| Age | Commit message (Collapse) | Author |
|---|
|
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
|
|
dns: T5959: Streamline dns forwarding service (backport #2854)
|
|
appropiate commands to populate such groups using source and destination address of the packet.
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
|
|
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
|
|
Streamline configuration and operation of dns forwarding service in
following ways:
- Remove `dns_forwarding_reset.py` as its functionality is now covered
by `dns.py`
- Adjust function names in `dns.py` to disambiguate between DNS
forwarding and dynamic DNS
- Remove `dns_forwarding_restart.sh` as its functionality is inlined in
`dns-forwarding.xml`
- Templatize systemd override for `pdns-recursor.service` and move the
generated override files in /run. This ensures that the override files
are always generated afresh after boot
- Simplify the systemd override file by removing the redundant overrides
- Relocate configuration path for pdns-recursor to `/run/pdns-recursor`
and utilize the `RuntimeDirectory` default that pdns-recursor expects
- We do not need to use custom `--socket-dir` path anymore, the default
path (viz., `/run/pdns-recursor` is fine)
(cherry picked from commit 1c1fb5fb4bd7c0d205b28caf90357ad56423464f)
|
|
(cherry picked from commit 119efb6d8d353482d598287f49e22aa68a22e960)
|
|
bgp: T5930: Denied using rt vpn 'export/import' with 'both' together (backport #2914)
|
|
T5941: Migration policy delete orphaned interface policy (backport #2890)
|
|
We can get an orphaned interface traffic-policy when the traffic-policy
name is removed from the interface, but the node `trffic-policy`
is still attached to the interface
For exmaple we have orphaned node traffic-policy on an interface:
```
set interfaces bonding bond0 vif 995 traffic-policy
```
This causes of incorrect migration and we do not see VLANs on
the bonding interface after update.
Delete traffic-policy from all interfaces if traffic-policy does not exist
(cherry picked from commit ca43e517408168ad1f12a3e5bc6f2d97f510faee)
|
|
We can get orphaned interface policy when the policy name was
removed from the interface but the node `policy` still attached
to the interface
For exmaple we have orphaned node policy on interface:
```
set interfaces bonding bond0 vif 995 policy
```
This causes of incorrect migration and we do not see VLANs on
the bonding interface after update.
Delete policy from all interfaces if policy does not exist
(cherry picked from commit 53670e1fb201cf1d27b01b4bc796ff097f82552d)
|
|
Moved ipv6 pools to named ipv6 pools in accel-ppp services
(cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
|
|
Denied using command 'route-target vpn export/import'
with 'both' together in bgp configuration.
(cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
|
|
system-option: T5979: Add configurable kernel boot options (backport #2886)
|
|
A code path was missing to check if only priority is available in the result of
"ip --json -4 rule show", in the case of l3mdev it's a dedicated key!
(cherry picked from commit a009143a62caca207fdffffcf0b490c747a87025)
|
|
There is no need to add and remove this table during runtime - it can lurk
in the standard firewall init code.
(cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
|
|
This prevents the following error when configuring the first VRF:
sysctl: cannot stat /proc/sys/net/vrf/strict_mode: No such file or directory
(cherry picked from commit a821b8c603999665ce8a77acb0e44a743811992a)
|
|
(cherry picked from commit f057075409b024a18ea8a39b5e128fcde988c00e)
|
|
Add missing name validation in add_image, and fix typo in error msg
string.
(cherry picked from commit 0a66ba35d12f0451a88ed7cc3e3ae2ae90e38d6e)
|
|
In some cases we can get error:
```
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 173, in <module>
data = get_status(args.mode, intf)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 130, in get_status
client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 66, in get_vpn_tunnel_address
tunnel_ip = lst[0].split(',')[0]
IndexError: list index out of range
```
(cherry picked from commit 58683a2444877bb989929625ad40a7d76259075d)
|
|
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
* set protocols bfd profile <name> minimum-ttl <1-254>
(cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
|
|
dhcp: T5787: Allow disabled duplicates on static-mapping (backport)
|
|
|
|
|
|
|
|
|
|
|
|
cpo@LR1.wue3:~$ show ip multicast group interface eth0.201
Interface Family Address
----------- -------- ---------
eth0.201 inet 224.0.0.6
eth0.201 inet 224.0.0.5
eth0.201 inet 224.0.0.1
cpo@LR1.wue3:~$ show ipv6 multicast group interface eth0
Interface Family Address
----------- -------- -----------------
eth0 inet6 ff02::1:ff00:0
eth0 inet6 ff02::1:ffbf:c56d
eth0 inet6 ff05::2
eth0 inet6 ff01::2
eth0 inet6 ff02::2
eth0 inet6 ff02::1
eth0 inet6 ff01::1
(cherry picked from commit 3eea8dbed1bd201373eb8a452239d9565d468b33)
|
|
QoS policy shaper-hfsc was not implemented after rewriting the
traffic-policy to qos policy. We had CLI but it does not use the
correct class. Add a basic implementation of policy shaper-hfsc.
Write the class `TrafficShaperHFS`
(cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
|
|
Add support to run hsflowd in a dedicated (e.g. management) VRF.
Command will be "set system sflow vrf <name>" like with any other service
(cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
|
|
firewall: T5729: T5681: T5217: backport subsystem from current branch
|
|
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
|
|
* set service ntp leap-second [ignore|smear|system|timezone]
Where timezone is the new and old default resulting in adding "leapsectz right/UTC"
to chrony.conf. The most prominent new option is "smear" which will add
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly
to chrony.
See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for
additional information
(cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
|
|
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while
moving to KEA as DHCP server.
* set service dhcp-server global-parameters
* set service dhcp-server shared-network-name <name> shared-network-parameters
* set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters
Please open feature requests if any DHCP option is missing and should be added
as a proper CLI node to make your life easier.
|
|
dhcp: T5952: validate duplicate MAC and IP address in static-mappings incl. smoketests
|
|
Backport of the conntrack system from current branch.
(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
|
|
smoketests
(cherry picked from commit 62a8ef29d6238d5b777c3e946c132aca16a813c3)
(cherry picked from commit eb4cac98cb3790eb888d4ea7626781b9afbea8f4)
|
|
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
(cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5)
|
|
Add util function to set serial console speed in accordance with revised
GRUB file structure; in keeping with the intentions of the config_mode
script, adjust the GRUB var 'console_speed' to only modify ttyS0.
(cherry picked from commit 5ceaff2ef970cb9c567ac317bafbffca5b073f4a)
|
|
Renamed DPD action value from 'hold' to 'trap'
(cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0)
|
|
The current migration drop interface name for NAT where not should
```
nat {
source {
rule 100 {
outbound-interface {
name "eth0"
...
}
}
}
```
After migration we lost interface:
/home/vyos# /opt/vyatta/etc/config-migrate/migrate/nat/5-to-6 tmp.conf
/home/vyos#
/home/vyos# cat tmp.conf | grep "nat {" -A 10
nat {
source {
rule 100 {
outbound-interface {
interface-name ""
...
}
}
}
```
This commit fixes it.
(cherry picked from commit 813237d9766f636394b9ab385bb825fbf83202b3)
|
|
Migrate "bgp <ASN> neighbor <NEIGH> address-family ipv6-unicast peer-group"
to "bgp neighbor <NEIGH> peer-group"
(cherry picked from commit 9febed1344e93815dc3a94047daa69967c3af160)
|
|
(cherry picked from commit 495c3c3cc646c378746dc458f30da72c85f16dba)
|
|
T4856: Fix IPsec DHCP-client exit hook (backport #2823)
|
|
We should create dhclient base_path dir `/run/dhclient` during the
first boot.
It fixes cloud-init boot issues
```
/etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook: line 33: /run/dhclient/dhclient_eth0.lease: No such file or directory
```
(cherry picked from commit e613983721c48c13c2e6e73e7c4dbdbaa8e9eacf)
|
|
The script acually does not have the variable `secrets_lines` and
secret lines itself does not have the marker `# dhcp:{interface}`
in `to_find`
Needs to rewrite this script in the future if it is required
This commit fixes DHCP-client exit hook:
```
dhclient[6800]: NameError: name 'secrets_lines' is not defined
root[6801]: /etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook returned non-zero exit status 1
```
(cherry picked from commit a9cf7246d4450c8b3e1b749b36c3393b0963404b)
|
|
(cherry picked from commit 01b7ae796e870be90d4e448100c5e7551d9767ec)
|
|
Fix the arg for the `reboot in x` command
The current arg is `--reboot_in [Minutes ...]`
The expected arg is `--reboot-in [Minutes ...]`
(cherry picked from commit 3b27d5bc97372c01cb02d4dd0cd3b0b6fa1c3d94)
|
|
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575>
set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575>
(cherry picked from commit d7e248ba514108461ca9d5875c0be077c80ceca7)
|
|
When a router does not have wireless interfaces the proper
unconfigured message must be exist
(cherry picked from commit c97955b963ecc3da9638717485fe4d2c8599565c)
|
