Age | Commit message (Collapse) | Author |
|
To prevent any possible races in the future the host-name and domain-name nodes
should be set with explicit priorities!
(cherry picked from commit 96d0e23a32a0e1b990ce022546ed7225956a0494)
|
|
(cherry picked from commit 03fd368ed263ca28c9b1b5e29f486217784d15ef)
|
|
(cherry picked from commit 74910564f82e2837cd7eb35ea21f07601e5f8f0d)
|
|
(cherry picked from commit 81dea053e7178b8fea836a85aacde2a38ffb9e09)
|
|
address
In addition for testing that the supplied IPv6 address ends with ::, we also
verify that it's a proper IPv6 address, just in case.
|
|
address
ISC DHCP server expects a string: "prefix6 2001:db8:290:: 2001:db8:29f:: /64;"
where the IPv6 prefix/range must be :: terminaated with a delegated prefix
length at the end.
This commit changes the validator that the IPv6 address defined on the CLI must
always end with ::. In addition a verify() step is added to check that the
stop address is greater than start address.
|
|
Co-authored-by: Gregor Michels <hirnpfirsich@brainpeach.de>
(cherry picked from commit 609563d6acfeafbed46b1ac5e6bd497ce097e3bc)
Co-authored-by: Gregor Michels <gregor.michels@web.de>
|
|
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
|
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
(cherry picked from commit 7fe568ca1672f1dfbd2b56ee3ef7a6ab48b03070)
|
|
Fixed broken logging for "show log nat"
Added the following commands:
show log nat source
show log nat source rule <ruleNum>
show log nat destination nat
show log nat destination nat rule <ruleNum>
show log nat static
show log nat static rule <ruleNum>
(cherry picked from commit 5cb9b84bd9ce909460d8da7f039d9371143ede6c)
|
|
(cherry picked from commit f5051de4fc034bd95677ef142423e59eae47cd2f)
|
|
(cherry picked from commit 75d553932504c55e710265776e4865a238223e1f)
|
|
When all the underlay links go down the PE no longer has access to the VxLAN
+overlay.
To prevent blackholing of traffic the server/ES links are protodowned on the PE.
A link can be setup for uplink tracking via the following configuration:
set interfaces ethernet eth0 evpn uplink
(cherry picked from commit 5565f27d15c5e7378e94aae8db8a894a12e25d7b)
|
|
(cherry picked from commit 234f35d8bae71b5d33ad97cdabc236ec6b13c3a2)
|
|
(cherry picked from commit 92b468b9a0d5eee8484601568227f7c56e71b119)
|
|
(cherry picked from commit 7dab763df070dd5138d6428450496f54b1f33d44)
|
|
(cherry picked from commit b5f22f70006eed6c7e62700128d5034b1b95db31)
|
|
Add the ability to configure the API port if the API on the secondary
server works on a non-default port.
The primary node will connect to configured port for config-sync
```
set service config-sync secondary address '192.0.2.11'
set service config-sync secondary port '8443'
```
(cherry picked from commit a7c3f202ffea7859463f204cccf526f7517321f6)
|
|
(cherry picked from commit b6c5e66cc44fdec21e6731d98a1065e2adf87b3b)
|
|
The netns support currently available on the VyOS CLI is only a
proof-of-technology, we have no real support for any service behind it.
In order to not confuse anyone on the LTS branch we decided to remove the
netns option for interfaces until there is a proper usecase and implementation
available.
|
|
bgp: T6189: L3VPN connectivity is broken after re-enabling VRF (backport #3392)
|
|
When adding and removing VRF instances on the fly it was noticed that the vni
statement under the VRF instance in FRR vanishes. This was caused by a race
condition which was previously designed to fix another bug.
The wierd design of a Python helper below the VRF tree to only generate the
VNI configuration nodes is now gone and all is rendered in the proper place.
(cherry picked from commit e7bb65894f86372dc0f6e8fd39b1628e0a224c68)
|
|
(cherry picked from commit 107ee099e82397b31fca8cf1ac3860cbf76f0596)
|
|
openconnect: T4982: Support defining minimum TLS version in openconnect VPN (backport #3371)
|
|
This srv recors looks valid:
```
set service dns forwarding authoritative-domain _tcp.db.mongors1.example.com records srv _mongodb entry 0 hostname 'mongors1.example.com'
```
But FQDN validator cannot validate it correctly, use regex to fix
(cherry picked from commit 3c37b6a44dca552da950b5288a30c7e074d58704)
|
|
Allowed the use of "-" and "_" in PPPoE access-concentrator name
(cherry picked from commit de38b01710958b7f7dababcff9557e4be98c8450)
|
|
(cherry picked from commit 9ff74d4370f0a5f66c303074796dab8b1ca5c4a5)
|
|
Add abiilty to change `base_reachable_time_ms` option
/proc/sys/net/ipv6/neigh/{ifname}/base_reachable_time_ms
(cherry picked from commit 0bf4b570fe2d239b9fbabd3ae801ad3f04a06bde)
|
|
config
(cherry picked from commit 984c386d11ead8371b7ac381e6c0921473e557ed)
|
|
(cherry picked from commit 8d0aa7bfb83aecb989ab01b6d1975cf23f1c7dcb)
|
|
(cherry picked from commit 78ea623df20b44309cc6ac9848ed18e97fc4ed03)
|
|
T6246: basic haproxy http-check configuration (backport #3325)
|
|
(cherry picked from commit 050f24770aec7a74c1a07ba64cf2cb83afb72f1a)
|
|
(cherry picked from commit 4cde677e9e128bc9b62fad720b1b6f6cac506954)
|
|
(cherry picked from commit 785616393557c4e3f616287de81b61a68ba177ac)
|
|
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates (backport #3315)
|
|
onlink pretend that the nexthop is directly attached to this link,
even if it does not match any interface prefix.
Useful when gateway not in the same interface network
set interfaces ethernet eth0 vif 10 address '10.20.30.1/32'
set protocols static route 10.20.30.0/32 interface eth0.10
set protocols failover route 192.0.2.11/32 next-hop 10.20.30.0 onlink
```
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 metric 1 proto failover
Error: Nexthop has invalid gateway.
[edit]
vyos@r4#
[edit]
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 onlink metric 1 proto failover
[edit]
vyos@r4#
```
(cherry picked from commit bb832acb97881d747a57da2728eab3ad138b8129)
|
|
server certificates
(cherry picked from commit aafe22d08bb38a579dd5075fd27a1b88beeca791)
|
|
to firewall global-optinos
(cherry picked from commit 76dcecafca977b640dd16d8e68c4a050ca1af4fb)
|
|
Added params for configuration red on the shaper policy
(cherry picked from commit 31cd75aec6d035b36537046ae0d034c03009a3fc)
|
|
in order to not allow string starting with dot character; use such constraint in firewall group definitions.
(cherry picked from commit c455a1f71674300b8a74863ddfe6e551fe8fd252)
|
|
(cherry picked from commit b8f3c61ca514cacdfc2495f16869c1b1e07d2bbc)
|
|
In order to lower the Ethernet default MTU we need to drop the common
defaultValue from the XML mtu-68-16000.xml.i building block. Per interface
default MTU is later overloaded by XML.
(cherry picked from commit e86761fa1307596c721c3ddf3a61d263e8f5177b)
|
|
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
(cherry picked from commit b30faa43c28b592febd83a7fd3a58247de6b27bc)
|
|
(cherry picked from commit 2eb7f96ca2038bf37dc1d274821ca6f619489b58)
|
|
<high-availability>. Also, add <mode> parameter in order to configure active-active or active-passive behavior for HA.
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
(cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
|
|
(cherry picked from commit 32d6a693de99021d2cd44fb4235e929caf7b4a6d)
|
|
(cherry picked from commit 24d0400b9c55cadef1eb99b3e84a363dd6ad5033)
|
|
(cherry picked from commit 84b6f6bcf59d526c35928c974e3f2d03c4d5ec06)
|