Age | Commit message (Collapse) | Author |
|
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
When a CLI node is set with a migrator and is not a valueLess node, we need to
specify the "value" using the value= operation in config.set().
This fixes the config load error: vyos.configsession.ConfigSessionError: Invalid
config file (syntax error): error at line 353
|
|
smoketest: T4118: Fix smoketest for NHRP
|
|
As we change syntax for IPSec 'esp <tag> compression disable'
to delete 'compression' if it not used, so delete it from nhtp
test
|
|
isis: T4693: Fix ISIS segment routing configurations, part deux
|
|
isis: T4693: Fix ISIS segment routing configurations
This change is to fix more bugs in which ISIS segment routing was broken due to a refactor. This change also introduces a few additions to the ISIS handler for checking per prefix validations for segment value and mutual exclusivity for two options.
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep beeing alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
|
|
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
vyos@vyos# show firewall
+name foo {
+ rule 1 {
+ action accept
+ packet-length 100
+ packet-length 105
+ packet-length 200-300
+ packet-length 220-250
+ }
+}
will report a nftables error upon load: Error: conflicting intervals specified
With nftables 1.0.3 there is an "auto-merge" option which corrects this:
https://lwn.net/Articles/896732/
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
policy-route: T4697: Add missing rule_id for verify_rule func
|
|
|
|
This will set the listen-host ocserv configuration option.
|
|
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
|
|
There is a missing 'rule_id' in verify_rule() function
We call it from the loop but don't provide argument 'rule_id'
It cause "NameError: name 'rule_id' is not defined"
Fix it
|
|
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
|
|
Add new VyOS CLI command:
set protocols bgp parameters bestpath peer-type multipath-relax
This command specifies that BGP decision process should consider paths from all
peers for multipath computation. If this option is enabled, paths learned from
any of eBGP, iBGP, or confederation neighbors will be multipath if they are
otherwise considered equal cost. [1]
[1]: http://docs.frrouting.org/en/stable-8.3/bgp.html#clicmd-bgp-bestpath-peer-type-multipath-relax
|
|
In addition to verify the queue lengths when CLI option is set, we also need
to verify that all values are resetted back to "0" which is the Kernel default.
|
|
|
|
* 'T4689' of https://github.com/jack9603301/vyos-1x:
rfs: T4689: Support RFS(Receive Flow Steering)
|
|
|
|
|
|
Kernel 5.15.y and newer only support an upper boundary of 255.
vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=255
net.netfilter.nf_conntrack_tcp_max_retrans = 255
vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=256
sysctl: setting key "net.netfilter.nf_conntrack_tcp_max_retrans": Invalid argument
|
|
The old value of 1024 is no longer supported by the most recent Kernel
|
|
keymap: T4695: Add Spain 'es' and Japan 'jp106' keymaps
|
|
Add Spain (es) and Japan (jp106) keymaps
set system option keyboard-layout es|jp106
|
|
openvpn: T4679: Fix incorrect verify local and remote address
|
|
firewall: nat66: policy: T2199: Fix smoketests for nftables updated output
|
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations but "verify()" checks also local and
remote IPv4 addresses that in this case will be empty lists
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty
|
|
|
|
nhrp: T2199: Use separate table in nftables for NHRP rules
|
|
|
|
firewall: zone-policy: T2199: T4605: Refactor firewall, migrate zone-policy
|
|
isis: T4693: Fix ISIS segment routing configurations
|
|
This change is to fix a bug in which ISIS segment routing was broken due to a refactor.
This change also is going to introduce a smoketest to make sure this is caught in the future.
|
|
|
|
|
|
|
|
|
|
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
|
|
This reverts commit 53355271a2864d844daca89a064c21e514e10adb.
|
|
|
|
|