Age | Commit message (Collapse) | Author |
|
T4812: Add op-mode Show vpn ipsec connections
|
|
Add op-mode CLI "show vpn ipsec connections"
Add the ability to show all configured connections/tunnels and
their states.
|
|
backport: T4815: Fix various name server config issues
|
|
This is a backport of https://github.com/vyos/vyos-1x/pull/1656.
Note I also changed `ip-down.script.tmpl` to not wait for `systemctl
stop dhcp6c@$iface.service`, because that command is slow and pppd will
kill the ip-down script if it times out.
I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch.
Not sure if there is another mechanism to handle that functionality or
it is missed.
|
|
backport: dns: T4799: fixed powerdns not being reloaded by vyos-hostsd
|
|
PowerDNS version 4.7 and above has changed the main process name from
'pdns-r/worker' to 'pdns_recursor'. This commit updates the process
name check to use the new name.
(cherry picked from commit ff09d4f47e5f54fad8258cd27fb0adfaa4c552b3)
|
|
strip-private: T4177: Fix for hiding private data token/url/bucket
|
|
Add URL, token and bucket hidind data when is used function
"strip-private"
(cherry picked from commit f12d8b5a575f4b454426fe11f65b5add966ca53c)
|
|
keepalived: T4526: keepalived-fifo.py unable to load config
|
|
snmp: T4785: allow !, @, * and # in SNMP community name (equuleus)
|
|
keepalived-fifo.py cannot load the VyOS config because the
script is started before the commit is completely finished.
This change makes sure the script waits for the commit
to be completed. It retries every 0.5 seconds. If the commit
is still not completed it will continue as did the original
implementation.
|
|
(cherry picked from commit 3f91033927d80748b70e1ef58b2941643d1aca33)
|
|
(cherry picked from commit dda62226353ebc198b4dbbd319412bb5d1d1ece2)
|
|
ddclient: T4743: Add option for IPv6 Dynamic DNS
|
|
monitoring: T4312: Ability to set IP address in the URL
|
|
Use common "url.xml" which allow URL as domain name or IP entrie
|
|
conntrack-sync: T4730: Fix listen-address jinja2 template
|
|
monitoring: T4680: Bracketize prometheus listen-address
|
|
Fix correct format for prometheus listen-address when we use
IPv6 address, we must use square 'brackets'
http://[2001:db8::11e]:9273
|
|
Listen address has option 'multi'
As result we have an incorrect template value for listen-address
- conntrack-sync listen-address '192.0.2.11' in template
It looks like "IPv4_address ['192.0.2.11']" in the conntrackd.conf
but the correct string expected without brackets
Fix it
|
|
Allow to set IPv6 address for Dynamic DNS
set service dns dynamic interface eth2 ipv6-enable
|
|
wireguard: T4702: actively revoke peer if it gets disabled
|
|
smoketest: T4652: upgrade PowerDNS recursor to 4.7 series
|
|
ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queues
|
|
The initial implementation in commit 9fb9e5cade ("ethernet: T3171: add CLI
option to enable RPS (Receive Packet Steering)" only changed the CPU affinity
for RX queue 0.
This commit takes all RX queues into account.
(cherry picked from commit 13645bc2cfd31f1525078469f23e89491987e0ea)
|
|
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep beeing alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
(cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
|
|
T4630: disallow same source-interface for macsec and pseudo-ethernet
|
|
openvpn: T4679: Fix incorrect verify local and remote address 1.3
|
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations but "verify()" checks also local and
remote IPv4 addresses that in this case will be empty lists
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty
|
|
(cherry picked from commit f3420a967ad5597c57093b5279a844dca4c516c0)
|
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Reuslts in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
(cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
|
|
backport: bonding: T4668: Fix bond members not adding/interface state incorrect
|
|
pppoe: T4648: fix incorrect installation of IPv6 default route even when default-route is set to none
|
|
Fixes several bugs around bonding member interface states not matching
the committed configuration, including:
- Disabled removed interfaces coming back up
- Newly added disabled interfaces not staying down
- Newly added interfaces not showing up in the bond
|
|
Refactor interfaces-bonding.py to simplify existing code and to remove
potentially bugprone sections in preparation for member add/remove
fixes for T4668.
|
|
ethernet: T4653: bugfix copy-paste when processing NIC offloading
|
|
Commit 31169fa8a763e ("vyos.ifconfig: T3619: only set offloading options if
supported by NIC") added the new implementation which handles NIC offloading.
Unfortunately every single implementation was copied from "gro" which resulted
in a change to gro for each offloading option - thus options like lro, sg, tso
had no effect at all.
It all comes down to copy/paste errors ... one way or another.
(cherry picked from commit b01f27b3bb3f4cbc6096011856d83009d0440313)
|
|
rpki: T4654: Fix RPKI cache description (1.3)
|
|
Fix wrong descriptions for the RPKI server
It was mentioned about the NTP server
|
|
Adds a sysctl parameter to ignore the default router obtained from
router advertisements when pppoe default-route is set to 'none'.
|
|
proxy: T4642: bugfix regex, add hyphen to allow list
|
|
(cherry picked from commit 73be77ec42d06a369974bfb1255839164f73c276)
|
|
(cherry picked from commit bfa13e367d0b77105ba350a34da8212859f07f59)
|
|
ethernet: T4538: fix wrong systemd unit used for EAPoL (equuleus)
|
|
bridge: T4632: vlan aware bridge lacks CPU forwarding
|
|
The VLAN aware bridge was forwarding traffic between member ports, but traffic
destined torwards the CPU was dropped. This resulted in a gateway not reachable
or DHCP leases that could not be handed out.
Tested via:
VyOS
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '10'
set interfaces bridge br0 member interface eth1 allowed-vlan '20'
set interfaces bridge br0 member interface eth1 allowed-vlan '30'
set interfaces bridge br0 member interface eth1 allowed-vlan '40'
set interfaces bridge br0 member interface eth1 native-vlan '40'
set interfaces bridge br0 member interface eth2 allowed-vlan '30'
set interfaces bridge br0 member interface eth2 allowed-vlan '20'
set interfaces bridge br0 member interface eth2 allowed-vlan '10'
set interfaces bridge br0 member interface eth2 allowed-vlan '40'
set interfaces bridge br0 vif 10 address '10.0.10.1/24'
set interfaces bridge br0 vif 20 address '10.0.20.1/24'
set interfaces bridge br0 vif 30 address '10.0.30.1/24'
set interfaces bridge br0 vif 40 address '10.0.40.1/24'
Arista vEOS
vlan 10,20,30,40
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
interface Vlan10
ip address 10.0.10.2/24
interface Vlan20
ip address 10.0.20.2/24
interface Vlan30
ip address 10.0.30.2/24
interface Vlan40
ip address 10.0.40.2/24
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
spanning-tree portfast
Cisco vIOS
interface GigabitEthernet0/0
ip address 10.0.40.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.10.3 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.20.3 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.30.3 255.255.255.0
!
(cherry picked from commit f60d0e1ce029925b843f635b36154c90049b9577)
|
|
T4629: Raised ConfigErrors contain dict instead of only the dict key (equuleus)
|
|
interface dict on error
(cherry picked from commit 475fbb785dca76868715827833dc44115635c4a6)
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
(cherry picked from commit f92a23ef9ab8be59681e5b7ba627e399d89bce53)
|
|
ocserv: openconnect: T4614: add support for split-dns (equuleus)
|