| Age | Commit message (Collapse) | Author |
|
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.
The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.
Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.
This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
|
|
ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers
|
|
wan: T8480: add suppress_prefixlength ip rules for internal routing
|
|
T8910: ipoe-server: expose accel-ppp idle-timeout option
|
|
openconnect: T7654: OpenConnect Script Execution
|
|
Add a CLI knob to terminate idle IPoE sessions after a configurable
timeout:
set service ipoe-server idle-timeout <0-86400>
Today there is no way to age out stale IPoE sessions: clients that go
silent (powered off, link down) leave a session record on the router
indefinitely. accel-ppp natively supports idle-timeout in its [ipoe]
section but VyOS did not expose it.
The option is added as a shared accel-ppp include so it can be reused
by other accel-ppp services in follow-up PRs.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
|
|
|
|
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
virtual-server (#5205)
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
* dhcpv6: T8849: Add time-zone support for Kea DHCPv6
Add DHCPv6 option support for time zone (RFC4833 options
41 and 42). This includes both the POSIX-style TZ string
(`new-posix-timezone`) and the IANA time zone name
(`new-tzdb-timezone`).
* dhcpv6: T8849: Refactor per code-review suggestion
* dhcpv6: T8849: Reformat for compliance
|
|
|
|
|
|
|
|
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
|
|
This duplication did not cause any harm, but was found in the general
clean up related to element 'properties' collisions.
|
|
The include is unnecessary, as the element is fully defined in the
subsequent lines. As node.def files are only populated on the first
instance, this leads to loss of the proper value help entries hence
completions.
Without these changes, for example:
vyos@vyos# set system conntrack ignore ipv4 rule 137 protocol
will not list 'all', 'tcp_udp', etc. as intended.
|
|
FRR (#4994)
* sr-te: T6750: Adding Segment Routing Traffic Engineering portion of FRR
---------
Co-authored-by: Cheeze_It <none@none.com>
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
T8587: fix XML data type from u32 to u64 where range exceeds uint32 max
|
|
bgp: T8589: Add ead, es and [1-5] to route-map match evpn route-type
|
|
T8293: Add ability to set timeout for high-availability health-check
|
|
Setting a timeout allows VRRP health-check scripts to run longer than the set interval.
Without timeout, keepalived considers the script as failed after interval seconds.
With timeout set higher than interval, the script has more time to complete
before being marked as failed and transitioning VRRP to FAULT state.
|
|
|
|
The following nodes specified u32 but their range values exceed the
uint32 maximum (4,294,967,295):
- service lldp interface location coordinate-based elin:
u32:0-9999999999 -> u64:0-9999999999
- vpn ipsec esp-group life-bytes:
u32:1024-26843545600000 -> u64:1024-26843545600000
- vpn ipsec esp-group life-packets:
u32:1000-26843545600000 -> u64:1000-26843545600000
|
|
BGP link-state doesn't support next-hop-self, so remove it.
|
|
|
|
|
|
serial: T8375: use boot activation script to define a serial console on the CLI
|
|
T8448: add an option to enable SNMP traps in VRRP
|
|
Allow to configure Keepalived VRRP traps
- set high-availability vrrp snmp trap
|
|
remote: T4732: add VRF option for commit-archive
|
|
Previously, VyOS hardcoded the kernel boot log console to either ttyS0 or
tty0, with no post-install CLI method to change it (manual GRUB edits
were required).
This commit adds a new CLI node:
system console device <name> kernel
When set, the selected serial console is used as the kernel boot console.
When removed, the kernel boot console falls back to tty0.
|
|
|
|
|
|
Add new CLI option to make transfers to the commit-archive working using a
dedicated (e.g. management) VRF.
set system config-management commit-archive vrf MGMT
All transfers using vyos.remote module will now run through the VRF defined on
the CLI.
|
|
bgp: T7338: Add support for "parameters as-notation <asdot|asdot+>"
|
|
T8222: Set the default VXLAN interface TTL to 64
|
|
We explicitly omit the "plain" option, as it is the implicit default in FRR
We also do not want to add "plain" as VyOS default value and emit it by default
as this makes the config a bit ugly (frr puts it in the router line so you get
"router bgp <AS> as-notation plain").
Additionally, setting plain as default value and emitting it by default would
break pretty much all BGP tests, as they commonly do
self.getFRRconfig(f'router bgp {ASN}', stop_section='^exit')
and getFRRConfig does a "^<content>$" match, which breaks when you add the
"as-notation plain"
|
|
Fix typos and mistakes
No functional changes
|
|
Default TTL of 16 is insufficient in many deployments, especially
in multi-hop or routed underlay networks. Increase it to 64
to provide better compatibility and avoid packet drop in real-world
topologies.
|
|
We can create pseudo-ethernet (peth, macvlan) interfaces from bond or bridge
interfaces as the unddelraying parent, so the completion helper should honor it.
|
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
vpp: T8355: Set MTU for vpp interfaces
|
|
|
|
|
|
vpp: T8315: Add support for configuring unsupported NICs and update compatible list
|