Age | Commit message | Author |
|
We now support assigning discrete IPv6 addresses to a container.
|
include at least one wildcarded interface
|
This would allow using custom ports in name servers operating on a
non-default port for forwarding zones.
This is a follow-up to T5113 for the sake of completeness and having
consistent treatment of all name servers configured in PowerDNS recursor.
Additionally, migrate `service dns forwarding domain example.com server`
to `service dns forwarding domain foo3.com name-server` for consistency
and reusability.
|
Support custom port for name-server forwarders that would allow using
custom ports in name server forwarders to enable forwarding to
alternative name servers (unbound, stubby, dnscrypt-proxy etc.)
operating on non-default port.
This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards
(pdns doesn't support certificate check for validity yet) by enabling
'dot-to-port-853'. This is set by default if compiled in with DoT support.
See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853
This also partially implements T921, T2195 (DoT without certificate check).
Implementation details:
- In 'dns/forwarding' configuration, 'name-server' now allows optional
'port' (defaults to 53).
- Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional
'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used
to avoid impacting other places where it is reused because not all of
them honor ports (mostly VPN related).
- The `host:port` entries to be used by PowerDNS recursor config are
normalized eagerly at the point of loading VyOS `Config` instead of
doing them lazily while rendering the Jinja2 template to keep the
implementation less intrusive. The alternative would entail making
quite a bit of change in how 'vyos-hostsd' processes 'static'
'name_servers' entries or persists their runtime states.
|
|
This is basic configuration to enable NTS support in chrony.
|
|
regex
|
|
T5099: IPoE-server add option next-pool for named ip pools
|
|
In cases with multiple named IP pools, the option 'next' is required
to be sure that if the IP addresses in one pool are exhausted, they
begin to be allocated from the next named pool.
For accel-ppp it requires a specific order, as a pool must be defined
before we can use it with the 'next-option':
set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25'
set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool'
set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25'
[ip-pool]
203.0.113.0/25,name=second-pool
192.0.2.0/25,name=first-pool,next=second-pool
|
|
T5050: Firewall: Add log options
|
hsflowd will export the headers of dropped packets (along with the
name of the function in the Linux kernel where that skb was dropped)
as part of the standard sFlow feed.
This measurement complements the sFlow packet sampling and
counter-telemetry well because it provides visibility into the
traffic that is not flowing.
Very helpful for troubleshooting.
The limit (a rate limit max of N drops per second sent out in the
sFlow datagrams) is the parameter you would set in the CLI.
set system sflow drop-monitor-limit 50
|
|
T5086: Add sFlow feature based on hsflowd
|
|
Add sFlow feature based on hsflowd.
According to user reviews, it works more stably and more productively
than pmacct.
I haven't deleted 'pmacct' 'system flow-accounting sflow' yet.
It could be migrated or deprecated later.
set system sflow agent-address '192.0.2.14'
set system sflow interface 'eth0'
set system sflow interface 'eth1'
set system sflow polling '30'
set system sflow sampling-rate '100'
set system sflow server 192.0.2.1 port '6343'
set system sflow server 192.0.2.11 port '6343'
|
|
T5055: NAT: extend packet-type to NAT
|
|
in firewall, to NAT
|
T5055: Firewall: add packet-type matcher in firewall and route policy
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
|
Since glibc 2.7, the SHA-256 and SHA-512 implementations support
a user-supplied number of hashing rounds, defaulting to 5000. If
the "$id$" characters in the salt are followed by "rounds=xxx$",
where xxx is an integer, then the result has the form
$id$rounds=yyy$salt$encrypted
where yyy is the number of hashing rounds actually used. The
number of rounds actually used is 1000 if xxx is less than 1000,
999999999 if xxx is greater than 999999999, and is equal to xxx
otherwise.
|
|
policy: T5035: Add more actions to policy route rule
|
T5037: Firewall: Add queue action and options to firewall
|
|
Ability to set the container hostname.
This host name is used as /etc/hostname
set container name <tag> host-name 'mybox'
|
T4977: Add Babel routing protocol support
|
|
container: T4014: Add `command`, `arg` and `entrypoint` configuration options for containers
|
Tunnel interface multicast settings can be "enabled or disabled". As we prefer
valueless nodes, and the Linux kernel default is "disabled", we should add a
set interfaces tunnel tunXX enable-multicast
command.
|
Fix timezones completion help and validator
Use 'timedatectl' instead of find zoneinfo
|
macsec: T5008: Changed length of CKN to (2..64 hex-digits)
|
|
Disabling authentication is useful in emergency situations
(e.g. RADIUS server is down) or for testing purposes.
Clients can connect with any login and username.
set service pppoe-server authentication mode 'noauth'
|
|
Based on wpa_supplicant documentation.
mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit)
hex-string (2..64 hex-digits)
Changed allowable length of CKN from strong 64 hex-digits
to the range (2..64 hex-digits)
|