Age | Commit message (Collapse) | Author |
|
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had
good intention but this will happen:
use-secret foo CLI node will become " secret xxxxxx" so the output of
strip-private invalidates the configuration.
This has been changed to an exact match of "secret" only
|
|
Make "strip-private" strip the string after "secret"
|
|
wireguard: T5707: remove previously deconfigured peer
|
|
Changing the public key of a peer (updating the key material) left the old
WireGuard peer in place, as the key removal command used the new key.
WireGuard only supports peer removal based on the configured public-key, by
deleting the entire interface this is the shortcut instead of parsing out all
peers and removing them one by one.
Peer reconfiguration will always come with a short downtime while the WireGuard
interface is recreated.
|
|
T5698 EVPN ESI Multihoming
|
|
The vendor name could contain Uppercase or lowercase symbols and
not rely on the dictionary name but on dictionary value
/ # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor
VENDOR Cisco 9
Another example
VENDOR Alcatel-IPD 6527
This way if we use `vendor=cisco` instead of `vendor=Cisco` it
will not work at all
Delete vendor validators
|
|
T1797: Delete VPP from vyos-1x as it is implemented in addon
|
|
vxlan: T5668: add CLI knob to enable ARP/ND suppression
|
|
vxlan: T5699: migrate "external" CLI know to "parameters external"
|
|
As we have a bunch of options under "paramteres" already and "external" is
clearly one of them it should be migrated under that node as well.
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
|
|
set interfaces bonding bond10 evpn es-df-pref '50'
set interfaces bonding bond10 evpn es-id '10'
set interfaces bonding bond10 evpn es-sys-mac '01:23:45:67:89:ab'
set interfaces bonding bond10 member interface 'eth3'
set interfaces bonding bond10 mode '802.3ad'
|
|
T5513: firewall: update op-mode command show firewall.
|
|
Try to have as few calls to sudo in the op-mode scripts as possible. The XML
definitions can deal with it.
|
|
T5661: Add show show ssh dynamic-protection attacker and show log ssh…
|
|
default actions and extend references for firewall groups
|
|
T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher
|
|
(valid for interfaces and groups) in firewal, nat and nat66.
|
|
The current named for certificates are hardcoded in generated config to:
- ca.pem
- cert.pem.key
- cert.pem
It cause a generated config certificates and certificates itself
are different (test-cert-1.pem and ca.pem)
bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem
/run/haproxy/ca.pem
It is a bug of initial impelemtation. Fix required correct names
from PKI certificates
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i…
|
|
|
|
vxlan: T5671: change port to IANA assigned default port
|
|
|
|
dynamic-protection
|
|
Currently VyOS VXLAN implementation uses the Linux assigned port 8472 that
predates the IANA assignment. As Most other vendors use the IANA assigned port,
follow this guideline and use the new default port 4789.
Existing configuration not defining an explicit port number will be migrated
to the old default port number of 8472, keeping existing configurations work!
|
|
|
|
T5541: firewall zone: re add firewall zone-base firewall
|
|
cluster: T2897: add a migration script for converting cluster to VRRP
|
|
|
|
T4913: migrate wireless scripts to new op-mode style
|
|
This fixes sending packets to uacctd using a socket.
|
|
|
|
|
|
remains the same, so no migration is needed regarding this feature
|
|
|
|
op-mode: T5642: 'generate tech-support archive' moved to vyos-1x
|
|
'generate tech-support archive' moved to vyos-1x.
Output of 'show tech-support report' command is added to archive.
The default location of the archive is moved to '/tmp'.
The script is rewritten to Python.
|
|
pmacct: T5232: Fixed pmacct service control via systemctl
|
|
|
|
pmacct daemons have one very important specific - they handle control signals in
the same loop as packets. And packets waiting is blocking operation.
Because of this, when systemctl sends SIGTERM to uacctd, this signal has no
effect until uacct receives at least one packet via nflog. In some cases, this
leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks.
As a result, a working folder is not cleaned properly.
This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to
send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd
can detect proper PID, and PIDfile is created by uacctd too late, which leads
to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and
the core process exits with status 1 because it loses connection to plugins too
early. As a result, we have errors in logs, and the systemd service is in a
failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service
stop which unlocks uacctd and allows systemctl to finish its work properly
|
|
|
|
bonding: T5254: Fixed changing ethernet when it is a bond member
|
|
openvpn: T5634: Remove support for insecure DES and Blowfish ciphers
|
|
|
|
interface-name|interface-group as in firewall.
|
|
T5165: Implement policy local-route source and destination port
|
|
http-api: T2612: correct the response message and add reload for api self-configuration
|
|
|
|
|
|
|