summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-04-22Merge pull request #3337 from Embezzle/T6237Christian Breunig
T6237: IPSec remote access VPN: ability to set EAP ID of clients
2024-04-21T6237: IPSec remote access VPN: ability to set EAP ID of clientsAlex W
2024-04-21smoketest: support dynamic enable of smoketest debuggingChristian Breunig
$ touch /tmp/vyos.smoketest.debug will enable dynamic debugging of the smoketests - showing the appropriate CLI commands on stdout
2024-04-21Merge pull request #3338 from nvollmar/haproxy-http-checkChristian Breunig
T6246: improve haproxy http check configuration
2024-04-21T6246: improve haproxy http check configurationNicolas Vollmar
2024-04-20gre: T6252: allow tunnel MTU to exceed 8024 bytesfett0
2024-04-19Merge pull request #3325 from nvollmar/haproxy-http-checkDaniil Baturin
T6246: basic haproxy http-check configuration
2024-04-18Merge pull request #3330 from jestabro/show-openvpn-failDaniil Baturin
openvpn: T6245: return 'n/a' if client info not available
2024-04-18openvpn: T6245: return 'n/a' if client info not availableJohn Estabrook
2024-04-18Merge pull request #3326 from sever-sever/T6221Daniil Baturin
T6221: Return default ip rule values after deleting VRF
2024-04-18Merge pull request #3327 from sarthurdev/T6241John Estabrook
pki: T6241: do not call dependency before its initialization
2024-04-18pki: T6241: do not call dependency before its initializationJohn Estabrook
2024-04-18T6221: Return default ip rule values after deleting VRFViacheslav Hletenko
Fix for restoring default ip rule values after deleting VRF Defult values: ``` $ ip rule 0: from all lookup local 32766: from all lookup main 32767: from all lookup default ``` After adding and deleting a VRF we get unexpected values: ``` $ ip rule 1000: from all lookup [l3mdev-table] 2000: from all lookup [l3mdev-table] unreachable 32765: from all lookup local 32766: from all lookup main 32767: from all lookup default ```
2024-04-17T6246: adds basic haproxy http-check configurationNicolas Vollmar
2024-04-17Merge pull request #3320 from nicolas-fort/T6191Christian Breunig
T6191: do not append action policy route|route6 when its not specified
2024-04-16Merge pull request #3321 from jestabro/confirm-passJohn Estabrook
image-tools: T6154: installer prompts to confirm password
2024-04-16image-tools: T6154: installer prompts to confirm a non-default passwdJohn Estabrook
2024-04-16T6191: do not append action to firewall and policy route|route6 when its not ↵Nicolas Fort
specified, in order to ensure same behavior as in Equuleus
2024-04-16Merge pull request #3313 from sever-sever/T5722Daniil Baturin
T5722: Failover route add option onlink
2024-04-16Merge pull request #3315 from Embezzle/T6242Daniil Baturin
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates
2024-04-15T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify ↵Alex W
server certificates
2024-04-15Merge pull request #3311 from sarthurdev/T6241John Estabrook
pki: T6241: Fix dependency updates on PKI changes
2024-04-15T5722: Failover route add option onlinkViacheslav Hletenko
onlink pretend that the nexthop is directly attached to this link, even if it does not match any interface prefix. Useful when gateway not in the same interface network set interfaces ethernet eth0 vif 10 address '10.20.30.1/32' set protocols static route 10.20.30.0/32 interface eth0.10 set protocols failover route 192.0.2.11/32 next-hop 10.20.30.0 onlink ``` vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 metric 1 proto failover Error: Nexthop has invalid gateway. [edit] vyos@r4# [edit] vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 onlink metric 1 proto failover [edit] vyos@r4# ```
2024-04-15Merge pull request #3309 from nicolas-fort/T5535Daniil Baturin
T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-optinos
2024-04-15pki: T6241: Fix dependency updates on PKI changessarthurdev
2024-04-15Merge pull request #3308 from sever-sever/T5734Daniil Baturin
T5734: OpenVPN check PKI DH name exists if DH configured
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos
2024-04-15T5734: OpenVPN check PKI DH name exists if DH configuredViacheslav Hletenko
Check if DH is configured for OpenVPN but does not exist in the PKI section ``` set pki dh dh-correct parameters 'xxxx' set interfaces openvpn vtun10 tls dh-params 'dh-fake' File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki pki_dh = pki['dh'][tls['dh_params']] ~~~~~~~~~^^^^^^^^^^^^^^^^^^ KeyError: 'dh-fake' ```
2024-04-13Merge pull request #3297 from HollyGurza/T6035Daniil Baturin
qos: T6035: QoS policy shaper queue-type random-detect requires limit avpkt
2024-04-12Merge pull request #3291 from aapostoliuk/T6100-circinusChristian Breunig
T6100: Added NAT migration from IP/Netmask to Network/Netmask
2024-04-12Merge pull request #3302 from lucasec/t5872-fixChristian Breunig
T5872: fix ipsec dhclient hook uses "exit" instead of "return"
2024-04-12T5872: fix ipsec dhclient hook uses "exit" instead of "return"Lucas Christian
2024-04-12Merge pull request #3300 from sever-sever/T6235Christian Breunig
T6235: Git update actions-label-merge-conflict version
2024-04-12T6235: Git update actions-label-merge-conflict versionViacheslav Hletenko
Update `actions-label-merge-conflict` due to `Node.js 16 actions are deprecated.`
2024-04-12qos: T6035: QoS policy shaper queue-type random-detect requires limit avpktkhramshinr
Added params for configuration red on the shaper policy
2024-04-12pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions ↵Nataliia Solomko
fails (#3296)
2024-04-12T6100: Added NAT migration from IP/Netmask to Network/Netmaskaapostoliuk
Added NAT migration from IP/Netmask to Network/Netmask. In 1.3 allowed using IP/Netmask in Nat rules. In 1.4 and 1.5 it is prohibited. Allowed Network/Netmask.
2024-04-12Merge pull request #2708 from lucasec/t5871Christian Breunig
T5871: ipsec remote access VPN: specify "cacerts" for client auth
2024-04-11T5871: ipsec remote access VPN: specify "cacerts" for client auth.Lucas Christian
2024-04-11Merge pull request #3292 from sever-sever/T6222Daniil Baturin
T6222: VRRP show prefix for long rfc3768-compatibility interfaces allow prefix vrrp
2024-04-11Merge pull request #3290 from nicolas-fort/T6216Daniil Baturin
firewall: T6216: replace plus symbols (allowed by IPset but not NFT) in group names with underscores
2024-04-11Merge pull request #3274 from sever-sever/T5169Daniil Baturin
T5169: Add PoC for generating CGNAT rules rfc6888
2024-04-11Merge pull request #3281 from nicolas-fort/T6213Christian Breunig
T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i>
2024-04-11T6216: firewall: add patch while migrating from 1.3 to 1.4 in order to avoid ↵Nicolas Fort
errors when using character <+> in 1.3 in firewall groups and custom firewall chains.
2024-04-11T6222: VRRP show prefix for long rfc3768-compatibility interfacesViacheslav Hletenko
If we use rfc3768-compatibility with long interface names like eth1.100.200 it converts the VRRP interface name name to `<interface>v<VRID><IP version>` For example `eth2.100.200v10v4` The limit for interface name is 15 symbols and it causes that interface name is ignoring by keepalived VMAC interface name 'eth2.100.200v10v4' too long or invalid characters - ignoring And it uses the default prefix `vrrp` for such cases. It works fine, but such interfaces are not displayed in the op-mode Allow prefix `vrrp` for the op-mode for `show interfaces`
2024-04-09Merge pull request #3286 from jvoss/eui64_podman_vrfChristian Breunig
container: T6218: fix host IPv6 link-local address for VRF networks
2024-04-09container: T6218: fix host IPv6 link-local address for VRF networksJonathan Voss
2024-04-09T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i> ↵Nicolas Fort
in order to not allow string starting with dot character; use such constraint in firewall group definitions.
2024-04-09container: T6210: add capability sys-nicetheflakes
2024-04-09T5169: Add PoC for generating CGNAT rules rfc6888Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ```