Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
This srv recors looks valid:
```
set service dns forwarding authoritative-domain _tcp.db.mongors1.example.com records srv _mongodb entry 0 hostname 'mongors1.example.com'
```
But FQDN validator cannot validate it correctly, use regex to fix
|
|
T6273: Allowed the use of "-" and "_" in PPPoE access-concentrator name
|
|
Allowed the use of "-" and "_" in PPPoE access-concentrator name
|
|
|
|
Add abiilty to change `base_reachable_time_ms` option
/proc/sys/net/ipv6/neigh/{ifname}/base_reachable_time_ms
|
|
T6226: add HAPROXY tcp-request related block to load-balancing reverse proxy config
|
|
config
|
|
xml: T5738: fix typo in radius-additions.xml.i
|
|
|
|
T6237: IPSec remote access VPN: ability to set EAP ID of clients
|
|
|
|
T6246: improve haproxy http check configuration
|
|
|
|
|
|
|
|
T5722: Failover route add option onlink
|
|
server certificates
|
|
onlink pretend that the nexthop is directly attached to this link,
even if it does not match any interface prefix.
Useful when gateway not in the same interface network
set interfaces ethernet eth0 vif 10 address '10.20.30.1/32'
set protocols static route 10.20.30.0/32 interface eth0.10
set protocols failover route 192.0.2.11/32 next-hop 10.20.30.0 onlink
```
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 metric 1 proto failover
Error: Nexthop has invalid gateway.
[edit]
vyos@r4#
[edit]
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 onlink metric 1 proto failover
[edit]
vyos@r4#
```
|
|
to firewall global-optinos
|
|
qos: T6035: QoS policy shaper queue-type random-detect requires limit avpkt
|
|
Added params for configuration red on the shaper policy
|
|
T5169: Add PoC for generating CGNAT rules rfc6888
|
|
T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i>
|
|
in order to not allow string starting with dot character; use such constraint in firewall group definitions.
|
|
|
|
Add PoC for generating CGNAT rules
https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, but some of them.
Implemented:
REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP
address mapping for all sessions associated with the same internal
IP address, be they TCP, UDP, ICMP, something else, or a mix of
different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size
or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per
subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
|
|
ethernet: T5862: default MTU is not acceptable in some environments
|
|
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
|
|
In order to lower the Ethernet default MTU we need to drop the common
defaultValue from the XML mtu-68-16000.xml.i building block. Per interface
default MTU is later overloaded by XML.
|
|
|
|
T6068: dhcp-server: add command <set service dhcp-server high-availability mode>
|
|
mode> so user can define what type of ha use: active-active or active-passive
|
|
T6192: allow binding SSH to multiple VRF instances
|
|
bgp: T6151: Allow configuration of disable-ebgp-connected-route-check
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
T5832: VRRP allow set interface for exluded-address
|
|
ipsec: T5606: T5871: Use multi node for CA certificates
|
|
T5872: ipsec remote access VPN: support dhcp-interface.
|
|
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates.
Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
|
|
Ability to set interface for `excluded-address`
The excluded-addresses are not listed in the VRRP packet (adverts packets).
We have this ability for `address`, add the same feature for the
excluded-address
```
set high-availability vrrp group GRP-01 excluded-address 192.0.2.202 interface 'dum2'
set high-availability vrrp group GRP-01 excluded-address 192.0.2.203 interface 'dum3'
```
|
|
Extent the service config-sync for sections:
- qos interface
- qos policy
- system conntrack
- system flow-accounting
- system option
- system sflow
- system static-host-mapping
- system sysctl
|