path: root/interface-definitions
Age         Commit message  (Author)
2023-11-21  T5419: firewall: backport firewall flowtable to Sagitta.  (Nicolas Fort)
2023-11-21  Merge pull request #2512 from zdc/T5577-sagitta  (Christian Breunig)
    PAM: T5577: Backported PAM settings from circinus
2023-11-20  http: T5762: api: make API socket backend communication the one and only default  (Christian Breunig)
    Why: Smoketests fail as they cannot establish an IPv6 connection to the uvicorn backend server.
    https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging
    those failing, it was uncovered that uvicorn only listens on IPv4 connections

    vyos@vyos# netstat -tulnp | grep 8080
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -

    As the CLI already has an option to move the API communication from an IP to a UNIX domain
    socket, the best idea is to make this the default way of communication, as we never directly
    talk to the API server but rather use the NGINX reverse proxy.

    (cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
2023-11-20  TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+  (zsdc)
    In CLI we can choose authentication logic:
    - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately.
    - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module.

    In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access
    should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available
    or other errors happen, it will be skipped and authentication will continue with the next module,
    like in `optional` mode.
2023-11-20  RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS  (zsdc)
    In CLI we can choose authentication logic:
    - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately.
    - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module.

    In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access
    should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available
    or other errors happen, it will be skipped and authentication will continue with the next module,
    like in `optional` mode.
2023-11-19  config-mgmt: T4957: remove TFTP user/pass from completion helper  (Christian Breunig)
    (cherry picked from commit e92667504e0c503b7c0d125d89d8795d6b6d5876)
2023-11-19  config-mgmt: T4957: T2405: add proper valueHelp strings for remote URL  (Christian Breunig)
    vyos@vyos# set system config-management commit-archive location
    Possible completions:
      uri   Uniform Resource Identifier

    Unfortunately URI is a bit "less" specific - add proper help strings:

    vyos@vyos# set system config-management commit-archive location
    Possible completions:
      http://<user>:<passwd>@<host>/<path>
      https://<user>:<passwd>@<host>/<path>
      ftp://<user>:<passwd>@<host>/<path>
      sftp://<user>:<passwd>@<host>/<path>
      scp://<user>:<passwd>@<host>/<path>
      tftp://<user>:<passwd>@<host>/<path>
      git+https://<user>:<passwd>@<host>/<path>

    (cherry picked from commit dcb277ba0aed4a02f48572d10d3ba242942b8639)
2023-11-19  T2405: add Git support to commit-archive  (Yun Zheng Hu)
    (cherry picked from commit a89243cfbfc90854a8cddd53c0ffc987f75abcee)
2023-11-19  Merge pull request #2498 from nicolas-fort/T4072-sagitta  (Christian Breunig)
    T4072: firewall: backport bridge firewall to sagitta
2023-11-16  T4072: firewall: backport bridge firewall to sagitta  (Nicolas Fort)
2023-11-16  xml: T5738: re-use "disable" building block  (Christian Breunig)
    (cherry picked from commit 019723aaa4217403f1fcbcd636f573ea403f909c)
2023-11-15  pim: T5733: incorporate feedback from peer review  (Christian Breunig)
    (cherry picked from commit 64b4cfc71d402222fd6b034336b3588b5986ba24)
2023-11-15  pim6: T5733: add missing FRR PIM6 related features  (Christian Breunig)
    (cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c)

    # Conflicts:
    #   data/templates/frr/pim6d.frr.j2
    #   interface-definitions/protocols-pim6.xml.in
    #   smoketest/scripts/cli/test_protocols_pim6.py
    #   src/conf_mode/protocols_pim6.py
2023-11-15  igmp: T5736: support per interface "disable" CLI node  (Christian Breunig)
    (cherry picked from commit 6ce2ecb10884a4b79a7643e22596a2d03d805a91)
2023-11-15  pim: T5733: fix CLI level of global PIM commands  (Christian Breunig)
    (cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)
2023-11-15  igmp: T5736: migrate "protocols igmp" to "protocols pim"  (Christian Breunig)
    IGMP and PIM are two different but related things. FRR has both combined in pimd.
    As we use get_config_dict() and FRR reload it is better to have both centrally stored under
    the same CLI node (as FRR does, too) to just "fire and forget" the commit to the daemon.

    "set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"

    (cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)
2023-11-15  pim: T5733: rename watermark-warn -> watermark-warning  (Christian Breunig)
    (cherry picked from commit 45ea9ed72ee11809f69619a40ae243df562de39f)
2023-11-15  pim: T5733: split out XML definitions to be re-used by pim6  (Christian Breunig)
    (cherry picked from commit c5e2c25f8968c0f06a9e4e992decc46a4f690868)
2023-11-15  pim: T5733: add missing FRR PIM related features  (Christian Breunig)
    Migrate CLI configuration retrieval to common get_config_dict(). In addition add new
    functionality to VyOS that is PIM related and already available in FRR.

    (cherry picked from commit 9abc02edcc237760f1f8aa1b3f08d7f4d18f866c)

    # Conflicts:
    #   python/vyos/frr.py
    #   src/op_mode/restart_frr.py
2023-11-15  Merge pull request #2484 from vyos/mergify/bp/sagitta/pr-2479  (Christian Breunig)
    xml: T5738: add source-address-ipv4-ipv6-multi building block (backport #2479)
2023-11-14  xml: T5738: add source-address-ipv4-ipv6-multi building block  (Christian Breunig)
    (cherry picked from commit dccca4307339d13e5c3ae78058194baf2fd04002)
2023-11-14  T5729: T5590: T5616: backport to sagitta firewall marks, fix on firewall logs parsing, and migration to valueless node for log and state matchers  (Nicolas Fort)
2023-11-09  T1797: Delete VPP from vyos-1x as it is implemented in addon  (Viacheslav Hletenko)
    (cherry picked from commit 59c8d5febb2b1333643372f8956fa8f219d022cb)
2023-11-07  Merge pull request #2458 from vyos/mergify/bp/sagitta/pr-2240  (Christian Breunig)
    T5559: Add static neighbor-proxy feature (backport #2240)
2023-11-07  T5559: Add static neighbor-proxy feature  (Viacheslav Hletenko)
    Ability to set ip neighbor proxy

    set protocols static neighbor-proxy arp 192.0.2.1 interface 'eth0'
    set protocols static neighbor-proxy arp 192.0.2.2 interface 'eth0'
    set protocols static neighbor-proxy nd 2001:db8::1 interface 'eth1'

    (cherry picked from commit c56af995b6e3d867c2a67deeb4be79e498f0a7cf)
2023-11-07  T5702: SNMP add interface-mib max-interfaces-number and prefix  (Viacheslav Hletenko)
    - Allow to configure only required interface prefixes

      set service snmp mib interface 'eth'
      set service snmp mib interface 'bond'

      include_ifmib_iface_prefix eth bond
      Sets the interface name prefixes to include in the IF-MIB data collection. For servers with
      a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a
      large chunk of CPU for ioctl calls. A set of space separated interface name prefixes will
      reduce the CPU load for IF-MIB processing. For example, configuring
      "include_ifmib_iface_prefix eth dummy lo" will include only interfaces with these prefixes
      and ignore all others for IF-MIB processing.

    - Allow to configure maximum interface number

      set service snmp mib interface-max '100'

      ifmib_max_num_ifaces NUM
      Sets the maximum number of interfaces included in IF-MIB data collection. For servers with
      a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB processing will take a
      large chunk of CPU for ioctl calls (on Linux). Setting a reasonable maximum for the CPU used
      will reduce the CPU load for IF-MIB processing. For example, configuring
      "ifmib_max_num_ifaces 500" will include only the first 500 interfaces based on ifindex and
      ignore all others for IF-MIB processing.

    (cherry picked from commit 30a05ee1d447c6f92627162a506225f833a80f8c)
2023-11-06  bgp: T5698: add support for EVPN Multihoming  (Christian Breunig)
    (cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)
2023-11-06  bond: T5698: add support for EVPN Multihoming  (Christian Breunig)
    set interfaces bonding bond10 evpn es-df-pref '50'
    set interfaces bonding bond10 evpn es-id '10'
    set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
    set interfaces bonding bond10 member interface 'eth3'
    set interfaces bonding bond10 mode '802.3ad'

    (cherry picked from commit 937685608e61151275c4f60c6d00c0154f2ca06d)
2023-11-03  Merge pull request #2429 from vyos/mergify/bp/sagitta/pr-2423  (Viacheslav Hletenko)
    T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)
2023-11-02  T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions  (Viacheslav Hletenko)
    Add `max-starting` option:

    [common]
    max-starting=N
    Specifies maximum concurrent session attempts which the server may process

    set service pppoe-server max-concurrent-sessions '30'

    Useful to prevent high CPU utilization and compat execution scripts per time.

    (cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)
2023-11-02  T4726: Remove accel-ppp RADIUS vendor validators  (Viacheslav Hletenko)
    The vendor name could contain Uppercase or lowercase symbols and not rely on the dictionary
    name but on dictionary value

    / # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor
    VENDOR Cisco 9

    Another example
    VENDOR Alcatel-IPD 6527

    This way if we use `vendor=cisco` instead of `vendor=Cisco` it will not work at all

    Delete vendor validators

    (cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)
2023-11-01  T5681: Firewall, Nat and Nat66: simplified and standardized interface matcher for firewall, nat and nat66.  (Nicolas Fort)
    (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-10-31  vxlan: T5668: add CLI knob to enable ARP/ND suppression  (Christian Breunig)
    In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes
    provisions [1] that allow participating VTEPs to suppress such messages in case they know the
    MAC-IP binding and can reply on behalf of the remote host.

    In Linux, the above is implemented in the bridge driver using a per-port option called
    "neigh_suppress" that was added in kernel version 4.15.

    [1] https://www.rfc-editor.org/rfc/rfc7432#section-10

    (cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
2023-10-30  vxlan: T5699: migrate "external" CLI knob to "parameters external"  (Christian Breunig)
    As we have a bunch of options under "parameters" already and "external" is clearly one of
    them it should be migrated under that node as well.

    (cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
2023-10-30  Merge pull request #2400 from vyos/mergify/bp/sagitta/pr-2355  (Viacheslav Hletenko)
    T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
2023-10-25  vrf: netns: T3829: T31: priority needs to be after netns  (Christian Breunig)
    A network namespace can have VRFs assigned, thus we need to get the priorities right.
    This lowers both priorities in general as a VRF or NETNS needs to be available very early
    as services can run on top of them.

    (cherry picked from commit 9dd5ff064a37b4e884f7bd9fb7630bf7829fa1ad)
2023-10-24  T5643: nat: add interface-groups to nat. Use same cli structure for interface-name|interface-group as in firewall.  (Nicolas Fort)
    (cherry picked from commit 2f2c3fa22478c7ba2e116486d655e07df878cdf4)
2023-10-23  T5637: Firewall: add new rule at the end of base chains for default-actions. This enables log capabilities for default-action in base chains.  (Nicolas Fort)
2023-10-22  Merge branch 'sagitta' into mergify/bp/sagitta/pr-2386  (Christian Breunig)
2023-10-22  bonding: T5254: Fixed changing ethernet when it is a bond member  (aapostoliuk)
    If ethernet interface is a bond member:
    1. Allow for changing only specific parameters which are specified in
       EthernetIf.get_bond_member_allowed_options function.
    2. Added inheritable parameters from bond interface to ethernet interface which are specified
       in BondIf.get_inherit_bond_options. Users can change inheritable options under ethernet
       interface but in commit it will be copied from bond interface.
    3. All other parameters are denied for changing.

    Added migration script. It deletes all denied parameters under ethernet interface if it is
    a bond member.

    (cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)
2023-10-22  vxlan: T5671: change port to IANA assigned default port  (Christian Breunig)
    Currently VyOS VXLAN implementation uses the Linux assigned port 8472 that predates the IANA
    assignment. As most other vendors use the IANA assigned port, follow this guideline and use
    the new default port 4789.

    Existing configuration not defining an explicit port number will be migrated to the old
    default port number of 8472, keeping existing configurations work!

    (cherry picked from commit 6db8d3ded19f652b99231be0d705d76b598ac72a)

    # Conflicts:
    #   interface-definitions/include/version/interfaces-version.xml.i
2023-10-21  Merge pull request #2389 from vyos/mergify/bp/sagitta/pr-2385  (Christian Breunig)
    T5667: BGP label-unicast enable ecmp (backport #2385)
2023-10-21  T5667: BGP label-unicast enable ecmp  (fett0)
    (cherry picked from commit e7cdf855ddce7dfe45af8b4b75eeee9de09f2451)
2023-10-20  T5541: firewall: re-add zone-based firewall.  (Nicolas Fort)
2023-10-19  bridge: T5670: add missing constraint on "member interface" node  (Christian Breunig)
    One could specify a bridge member of VXLAN1 interface, but it is not possible to create a
    VXLAN interface with the name of VXLAN1 - prohibited by VXLAN interface name validator.

    Add missing interface-name validator code

    (cherry picked from commit 45dc149e4e3c0c294deac6fd541bb027d2280ea1)
2023-10-19  cluster: T2897: add a migration script for converting cluster to VRRP  (Daniil Baturin)
    (cherry picked from commit 4c4c2b1f8a58398798f20c252bde80461320d330)
2023-10-11  T5165: Implement policy local-route source and destination port  (Viacheslav Hletenko)
    Add `policy local-route` source and destination port

    set policy local-route rule 23 destination port '222'
    set policy local-route rule 23 protocol 'tcp'
    set policy local-route rule 23 set table '123'
    set policy local-route rule 23 source port '8888'

    % ip rule show prio 23
    23: from all ipproto tcp sport 8888 dport 222 lookup 123

    (cherry picked from commit ff43733074675b94ce4ead83fe63870b6cf953c5)
2023-10-07  pppoe: T5630: allow to specify MRU in addition to already configurable MTU  (Christian Breunig)
    Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send packets of no
    more than n bytes. The value of n must be between 128 and 16384, the default was always 1492
    to match PPPoE MTU.

    A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data).
    Note that for the IPv6 protocol, the MRU must be at least 1280.

    CLI:
    set interfaces pppoe pppoe0 mru 1280

    (cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
2023-10-02  T5165: Migrate policy local-route rule x destination to address  (Viacheslav Hletenko)
    Migrate policy local-route <destination|source> to node address

    replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
         => 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'

    (cherry picked from commit 9f7a5f79200782f7849cab72f55a39dedf45f214)
2023-09-28  mdns: T5615: Allow controlling IP version to use for mDNS repeater  (Indrajit Raychaudhuri)
    This commit adds a new configuration option to the mDNS repeater service to allow controlling
    which IP version to use for mDNS repeater.

    Additionally, publishing AAAA record over IPv4 and A record over IPv6 is disabled as suggested.

    See:
    - https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104
    - https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2

    (cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)