Age | Commit message (Collapse) | Author |
|
Commit dafb0da2 ("static: T4883: add a description field for routing tables")
added an iproute2 description table but lacked checking if the key exists.
This has been fixed and also converted to Jinja2 to keep the "common" style
inside the routing protocols. It might feel overengineered indeed.
|
|
|
|
Allow multiple ports for high-availability virtual-server
The current implementation allows balance only one "virtual" address
and port between between several "real servers"
Allow matching "fwmark" to set traffic which should be balanced
Allow to set port 0 (all traffic) if we use "fwmark"
Add health-check script
set high-availability virtual-server 203.0.113.1 fwmark '111'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
|
|
Add ppp-options IPv6 interface id for vpn L2TP
- fixed or random interface identifier for IPv6
- peer interface identifier for IPv6
- whether to accept peer’s interface identifier
set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id
set vpn l2tp remote-access ppp-options ipv6-intf-id 'random'
set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
|
|
overlay2 is the preferred storage driver for all currently supported Linux
distributions, and requires no extra configuration.
|
|
container: T4870: Update podman to use overlay storage driver
|
|
T4866: rewrite show_interfaces.py show* functions to standardized op-mode
|
|
|
|
Commit 13071a4a ("T4809: radvd: Allow the use of AdvRASrcAddress") added a new
feature to set the RA source-address. Unfortunately it missed a semicolon.
|
|
|
|
T4832: dhcp: Add IPv6-only dhcp option support (RFC 8925)
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
T4884: snmpd: add community6 fallback
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
4. Fixed generation dest local sections in squidGuard.conf
5. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
|
|
T4809: radvd: Allow the use of AdvRASrcAddress
|
|
routing: T1237: Add new feature failover route
|
|
This add the AdvRASrcAddress configuration option to configure
a source address for the router advertisements. The source
address still must be configured on the system. This is useful
for VRRP setups where you want fe80::1 on the VRRP interface
for cleaner VRRP failovers.
|
|
If no client and network is defined only a `community` config
is created. This also adds the `community6` part
|
|
Failover route allows to install static routes to the kernel routing
table only if required target or gateway is alive
When target or gateway doesn't respond for ICMP/ARP checks this route
deleted from the routing table
Routes are marked as protocol 'failover' (rt_protos)
cat /etc/iproute2/rt_protos.d/failover.conf
111 failover
ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover
$ sudo ip route show proto failover
203.0.113.1 via 192.0.2.1 dev eth0 metric 1
So we can safely flush such routes
|
|
openvpn: T4770: rewrite op-mode show/reset to use vyos.opmode
|
|
|
|
vyos@vyos# show interfaces sstpc
sstpc sstpc10 {
authentication {
password vyos
user vyos
}
server sstp.vyos.net
ssl {
ca-certificate VyOS-CA
}
}
|
|
|
|
L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool
As we can get addresses via RADIUS attributes:
- Framed-IPv6-Prefix
- Delegated-IPv6-Prefix
|
|
Fix l2tp dae server template and python config dict for correctlly
handling Dynamic Authorization Extension server configuration
|
|
Added the generation in the config file /etc/squid/squid.conf
for command: set service webroxy domain-block <domain>
|
|
|
|
|
|
|
|
|
|
Adding the parameters that were missing to the OSPF FRR template.
|
|
The variable 'client' was accidently used where 'network should
have been used. This lead to missing community6 string when
an IPv6 network was defined instead of an IPv6 client.
|
|
Remote TS for transport mode GRE must be remote-address and
not peer name
|
|
Clients supporting this DHCP option (DHCP option 108, RFC 8925) will
disable its IPv4 network stack for configured number of seconds
and operate in IPv6-only mode.
This option is known to work on iOS 15+ and macOS 12.0.1+.
Example command:
```sh
set service dhcp-server shared-network-name LAN6 subnet 192.168.64.0/24 ipv6-only-preferred 0
```
|
|
Commit 66288ccfee ("dns-forwarding: T4578: Rewrite show dns forwarding") added
the implementation for the new standardized op-mode definitions/implementation.
As the API daemon has the proper permissions and also the CLI op-mode calls the
script already with "sudo", there is no need to call "sudo" inside this script,
again.
Also add dns.py to data/op-mode-standardized.json for the GraphQL schema to be
generated.
|
|
so this new group can be used in inbound and outbound matcher
|
|
policy: T2199: T4605: Migrate policy route interface node
|
|
|
|
<name> interface <ifname>`
* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup
* T4605: Rename mangle table to vyos_mangle
|
|
T4789: Ability to get op-mode raw data for PPPoE L2TP SSTP IPoE
|
|
Ability to get 'raw' data sessions and statistics for accel-ppp
protocols IPoE/PPPoE/L2TP/PPTP/SSTP server
|
|
|
|
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
|
|
|
|
`fqdn` node
|
|
|
|
Rewrite op-mode DHCP and DHCPv6 leases to vyos.opmode format
Abbility to show 'raw' format
show dhcp server leases
show dhcpv6 server leases
|
|
T4771: Ability to get raw format for op-mode BGP commands
|
|
Ability to get logs in JSON format
Possible filter by unit. Options for count lines,
UTC time, facility or logs since boot
|
|
This enabled users to also use 2FA/MFA authentication with a radius backend as
there is enough time to enter the second factor.
|