summaryrefslogtreecommitdiff
path: root/data
AgeCommit message (Collapse)Author
2024-04-11T5871: ipsec remote access VPN: specify "cacerts" for client auth.Lucas Christian
2024-04-09T5169: Add PoC for generating CGNAT rules rfc6888Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ```
2024-04-06conntrack-sync: T1244: add CLI support for StartupResyncNataliia Solomko
2024-04-02Merge pull request #3229 from c-po/multi-vrfChristian Breunig
T6192: allow binding SSH to multiple VRF instances
2024-04-02T6196: Fixed applying parameters for aggregation in BGPaapostoliuk
Fixed using 'route-map', 'as-set' and 'summary-only' together in aggregation in BGP
2024-04-01Merge pull request #3212 from fett0/T6151fett0
bgp: T6151: Allow configuration of disable-ebgp-connected-route-check
2024-04-01ssh: T6192: allow binding to multiple VRF instancesChristian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF.
2024-04-01dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domainsChristian Breunig
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which was present to update /etc/resolv.conf with the DHCP specified nameservers and also the search domain list was no longer present. This commit adds a per interface rendered script to inform vyos-hostsd about the received IPv6 nameservers and search domains.
2024-03-29bgp: T6010: Allow configuration of disable-ebgp-connected-route-checkfett0
2024-03-28Merge pull request #3200 from sever-sever/T5832Daniil Baturin
T5832: VRRP allow set interface for exluded-address
2024-03-28Merge pull request #2965 from lucasec/t5872Daniil Baturin
T5872: ipsec remote access VPN: support dhcp-interface.
2024-03-28T5832: VRRP allow set interface for exluded-addressViacheslav Hletenko
Ability to set interface for `excluded-address` The excluded-addresses are not listed in the VRRP packet (adverts packets). We have this ability for `address`, add the same feature for the excluded-address ``` set high-availability vrrp group GRP-01 excluded-address 192.0.2.202 interface 'dum2' set high-availability vrrp group GRP-01 excluded-address 192.0.2.203 interface 'dum3' ```
2024-03-28op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interfaceChristian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 - Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- eth0 - 00:50:56:bf:c5:6d default 1500 u/u eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u 172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses. This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for, has actually a dhcp address configured. In additional this exposes the renew feature to the API.
2024-03-25T6171: migrate <set service dhcp-server failover> to <set service ↵Nicolas Fort
dhcp-server high-availability>.
2024-03-16Merge pull request #3112 from Ingramz/add-rtsp-2Christian Breunig
conntrack: T4022: add RTSP conntrack helper
2024-03-12radvd: T6118: add nat64prefix support RFC8781Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600. set service router-advert interface eth1 nat64prefix 64:ff9b::/96
2024-03-12conntrack: T4022: add RTSP conntrack helperIndrek Ardel
2024-03-11T5872: re-write exit hook to always regenerate configLucas Christian
2024-03-10T5872: fix ipsec dhclient exit hookLucas Christian
2024-03-10T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
2024-03-07http-api: T6107: add an option to increase the request body size limitDaniil Baturin
2024-03-07Merge pull request #2966 from HollyGurza/T6020Daniil Baturin
vrrp: T6020: vrrp health-check script not applied correctly
2024-03-07snmp: T2998: SNMP v3 oid "exclude" option fixNataliia Solomko
2024-03-06conntrack-sync: T6057: Add ability to disable syslog for conntrackdNataliia Solomko
2024-03-04T6084: Add NHRP dependency for IPsec and fix NHRP empty config bugViacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue
2024-03-02Merge pull request #3073 from c-po/ospfv3-redistribution-T5717Christian Breunig
ospfv3: allow metric and metric-type on redistributed routes
2024-03-02ospf: T5717: sync code with ospfv3 implementationChristian Breunig
2024-03-02ospfv3: T5717: allow metric and metric-type on redistributed routesChristian Breunig
Example: vyos@vyos# set protocols ospfv3 redistribute bgp Possible completions: metric OSPF default metric metric-type OSPF metric type for default routes (default: 2) route-map Specify route-map name to use
2024-03-01banner: T6077: dehardcode URLs in MOTD templateChristian Breunig
Use URLs provided by flavor build system and version.json file
2024-03-01vrrp: T6020: vrrp health-check script not applied correctly in keepalived.confkhramshinr
Added health-check to sync-group in CLI Don't use instance health-check when instance in sync group member Disallow wrong healtch-check configurations New smoke test
2024-02-29vyos-hostsd: T4270: resolve only hostname without domain name to 127.0.1.1Christian Breunig
This is a fix for commit 665ae50729 ("vyos-hostsd: T4270: do not resolve local router FQDN to 127.0.1.1") as it made calls to sudo super slow due to: sudo: unable to resolve host vyos: System error To avoid the initial issue we only add the hostname without domain name, thus the FQDN is not resolved by powerdns.
2024-02-29Merge pull request #3056 from natali-rs1985/T5504-currentChristian Breunig
T5504: Keepalived VRRP ability to set more than one peer-address
2024-02-29Merge pull request #3060 from c-po/bannerDaniil Baturin
banner: T6077: implement ASCII contest winner default logo
2024-02-29vrrp: T6020: vrrp health-check script not applied correctly in keepalived.confkhramshinr
Added health-check to sync-group in CLI Don't use instance health-check when instance in sync group member Disallow wrong healtch-check configurations New smoke test
2024-02-28banner: T6077: implement ASCII contest winner default logoChristian Breunig
Implement VyOS ASCII art contest winners logo as the default for our MOTD
2024-02-28Merge pull request #3055 from sarthurdev/T6073Christian Breunig
vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is required
2024-02-28T5504 Keepalived VRRP ability to set more than one peer-addressNataliia Solomko
2024-02-27vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is ↵sarthurdev
required
2024-02-27vyos-hostsd: T4270: do not resolve local router FQDN to 127.0.1.1Christian Breunig
Clients using VyOS as their DNS server and trying to resolve the FQDN of the router will receive 127.0.1.1 as answer. set service dns forwarding allow-from '172.16.0.0/12' set service dns forwarding listen-address '172.31.0.254' set service dns forwarding negative-ttl '60' set system domain-name 'vyos.net' set system host-name 'R1' Will return: $ host R1.vyos.net 172.31.0.254 Using domain server: Name: 172.31.0.254 Address: 172.31.0.254#53 Aliases: R1.vyos.net has address 127.0.1.1 When it should rather return the real IP address assigned via DNS.
2024-02-23T6054: WLB: fix rules parsing when using multiple ports in one ruleNicolas Fort
2024-02-21conntrack: T5376: Fix priority for CT helperssarthurdev
Ref: https://www.spinics.net/lists/netfilter/msg59549.html
2024-02-16Merge pull request #3016 from c-po/nhtChristian Breunig
T6001: add option to disable next-hop-tracking resolve-via-default
2024-02-16T6001: add option to disable next-hop-tracking resolve-via-default in VRF ↵Christian Breunig
context * set vrf name <name> ip nht no-resolve-via-default * set vrf name <name> ipv6 nht no-resolve-via-default
2024-02-16T6001: add option to disable next-hop-tracking resolve-via-defaultChristian Breunig
* set system ip nht no-resolve-via-default * set system ipv6 nht no-resolve-via-default
2024-02-15Merge pull request #3004 from aapostoliuk/T6029-circinusDaniil Baturin
T6029: Rewritten Accel-PPP services to an identical feature set
2024-02-15T6029: Rewritten Accel-PPP services to an identical feature setaapostoliuk
Removed dhcp-interface option (l2tp) Added wins-server (sstp) Added description (ipoe, pppoe, sstp, pptp) Added exteded-script (l2tp, sstp, pptp) Added shaper (ipoe, pptp, sstp, l2tp) Added limits (ipoe, pptp, sstp, l2tp) Added snmp ( ipoe, pptp,sstp, l2tp) Refactoring and reformated code.
2024-02-14eigrp: T2472: improve code for later testsChristian Breunig
2024-02-13Merge pull request #2987 from c-po/evpn-macvrf-sooChristian Breunig
bgp: T6032: add EVPN MAC-VRF Site-of-Origin support
2024-02-13Merge pull request #2988 from c-po/pki-rpki-t6034Christian Breunig
rpki: T6034: move file based SSH keys for authentication to PKI subsystem
2024-02-12pki: T6034: add dependencies to trigger rpki re-run on openssh key updateChristian Breunig