Age | Commit message | Author
2024-03-21 | Merge pull request #3157 from c-po/vti-T6085 | Daniil Baturin
vti: T6085: interface is always down and only enabled by IPSec daemon
2024-03-21 | Merge pull request #3153 from aapostoliuk/T6130-circinus | Christian Breunig
policy: T6130: Revert commit 960cace
2024-03-21 | Merge pull request #3158 from c-po/bridge-T6125 | Daniil Baturin
bridge: T6125: support 802.1ad (ethertype 0x88a8) VLAN filtering
2024-03-21 | Merge pull request #3159 from sarthurdev/T6147 | Daniil Baturin
conntrack: T6147: Enable conntrack when firewall state-policy is defined
2024-03-20 | conntrack: T6147: Enable conntrack when firewall state-policy is defined | sarthurdev
* Move global state-policy smoketest to its own test, verify conntrack
2024-03-20 | bridge: T6125: support 802.1ad (ethertype 0x88a8) VLAN filtering | Christian Breunig
Linux bridge uses EtherType 0x8100 by default. In some scenarios, an EtherType value of 0x88A8 is required. Reusing CLI command from VIF-S (QinQ) interfaces:
set interfaces bridge br0 protocol 802.1ad
2024-03-20 | vti: T6085: interface is always down and only enabled by IPSec daemon | Christian Breunig
When a VTI interface is just created, it is in ADMIN UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected. This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected. This changes the logic so ADMIN UP/DOWN state can only be changed by the vti-up-down helper script. Error was introduced during the Perl -> Python migration and move to the generic vyos.ifconfig abstraction during the 1.4 development cycle.
2024-03-20 | Merge pull request #3155 from sever-sever/T6143 | Daniil Baturin
T6143: Increase configurable timeout range for service config-sync
2024-03-20 | T6143: Increase configurable timeout range for service config-sync | Viacheslav Hletenko
The maximum timeout for the `service config-sync` is 300 seconds (Connection API timeout). It could not be enough for the real massive configurations. Increase the maximum value to 3600
```
set service config-sync secondary address 192.0.2.1
set service config-sync secondary timeout 3600
```
2024-03-19 | Merge pull request #3131 from HollyGurza/T1871 | Christian Breunig
qos: T1871: add MTU option when configure limiter traffic-policy
2024-03-19 | Merge pull request #3035 from jestabro/replace-backslash | John Estabrook
T5996: selectively escape and restore single backslashes in config
2024-03-19 | policy: T6130: Revert commit 960cace | aapostoliuk
This reverts commit 960cace189d7ace2bea0968646b1348b415e0363. All community rules syntax was changed. T5357 is an invalid bug report. VyOS cannot use new configuration syntax in the previous versions.
2024-03-19 | Merge pull request #3150 from sever-sever/T6138 | Daniil Baturin
T6138: Fix op-mode show conntrack table with flowtable offloads
2024-03-19 | T6138: Fix op-mode show conntrack table with flowtable offloads | Viacheslav Hletenko
The op-mode command `show conntrack table ipv4` fails if it gets a conntrack entry with `flowtable` offload. Those entries do not have key `timeout`
```
File "/usr/libexec/vyos/op_mode/conntrack.py", line 115, in get_formatted_output
    timeout = meta['timeout']
              ~~~~^^^^^^^^^^^
```
Use the timeout `n/a` for those offload conntrack entries
2024-03-18 | Merge pull request #3145 from l0crian1/fix-fw-rule-logging | Christian Breunig
T6127: Fixed show log firewall for rule with offload
2024-03-18 | Merge pull request #3146 from nicolas-fort/T6136 | Daniil Baturin
T6136: add error checks when using dynamic firewall groups
2024-03-18 | T5996: add smoketest to check translation of backslash character | John Estabrook
2024-03-18 | T6136: add error checks when using dynamic firewall groups | Nicolas Fort
2024-03-18 | show log: T6127 - Fixed egrep regex for IPv6 | l0crian1
2024-03-18 | show log: T6127 - Fixed egrep regex | l0crian1
2024-03-18 | show log: T6127 - Fixed egrep regex | l0crian1
2024-03-18 | qos: T1871: add MTU option when configure limiter traffic-policy | khramshinr
add mtu to default and specified class update smoke test
2024-03-18 | Merge pull request #3143 from c-po/force-commit-archive | Viacheslav Hletenko
op-mode: T6133: add support to manually trigger commit-archive update
2024-03-17 | op-mode: T6133: add support to manually trigger commit-archive update | Christian Breunig
Automatic update of the remote commit-archive could fail under certain circumstances, add an op-mode command to manually trigger the update:
cpo@LR1.wue3# run force commit-archive
Archiving config...
  git+https://git.FOOO.de/cpo/vyos-config-backup
[edit]
2024-03-17 | Merge pull request #3139 from c-po/as-path-T6129 | Christian Breunig
policy: T6129: add route-map option "as-path exclude all"
2024-03-17 | Merge pull request #3140 from c-po/config-mgmt-T6133 | Christian Breunig
T6133: append domain-name to commit-archive if defined
2024-03-17 | T6133: append domain-name to commit-archive if defined | Christian Breunig
2024-03-17 | policy: T6129: add route-map option "as-path exclude all" | Christian Breunig
Remove all AS numbers from the AS_PATH of the BGP path's NLRI.
set policy route-map <name> rule <rule> set as-path exclude all
2024-03-16 | Merge pull request #3112 from Ingramz/add-rtsp-2 | Christian Breunig
conntrack: T4022: add RTSP conntrack helper
2024-03-16 | Merge pull request #3132 from sever-sever/T6121 | Christian Breunig
T6121: Extend service config-sync to new sections
2024-03-16 | Merge pull request #3137 from nicolas-fort/T6090-policy | Christian Breunig
T6090: policy: fix migration script
2024-03-15 | T6090: fix policy route migration script. Ensure that tcp flags migration occurs also if only <policy route> is defined. | Nicolas Fort
2024-03-15 | T6121: Extend service config-sync to new sections | Viacheslav Hletenko
Extend `service config-sync` with new sections:
- LeafNodes: pki, policy, vpn, vrf (syncs the whole sections)
- Nodes: interfaces, protocols, service (syncs subsections)
In this case the Node allows using the next level section, i.e. subsection. For example any of the subsections of the node `interfaces`:
- set service config-sync section interfaces pseudo-ethernet
- set service config-sync section interfaces virtual-ethernet
Example of the config:
```
set service config-sync mode 'load'
set service config-sync secondary address '192.0.2.1'
set service config-sync secondary key 'xxx'
set service config-sync section firewall
set service config-sync section interfaces pseudo-ethernet
set service config-sync section interfaces virtual-ethernet
set service config-sync section nat
set service config-sync section nat66
set service config-sync section protocols static
set service config-sync section pki
set service config-sync section vrf
```
2024-03-14 | Merge pull request #3135 from c-po/xml-nat66 | Christian Breunig
xml: T2518: T160: improve NAT66/NPTv6 and NAT64 help strings
2024-03-14 | xml: T160: improve NAT64 help string | Christian Breunig
2024-03-14 | xml: T2518: improve NAT66/NPTv6 help string | Christian Breunig
2024-03-14 | Merge pull request #3133 from c-po/xml | Christian Breunig
xml: T3642: improve PKI CLI help string
2024-03-14 | xml: T3642: improve PKI CLI help string | Christian Breunig
2024-03-13 | Merge pull request #3125 from c-po/radvd-T6118 | Daniil Baturin
radvd: T6118: add nat64prefix support RFC8781
2024-03-13 | Merge pull request #3126 from zdc/T4548-circinus | Christian Breunig
grub: T4548: Fixed GRUB configuration files order
2024-03-13 | grub: T4548: Fixed configuration files order | zsdc
To iterate files on ext* file systems GRUB reads their inodes one by one, ignoring names. This breaks our configuration logic that relies on proper loading order. This commit adds a helper `sort_inodes()` that needs to be used whenever GRUB configuration files are created. It recreates files, changing their inodes in a way where inodes order matches alphabetical order.
2024-03-12 | radvd: T6118: add nat64prefix support RFC8781 | Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600.
set service router-advert interface eth1 nat64prefix 64:ff9b::/96
2024-03-12 | conntrack: T4022: add RTSP conntrack helper | Indrek Ardel
2024-03-12 | Merge pull request #3123 from sarthurdev/T5080_order | Christian Breunig
conntrack: T5080: Fix rule order for applied conntrack modules
2024-03-12 | Merge pull request #3120 from lucasec/t6114 | Christian Breunig
T6114: fix broken migration dhcpv6-server 4-to-5
2024-03-12 | conntrack: T5080: Fix rule order for applied conntrack modules | sarthurdev
2024-03-10 | T6114: fix broken migration dhcpv6-server 4-to-5 | Lucas Christian
2024-03-10 | Merge pull request #3110 from jestabro/relax-description-constraint | Christian Breunig
xml: T6098: relax description constraint to allow non-ascii characters
2024-03-10 | xml: T6098: relax description constraint to allow non-ascii characters | John Estabrook
A restriction to ascii in the constraint disallowed earlier support for unicode bytes.
2024-03-10 | Merge pull request #3117 from UnixxSH/patch-1 | Christian Breunig
dhcp-client: T6093: extend regex for client class-id's with DOT