summaryrefslogtreecommitdiff
path: root/interface-definitions/include
AgeCommit message (Collapse)Author
4 daysMerge pull request #4242 from nvollmar/T6953Christian Breunig
T6953: merges node and frr exporter under prometheus section
5 daysT6953: add migration for old configurationNicolas Vollmar
6 daysMerge pull request #4233 from HollyGurza/T6934Christian Breunig
T6934: Add preshared key for zabbix-agent monitoring service
6 daysMerge pull request #4223 from HollyGurza/T6874Christian Breunig
T6874: [QoS] Add class filter by ether
6 daysMerge pull request #4236 from opswill/currentDaniil Baturin
T6918: Accept invalid PPPoE Session in stateful bridge firewall.
7 daysT6874: [QoS] Add class filter by etherkhramshinr
Implement a command to configure QoS policy filters by ether properties. The supported match types include: - Destination: Specify the Ethernet destination address. - Protocol: Define the Ethernet protocol. - Source: Set the Ethernet source address. `set qos policy <type> <name> class <id> match <match-id> ether <destination|protocol|source> <val>`
8 daysT6918: Fix punctuationopswill
Co-authored-by: Daniil Baturin <daniil@baturin.org>
8 daysstatic: T6746: migrate BFD CLI nodesChristian Breunig
Migrate "set protocols static route <x.x.x.x/x> next-hop <y.y.y.y> bfd multi-hop source <z.z.z.z> profile <NAME>" to: "set protocols static route <x.x.x.x/x> next-hop <y.y.y.y> bfd profile bar" FRR supports only one source IP address per BFD multi-hop session. VyOS had CLI cupport for multiple source addresses which made no sense.
8 daysfrr: T6747: migrate protocols to unified FRRender classChristian Breunig
With FRR 10.0 daemons started to be migrated to integrated FRR mgmtd and a northbound interface. This led to some drawbacks in the current state how changes to FRR are handled. The current implementation will use frr-reload.py and specifies excatly WHICH daemon needs a config update and will only replace this part inside FRR. With FRR10 and mgmtd when a partial configuration is sent to mgmtd, it will remove configuration parts from other daemons like bgpd or ospfd which have not yet been migrated to mgmtd. It's not possible to call frr-reload.py with daemon mgmtd - it will error out. This commit will also change the CLI for static routes: CLI command "set protocols static route 10.0.0.0/8 next-hop 1.2.3.4 bfd multi-hop source 1.1.1.1" will be split into: * set protocols static route 10.0.0.0/8 next-hop 1.2.3.4 bfd source-address 1.1.1.1 * set protocols static route 10.0.0.0/8 next-hop 1.2.3.4 bfd multi-hop To make the XML blocks reusable, and comply with the FRR CLI - this was actually a wrong implementation from the beginning as you can not have multiple BFD source addresses. CLI command "set protocols static route 10.0.0.0/8 next-hop 1.2.3.4 bfd multi-hop source 1.1.1.1 profile bar" is changed to: * set protocols static route 10.0.0.0/8 next-hop 1.2.3.4 bfd profile bar CLI commands "set protocols static multicast interface-route" is moved to: * set protocols static multicast route <x.x.x.x/x> interface To have an identical look and feel with regular static routes.
8 daysospf: T6747: add retransmit-window CLI optionChristian Breunig
8 daysMerge pull request #4211 from natali-rs1985/T4214Daniil Baturin
static: T4214: Allow several dhcp-interfaces to the same static rote
8 daysT6934: Add preshared key for zabbix-agent monitoring servicekhramshinr
- Allow configure preshared key for zabbix-agent - Added op mode command for generatre random psk secret - Removed duplicate xml definition for psk settings Configure authentication mode: ``` # set service monitoring zabbix-agent authentication mode Possible completions: pre-shared-secret Use a pre-shared secret key ``` Configure PSK Settings: ``` # set service monitoring zabbix-agent authentication psk Possible completions: id ID for authentication secret pre-shared secret key ``` Generate Random PSK: ``` $ generate psk random Possible completions: <Enter> Execute the current command size Key size in bytes ```
11 daysT6918: Accept invalid PPPoE Session in stateful bridge firewall.opswill
12 daysT6863: Fix default distance for PPPoE (#4229)Roman Khramshin
set `default-route-distance` to 1
2024-11-29static: T4214: Allow several dhcp-interfaces to the same static roteNataliia Solomko
2024-11-21T6806: Rework QoS Policy for HFSC Shaper (#4181)Roman Khramshin
- Removed default `m1` and `m2` values from interface definitions - Adjusted filter priorities for shapers - Fixed SFQ qdisc and HFSC class creation to fully support `m1`, `d`, and `m2` parameters - Added validation logic similar to VyOS 1.3 to improve error handling and user experience
2024-11-20T6790: QoS: Improve CAKE Policy (#4173)Roman Khramshin
- Fixed handling of flow isolation parameters. - Corrected support for `nat` and `nonat` in flow isolation. - Extended RTT values to cover the full range supported by `tc`. - Make migration script 2-to-3 qos
2024-11-12babel: T6866: IPv6 distribute-lists in access-list6 format have names not ↵Christian Breunig
numbers
2024-11-12babel: T4977: use common include for IPv4/IPv6 route redistributionChristian Breunig
2024-11-07T3501: Allow using more than one tuned profileNataliia Solomko
2024-10-09haproxy: T6745: Rename `reverse-proxy` to `haproxy`sarthurdev
2024-10-07xml: T6430: add re-usable vrf CLI node for firewall and pbrChristian Breunig
2024-10-04Merge pull request #4110 from jestabro/distinct-apiChristian Breunig
http-api: T6736: move REST API to a node distinct from GraphQL API
2024-10-03T6760: firewall: add packet modifications existing in policy route to ↵Nicolas Fort
regular firewall ruleset.
2024-09-30Merge pull request #4024 from nicolas-fort/T6687Daniil Baturin
T6687: add fqdn support to nat rules.
2024-09-29http-api: T6736: add migration script and update versionJohn Estabrook
2024-09-16T6687: add fqdn support to nat rules.Nicolas Fort
2024-09-12Merge pull request #4021 from natali-rs1985/T6652-currentDaniil Baturin
openfabric: T6652: Add support for OpenFabric protocol
2024-09-10T6698: firewall: add matcher for vlan type. (#4027)Nicolás Fort
2024-09-04openfabric: T6652: Add support for OpenFabric protocolNataliia Solomko
OpenFabric is a routing protocol providing link-state routing with efficient flooding for topologies like spine-leaf networks. FRR implements OpenFabric in a daemon called fabricd
2024-08-28T6647: firewall. Introduce patch for accepting ARP and DHCP replies on ↵Nicolas Fort
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
2024-08-15T6649: Accel-ppp separate vlan-mon from listen interfacesNataliia Solomko
2024-08-12T6648: dhcpv6-server: align stateless DHCPv6 options with statefulLucas Christian
2024-08-05firewall: T4694: fix GRE key include path in XMLChristian Breunig
2024-08-04firewall: T4694: Adding GRE flags & fields matches to firewall rulesAndrew Topp
* Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01T6570: firewall: add global-option to configure sysctl parameter for ↵Nicolas Fort
enabling/disabling sending traffic from bridge layer to ipvX layer
2024-08-01T4072: firewall: extend firewall bridge capabilities, in order to include ↵Nicolas Fort
new chains, priorities, and firewall groups
2024-08-01Merge pull request #3221 from lucasec/t5873Christian Breunig
T5873: ipsec remote access VPN: support VTI interfaces.
2024-07-30pbr: T6430: Allow forwarding into VRFs by name as well as route table IDsAndrew Topp
* PBR can only target table IDs up to 200 and the previous PR to extend the range was rejected * PBR with this PR can now also target VRFs directly by name, working around targeting problems for VRF table IDs outside the overlapping 100-200 range * Validation ensures rules can't target both a table ID and a VRF name (internally they are handled the same) * Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone(). It does not replace that usage, as it deliberately does not handle non-VRF interface lookups (would fail with a KeyError). * Added route table ID lookup dict, global route table and VRF table defs to vyos.defaults. Table ID references have been updated in code touched by this PR. * Added a simple smoketest to validate 'set vrf' usage in PBR rules
2024-07-29Merge pull request #3804 from HollyGurza/T6362Daniil Baturin
T6362: Create conntrack logger daemon
2024-07-29Merge pull request #3823 from srividya0208/T6571Daniil Baturin
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
2024-07-28firewall: T4694: Adding rt ipsec exists/missing match to firewall configs ↵talmakion
(#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-07-25OpenVPN CLI-option: T6571: rename ncp-ciphers with data-cipherssrividya0208
2024-07-22T5873: vpn ipsec remote-access: support VTI interfacesLucas Christian
2024-07-19T6362: Create conntrack logger daemonkhramshinr
2024-07-18openvpn: T6591: deprecate OpenVPN server net30 topology (#3825)Daniil Baturin
2024-07-03T6539: add logging options to load-balancer reverse-proxyJonathan Voss
2024-06-24T5735: Stunnel CLI and configurationkhramshinr
Add CLI commands Add config Add conf_mode Add systemd config Add stunnel smoketests Add log level config
2024-06-16wireless: T6318: move country-code to a system wide configurationChristian Breunig
Wireless devices are subject to regulations issued by authorities. For any given AP or router, there will most likely be no case where one wireless NIC is located in one country and another wireless NIC in the same device is located in another country, resulting in different regulatory domains to apply to the same box. Currently, wireless regulatory domains in VyOS need to be configured per-NIC: set interfaces wireless wlan0 country-code us This leads to several side-effects: * When operating multiple WiFi NICs, they all can have different regulatory domains configured which might offend legislation. * Some NICs need additional entries to /etc/modprobe.d/cfg80211.conf to apply regulatory domain settings, such as: "options cfg80211 ieee80211_regdom=US" This is true for the Compex WLE600VX. This setting cannot be done per-interface. Migrate the first found wireless module country-code from the wireless interface CLI to: "system wireless country-code"