingChristian Breunig
T5215: add a built-in ping check for VRRP groups
2023-05-10vrrp: T5215: Add built-in ping check for VRRP groupsDaniil Baturin
2023-05-10T5213: Add accounting-interim-interval option for PPTP-serverViacheslav Hletenko
Add RADIUS accounting-interim-interval option for PPTP-server Specifies interval in seconds to send accounting information (may be overridden by radius Acct-Interim-Interval attribute) set vpn pptp remote-access authentication radius accounting-interim-interval '52'
2023-05-10T5213: Add accounting-interim-interval option for L2TP-serverViacheslav Hletenko
Add RADIUS accounting-interim-interval option for L2TP-server Specifies interval in seconds to send accounting information (may be overridden by radius Acct-Interim-Interval attribute) set vpn l2tp remote-access authentication radius accounting-interim-interval '120'
2023-05-09Merge pull request #1978 from zdc/T5190-sagittaChristian Breunig
cloud-init: T5190: Added Cloud-init pre-configurator
2023-05-09Merge pull request #1985 from c-po/t2778-syslogChristian Breunig
syslog: T2778: T2769: refactoring and VRF support
2023-05-09T5213: Add accounting-interim-interval option for PPPoE IPoE SSTPViacheslav Hletenko
Add RADIUS accounting-interim-interval option for PPPoE/IPoE/SSTP servers. Specifies interval in seconds to send accounting information (may be overridden by radius Acct-Interim-Interval attribute) set service pppoe-server authentication radius accounting-interim-interval '60'
2023-05-08syslog: T2769: add VRF supportChristian Breunig
Allow syslog messages to be sent through a VRF (e.g. management).
2023-05-08syslog: T2778: migrate to get_config_dict()Christian Breunig
2023-05-04cloud-init: T5190: Added Cloud-init pre-configuratorzsdc
Added a new service that starts before Cloud-init, waits for all network interfaces initialization, and if requested by config, checks which interfaces can get configuration via DHCP server and creates a corresponding Cloud-init network configuration. This protects from two situations: * when Cloud-init tries to get meta-data via eth0 (default and fallback variant for any data source which depends on network), but the real network is connected to another interface * when Cloud-init starts simultaneously with udev and initializes the first interface to get meta-data before it is renamed to eth0 by udev
2023-05-04Merge pull request #1973 from sever-sever/T5171Christian Breunig
T5171: Use XML for loadbalancing wan instead of old templates
2023-05-02T5171: Rewrite load-balancing wan to XML and python3Viacheslav Hletenko
Use XML and python3 for 'load-balancing wan' Use Jinja2 templates instead of old vyatta-wanloadbalance.pl to generate configuration '/run/load-balance/wlb.conf' wich used by /opt/vyatta/sbin/wan_lb
2023-05-02T5163: Add match protocol filter for route-mapViacheslav Hletenko
Ability to match 'source-protocol' for the route-map filters set policy route-map foo rule 10 action 'permit' set policy route-map foo rule 10 match protocol 'bgp'
2023-04-29static: T5161: add BFD monitoring for static routesfett0
2023-04-27bgp: T5010: fix for-loop copy/paste errorChristian Breunig
Commit 923d7f1d7 (bgp: T5010: add missing for-loop when iterating over "both" route-target) referenced export rt instead of both. This happened while improperly copy-pasting the line.
2023-04-27bgp: T5010: add missing for-loop when iterating over "both" route-targetChristian Breunig
2023-04-26vrf: T5174: ensure no duplicate VNIs can be definedChristian Breunig
2023-04-24Merge pull request #1968 from nagua/patch-1Daniil Baturin
openvpn: T4402: Update openvpn server.conf.j2
2023-04-24OpenVPN: T4402: Update OpenVPN server.conf.j2 templateNicolas Riebesel
The ifconfig-pool command requires the arguments separated by a space. Hence the space was added before the subnet mask.
2023-04-22frr: T4353: fix "exit-vrf" indentionChristian Breunig
2023-04-21vrf: T5150: l3vni must be removed prior to removing BGP VRF processChristian Breunig
2023-04-20ocserv: T3896: refactor: change ocserv config-per-x node nameJamie Austin
Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing it's child nodes.
2023-04-14T5162: Updated configd-include.json to remove extra comma.KyleM
removed extra comma invalidating json.
2023-04-13T5150: initial VRF support for Kernel/Zebra route-map filteringChristian Breunig
2023-04-13T5150: do not apply zebra route-map from routing-daemon config levelChristian Breunig
2023-04-13T5150: initial implementation of new Kernel/Zebra route-map supportChristian Breunig
It is possible to install a route-map which filters the routes between routing daemons and the OS kernel (zebra) As of now this can be done by e.g. * set protocols ospf route-map foo * set protocols ospfv3 route-map foo * set protocols bgp route-map foo Which in turn will install the following lines into FRR * ip protocol ospf route-map foo * ipv6 protocol ospf6 route-map foo * ip protocol bgp route-map foo The current state of the VyOS CLI is incomplete as there is no way to: * Install a filter for BGP IPv6 routes * Install a filter for static routes * Install a filter for connected routes Thus the CLI should be redesigned to close match what FRR does for both the default and any other VRF * set system ip protocol ospf route-map foo * set system ipv6 protocol ospfv3 route-map foo * set system ip protocol bgp route-map foo * set system ipv6 protocol bgp route-map foo The configuration can be migrated accordingly. This commit does not come with the migrator, it will be comitted later.
2023-04-12Merge pull request #1904 from Cheeze-It/currentChristian Breunig
T5081: ISIS and OSPF syncronization with IGP-LDP sync
2023-04-11T4727: Change and fix RADIUS rate-limit option for pptpViacheslav Hletenko
Initially the option 'rate-limit' was implemented with the wrong place in the CLI: set vpn pptp remote-access authentication rate-limit <xxx> Expected under 'radius' section: set vpn pptp remote-access authentication radius rate-limit <xxx> Configuration for 'rate-limit' (Jinja2 template) never worked for pptp, fix it.
2023-04-11T5152: Get default hostname for telegraf from FQDN or hostnameViacheslav Hletenko
Fix for Telegraf agent hostname isn't qualified Try to get hostname from FQDN and then from hostname Used for metrics You may have more than one machine with different domain names r1 domain-name foo.local, hostname myhost r2 domain-name bar.local, hostname myhost It helps to detect from which exectly host we get metric for InfluxDB2
2023-04-09eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLSAndrew Gunnerson
The Debian 12 upgrade in T5003 caused a regression for connecting to legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows this by default in their wpa_supplicant package, but their `allow-tlsv1.patch` patch does not work properly with VyOS' newer wpa_supplicant package, which is based on the latest code in git. As a result, wpa_supplicant always respects the system-wide openssl crypto policy, disallowing TLSv1. The commit uses the documented way of allowing TLSv1, which takes precedence over the system crypto policy. Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-04T5081: ISIS and OSPF syncronization with IGP-LDP syncCheeze_It
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
2023-04-01container: T5082: switch to netavark network stackChristian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-03-31http-api: T5126: allow restricting client IP addressJohn Estabrook