Age | Commit message (Collapse) | Author |
|
T4550: router-advert: Add deprecate-prefix & decrement-lifetimes options
|
|
|
|
DeprecatePrefix and DecrementLifetimes options in radvd is useful in a DHCPv6-PD environment to accommodate prefix changes from ISP's delegating router. Though there is currently no integration between the DHCP PD client (wide-dhcpv6-client) and radvd, it could be a good start point to have the 2 options configurable by the user.
https://phabricator.vyos.net/T4550
- deprecate-prefix: Upon shutdown, deprecate the prefix. This is useful
in a DHCPv6 PD environment: When ISP re-assigns a new prefix,
deprecate the old prefix that was advertised.
- decrement-lifetimes: Decrement the values of the preferred and valid
lifetimes for the prefix over time. This is also useful in a DHCPv6
PD environment to keep the advertised prefix's lifetimes in sync with
the prefix from delegating router.
|
|
|
|
Fix for IPv6 netflow_plugin name
When we use IPv6 uacctd.conf doesnt expect coluns in the plugin
name. Replace dots and colons to dash.
|
|
As we have specific configuration for each plugin:
set service monitoring telegraf xxx
- azure-data-explorer
- prometheus-client
- splunk
We should to move configuration that related to influxdb under
influxdb node
Replace:
set service monitoring telegraf
- authentication xxx
- bucket xxx
- port xxx
- url
To:
set service monitoring telegraf influxdb xxx
|
|
After discussion with @zsdc this was decided the better long term fix
* Removes hourly logrotate cron in favour of systemd timer override
|
|
|
|
dns: T4509: Add dns64-prefix option
|
|
rfc6147: DNS Extensions for Network Address Translation
from IPv6 Clients to IPv4 Servers
set service dns forwarding dns64-prefix 2001:db8:aabb::/96
|
|
When clients only use DHCP for interface addressing we can not bind NTPd to
an address - as it will fail if the address changes. This commit adds support
to bind ntpd to a given interface in addition to a given address.
set system ntp interface <name>
|
|
Add rate-limit options: attribute, muptiplier and vendor
set service ipoe-server auth radius rate-limit attribute 'Mikrotik-Rate-Limit'
set service ipoe-server auth radius rate-limit enable
set service ipoe-server auth radius rate-limit multiplier '0.001'
set service ipoe-server auth radius rate-limit vendor 'Miktorik'
|
|
set service router-advert interface eth0 name-server-lifetime <value>
|
|
Commit a2ab95ff68b ("pppoe: T4384: replace default-route CLI option with common
CLI nodes already present for DHCP") had an issue as the PPPoE interface options
and also DHCP interface options did not honor the no-default-route option.
This has been fixed.
|
|
|
|
* Refactor nftables clean-up code
* Adds policy route test for using firewall groups
|
|
|
|
|
|
* 'sstp_port' of https://github.com/goodNETnick/vyos-1x:
sstp: T4444. Port number changing support
|
|
firewall: T970: Add firewall group domain-group
|
|
for ipv4
|
|
OWAMP is a command line client application and a policy daemon used
to determine one way latencies between hosts.
OWAMP session control uses traditional client-server communication
between a control-client and a server,
TWAMP (two-way active measurement protocol)
Add configuration and operation modes
set service sla owamp-server
set service sla twamp-server
run force owping 192.0.2.120
run force twping 192.0.2.190
|
|
|
|
prefix-len on both matches. Also change help properties of route-source node.
|
|
|
|
* 'T4449' of https://github.com/nicolas-fort/vyos-1x:
Policy: T4449: Extend matching options for route-map ip nexthop
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
|
|
|
|
|
|
Add action 'reset' (op-mode) for HTTP-API
http://localhost/reset
curl --unix-socket /run/api.sock -X POST -Fkey=mykey \
-Fdata='{"op": "reset", "path": ["ip", "bgp", "192.0.2.14"]}' \
http://localhost/reset
|
|
FRR: T4020: Added CLI options for FRR daemons
|
|
|
|
monitoring: T4418: Add output plugin azure-data-explorer
|
|
Add output telegraf Plugin Azure Data Explorer
set service monitoring telegraf azure-data-explorer authentication client-id 'x'
set service monitoring telegraf azure-data-explorer authentication client-secret 'x'
set service monitoring telegraf azure-data-explorer authentication tenant-id 'x'
set service monitoring telegraf azure-data-explorer database 'x'
set service monitoring telegraf azure-data-explorer group-metrics 'single-table'
set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
|
|
ppppoe-server: T4373: Add option multiplier for correct shaping
|
|
Multiplier option is required by some vendors for correct shaping
For RADIUS based rate-limits
edit service pppoe-server
set authentication radius rate-limit multiplier '0.001'
|
|
We do not only allow individual host addresses but also prefixes.
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
Do no longer store container images which are pulled from any registry to
/config/containers. Instead save them to a unified location that is the same
accross all images on the system: /usr/lib/live/mount/persistence/container/storage
Reason for this change is, while living under /config/containers a VyOS image
upgrade copied all downloaded container images to the new image - doubling the
used space per image on every upgrade. With the new location the images are
all the same for every VyOS image running. Container userdata can still be
stored under /config and copied to a newer image making rollbacks still
efficient.
|
|
|
|
|
|
|
|
monitoring: T4410: Add telegraf output Plugin http for Splunk
|
|
|
|
Ability to send HTTP output to Splunk via telegraf
set service monitoring telegraf splunk authentication insecure
set service monitoring telegraf splunk authentication token 'xxx'
set service monitoring telegraf splunk url 'https://x.x.x.x'
|
|
Add output Plugin "prometheus-client" for telegraf:
set service monitoring telegraf prometheus-client
|
|
|
|
|