summaryrefslogtreecommitdiff
path: root/interface-definitions
AgeCommit message (Collapse)Author
2023-04-13T5150: migrate CLI configs to new Kernel/Zebra route-map supportChristian Breunig
2023-04-13T5150: initial VRF support for Kernel/Zebra route-map filteringChristian Breunig
2023-04-13T5150: do not apply zebra route-map from routing-daemon config levelChristian Breunig
2023-04-13T5150: initial implementation of new Kernel/Zebra route-map supportChristian Breunig
It is possible to install a route-map which filters the routes between routing daemons and the OS kernel (zebra) As of now this can be done by e.g. * set protocols ospf route-map foo * set protocols ospfv3 route-map foo * set protocols bgp route-map foo Which in turn will install the following lines into FRR * ip protocol ospf route-map foo * ipv6 protocol ospf6 route-map foo * ip protocol bgp route-map foo The current state of the VyOS CLI is incomplete as there is no way to: * Install a filter for BGP IPv6 routes * Install a filter for static routes * Install a filter for connected routes Thus the CLI should be redesigned to close match what FRR does for both the default and any other VRF * set system ip protocol ospf route-map foo * set system ipv6 protocol ospfv3 route-map foo * set system ip protocol bgp route-map foo * set system ipv6 protocol bgp route-map foo The configuration can be migrated accordingly. This commit does not come with the migrator, it will be comitted later.
2023-04-13Merge pull request #1935 from indrajitr/pdns-round3Christian Breunig
dns: T5143: Apply constraint for domain name in DNS forwarding
2023-04-12xml: T5081: generate common holddown XML building block for IS-IS and OSPFChristian Breunig
2023-04-12Merge pull request #1904 from Cheeze-It/currentChristian Breunig
T5081: ISIS and OSPF syncronization with IGP-LDP sync
2023-04-11T4727: Change and fix RADIUS rate-limit option for pptpViacheslav Hletenko
Initially the option 'rate-limit' was implemented with the wrong place in the CLI: set vpn pptp remote-access authentication rate-limit <xxx> Expected under 'radius' section: set vpn pptp remote-access authentication radius rate-limit <xxx> Configuration for 'rate-limit' (Jinja2 template) never worked for pptp, fix it.
2023-04-07T1237: Failover route add checks for multiple targetsViacheslav Hletenko
There is only one target for checking ICMP/ARP Extend it for checking multiple targets set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1' set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11' The route will be installed only if all targets are 'alive'
2023-04-04T5081: ISIS and OSPF syncronization with IGP-LDP syncCheeze_It
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
2023-04-04dns: T5143: Apply constraint for domain name in DNS forwardingIndrajit Raychaudhuri
This will prevent arbitrary strings from being entered as domain names. Additionally, reuse the fqdn validator instead of a custom regex.
2023-04-03T5139: IPSec add IKE lifetime 0 for no rekeyingViacheslav Hletenko
IKE lifetime should starting from 0 for disabling rekeying
2023-04-02container: T5134: support binding container network to specific VRFChristian Breunig
Container networks now can be bound to a specific VRF instance. set vrf name <foo> table <xxx> set container network <name> vrf <foo>
2023-04-02xml: re-use generic-description.xml.i building block whenever possibleChristian Breunig
Remove redundant XML CLI node definitions for the common description node by referencing the common building block.
2023-04-01container: T5082: switch to netavark network stackChristian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-04-01xml: include building block file name should end with .i and not .inChristian Breunig
2023-04-01xml: T5128: streamline help string for interface CLI node building blocksChristian Breunig
2023-04-01xml: allow-client: T5126: re-use new building block also for NTP serviceChristian Breunig
2023-03-31http-api: T5126: allow restricting client IP addressJohn Estabrook
2023-03-31T5128: Add contraint for firewall interface. Also update smoketest to ↵Nicolas Fort
include at least one wildcarded interface
2023-03-31T5128: Policy Route: allow wildcard on interfaceNicolas Fort
2023-03-29T5115: bump version dns-forwarding 3 -> 4Christian Breunig
2023-03-28dns: T5115: Support custom port for name servers for forwarding zones.Indrajit Raychaudhuri
This would allow using custom ports in name server operating on non- default port for forwarding zones. This is a follow-up to T5113 for sake of completeness and having consistent treatment of all name servers configured in PowerDNS recursor. Additionally, migrate `service dns forwarding domain example.com server` to `service dns forwarding domain foo3.com name-server` for consistency and reusability.
2023-03-27bgp: T5114: support configuring TCP keepalive messagesChristian Breunig
2023-03-27bgp: T5114: add "neighbor path-attribute discard"Christian Breunig
2023-03-27bgp: T5114: add peer-group "port" CLI commandChristian Breunig
2023-03-27dns: T5113: Support custom port for name-server forwardersIndrajit Raychaudhuri
Support custom port for name-server forwarders that would allow using custom ports in name server forwarders to enable forwarding to alternative name servers (unbound, stubby, dnscrypt-proxy etc.) operating on non-default port. This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards (pdns doesn't support certificate check for validity yet) by enabling 'dot-to-port-853'. This is set by default if compiled in with DoT support. See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853 This also partially implements T921, T2195 (DoT without certificate check). Implementation details: - In 'dns/forwarding' configuration, 'name-server' now allows optional 'port' (defaults to 53). - Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional 'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used to avoid impacting other places where it is reused because not all of them honor ports (mostly VPN related). - The `host:port` entries to be used by PowerDNS recursor config are normalized eagerly at the point of loading VyOS `Config` instead of doing them lazily while rendering the Jinja2 template to keep the implementation less intrusive. The alternative would entail making quite a bit of change in how 'vyos-hostsd' processes 'static' 'name_servers' entries or persists their runtime states.
2023-03-25ntp: T5112: Enable support for NTS (Network Time Security) in chronyIndrajit Raychaudhuri
This is basic configuration to enable NTS support in chrony.
2023-03-24xml: T5109: use common include file for alpha-numeric, hyphen and underscore ↵Christian Breunig
regex
2023-03-23Merge pull request #1901 from sever-sever/T5099Christian Breunig
T5099: IPoE-server add option next-pool for named ip pools
2023-03-21T5099: IPoE-server add option next-pool for named ip poolsViacheslav Hletenko
In cases with multiple named IP pools, it is required the option 'next' to be sure that if IP addresses ended in one pool, then they would begin to be allocated from the next named pool. For accel-ppp it requires specific order as pool must be defined before we can use it with the 'next-option' set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25' set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool' set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25' [ip-pool] 203.0.113.0/25,name=second-pool 192.0.2.0/25,name=first-pool,next=second-pool
2023-03-21Merge pull request #1889 from nicolas-fort/T5050-logViacheslav Hletenko
T5050: Firewall: Add log options
2023-03-21T5050: Firewall: Add log optionsNicolas Fort
2023-03-21pppoe: T5098: allow user to set pppd holdoff optionZhiyuan Wan
2023-03-17T5086: Add sFlow drop-monitor-limit optionViacheslav Hletenko
hsflowd will export the headers of dropped packets (along with the name of the function in the Linux kernel where that skb was dropped) as part of the standard sFlow feed. This measurement complements the sFlow packet sampling and counter-telemetry well because it provides visibility into the traffic that is not flowing. Very helpful for troubleshooting. The limit (a rate limit max of N drops per second sent out in the sFlow datagrams) is the parameter you would set in the CLI. set system sflow drop-monitor-limit 50
2023-03-16Merge pull request #1891 from sever-sever/T5086Christian Breunig
T5086: Add sFlow feature based on hsflowd
2023-03-16T5086: Add sFlow feature based on hsflowdViacheslav Hletenko
Add sFlow feature based on hsflowd According to user reviews, it works more stable and more productive than pmacct I haven't deleted 'pmacct' 'system flow-accounting sflow' yet It could be migrated or deprecated later set system sflow agent-address '192.0.2.14' set system sflow interface 'eth0' set system sflow interface 'eth1' set system sflow polling '30' set system sflow sampling-rate '100' set system sflow server 192.0.2.1 port '6343' set system sflow server 192.0.2.11 port '6343'
2023-03-14Merge pull request #1890 from nicolas-fort/T5055Viacheslav Hletenko
T5055: NAT: extend packet-type to NAT
2023-03-14T5055: NAT: extend packet-type match option which was previously introduced ↵Nicolas Fort
in firewall, to NAT
2023-03-10openvpn: xml: T1843: re-use generic username and password building blockChristian Breunig
2023-03-10rpki: xml: T3255: re-use generic username building blockChristian Breunig
2023-03-10system: proxy: xml: T1843: re-use generic username and password building blockChristian Breunig
2023-03-10Merge pull request #1871 from nicolas-fort/T5055Christian Breunig
T5055: Firewall: add packet-type matcher in firewall and route policy
2023-03-10container: T4959: add registry authentication optionChristian Breunig
Container registry CLI node changed from leafNode to tagNode with the same defaults. In addition we can now configure an authentication option per registry.
2023-03-09xml: T4952: improve interface completion helper CLI experienceChristian Breunig
2023-03-06T5055: Firewall: add packet-type matcher in firewall and route policyNicolas Fort
2023-03-02login: T5039: Support hashing rounds in `encrypted-password` valuessarthurdev
Since glibc 2.7, the SHA-256 and SHA-512 implementations support a user-supplied number of hashing rounds, defaulting to 5000. If the "$id$" characters in the salt are followed by "rounds=xxx$", where xxx is an integer, then the result has the form $id$rounds=yyy$salt$encrypted where yyy is the number of hashing rounds actually used. The number of rounds actually used is 1000 if xxx is less than 1000, 999999999 if xxx is greater than 999999999, and is equal to xxx otherwise.
2023-03-01Merge pull request #1854 from Yuanandcircle/currentChristian Breunig
policy: T5035: Add more actions to policy route rule
2023-02-28T4967: xml: provide re-usable constraint for CLI host-name definitionsChristian Breunig