Age | Commit message (Collapse) | Author |
|
|
|
|
|
table name
|
|
login: T4715: Auto logout user after inactivity
|
|
Ability to terminate interactive sessions (TTY/PTS) after a period
of inactivity.
set system login timeout '300'
|
|
|
|
This adds a new 'alias' property to the console-server device definition
to allow users to connect to a console using a human-readable name
rather than just the device name.
For a configuration like:
service {
console-server {
device ttyUSB0 {
speed 115200
alias my-server
}
}
}
Users can connect either by doing `connect console ttyUSB0`, or
`connect console my-server`.
Names:
* Must be unique
* Are limited to 128 characters
* Are optional - if not specified, only the `connect console ttyX`
form can be used
|
|
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS
(Receive Flow Steering)") always adjusted the global rps_sock_flow_entries
configuration. So if RFS was enabled for one NIC but not the other - it did not
work.
According to the documentation:
RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by
default for SMP). The functionality remains disabled until explicitly
configured. The number of entries in the global flow table is set through:
/proc/sys/net/core/rps_sock_flow_entries
The number of entries in the per-queue flow table are set through:
/sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt
Both of these need to be set before RFS is enabled for a receive queue. Values
for both are rounded up to the nearest power of two. The suggested flow count
depends on the expected number of active connections at any given time, which
may be significantly less than the number of open connections. We have found
that a value of 32768 for rps_sock_flow_entries works fairly well on a
moderately loaded server.
This commit sets rps_sock_flow_entries via sysctl on bootup leafing the RFS
configuration to the interface level.
|
|
ids: T4557: Migrate threshold and add new threshold types
|
|
Migrate "service ids ddos-protection threshold xxx" to
"service ids ddos-protection general threshold xxx"
Add new threshold types:
set service ids ddos-protection threshold tcp xxx
set service ids ddos-protection threshold udp xxx
set service ids ddos-protection threshold icmp xxx
|
|
|
|
nat: T4605: Fix op-mode NAT table name
|
|
|
|
update-check: T3476: Allow update-check for VyOS images
|
|
nat: nat66: T4605: T4706: Refactor NAT/NAT66 and use new table name
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
|
The "authentication id" option for road-warriors did not get migrated to
the new local-id CLI node. This has been fixed.
|
|
When a CLI node is set with a migrator and is not a valueLess node, we need to
specify the "value" using the value= operation in config.set().
This fixes the config load error: vyos.configsession.ConfigSessionError: Invalid
config file (syntax error): error at line 353
|
|
isis: T4693: Fix ISIS segment routing configurations, part deux
|
|
isis: T4693: Fix ISIS segment routing configurations
This change is to fix more bugs in which ISIS segment routing was broken due to a refactor. This change also introduces a few additions to the ISIS handler for checking per prefix validations for segment value and mutual exclusivity for two options.
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep beeing alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
policy-route: T4697: Add missing rule_id for verify_rule func
|
|
|
|
This will set the listen-host ocserv configuration option.
|
|
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
|
|
There is a missing 'rule_id' in verify_rule() function
We call it from the loop but don't provide argument 'rule_id'
It cause "NameError: name 'rule_id' is not defined"
Fix it
|
|
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
|
|
openvpn: T4679: Fix incorrect verify local and remote address
|
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations but "verify()" checks also local and
remote IPv4 addresses that in this case will be empty lists
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty
|
|
nhrp: T2199: Use separate table in nftables for NHRP rules
|
|
|
|
firewall: zone-policy: T2199: T4605: Refactor firewall, migrate zone-policy
|
|
|
|
|
|
|
|
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
|
|
|
|
Set execution flag to route.py op-mode
|
|
|
|
|
|
|
|
Ability to autocheck available new images
Parse remote URL JSON image-version.json file and compare version
VyOS with a local current version, if find diff sent wall
message that the new image is available
Also, add op-mode command to check images "show system image"
With option "auto-check" check will be once per 12 hours
set system update-check auto-check
set system update-check url 'http://example.com/image-version.json'
If new version is available shows it per login (MOTD)
|