* 'firewall' of https://github.com/sarthurdev/vyos-1x:
zone_policy: T3873: Implement intra-zone-filtering
policy: T2199: Migrate policy route op-mode to XML/Python
policy: T2199: Migrate policy route to XML/Python
zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
zone-policy: T2199: Migrate zone-policy to XML/Python
firewall: T2199: Migrate firewall op-mode to XML/Python
firewall: T2199: Migrate firewall to XML/Python
|
ipsec: T4126: Ability to set priorities for installed policy
|
Add priority for policy based IPSec VPN tunnels
If 2 tunnels have the same pair of local and remote traffic
selectors (prefixes) it allows to set more preferable install
policy from required peer
The lowest priority is more preferable
|
Commit 566f7f24 ("snmp: T4124: migrate to get_config_dict()") changed the
internal structure to support vyos-configd. When using SNMPv3 we need to
alter the running config by replacing the plaintext-password with an encrypted
one, this is not allowed with vyos-configd.
|
dhclient: T4121: Fixed resolv.conf generation at early boot stage
|
In case if a CLI configuration is not available, dhclient cannot add
nameservers to a `resolv.conf` file, because `vyos-hostsd` requires that
an interface be listed in the `set system name-server` option.
This commit introduces two changes:
* `vyos-hostsd` service will not be started before Cloud-Init fetches all
remote data. This is required because all meta-data should be available
for Cloud-Init before any of VyOS-related services start since it is
used for configuration generation.
* the `vyos-hostsd-client` in the `dhclient-script` will be used only if
the `vyos-hostsd` is running. In other words - if VyOS services already
started, dhclient changes `resolv.conf` using `vyos-hostsd`; in other
cases - does this directly.
These changes should protect us from problems with DHCP during system
boot if DHCP is required by third-party utils.
|
webproxy: T4116: Ability to listen on IPv6 addresses
|
IPv6 addresses on webproxy/SQUID were not added correctly.
They need to be added in brackets.
Modified squid.conf.tmpl to bracketize the address
|
ipsec: T4111: Fix for swanctl configuration IPV6 peers
|
Peer name must not contain dots and colons, otherwise
swanctl can't generate correct configuration for swanctl.conf
This is used in connection names and child SA names
Add filter 'dot_colon_to_dash' which replaces dots and colons
|
syslog: T4039: Add protocol23format logging for UDP
|
Add protocol23format for rsyslog protocol UDP
Add ability to use IPv6 addresses (bracketize_ipv6) for
protocol TCP and UDP, when protocol is configured explicitly
|
* t4097-flow-accounting:
flow-accounting: T4106: support specification of capture packet length
flow-accounting: T4105: drop "sflow agent-address auto"
flow-accounting: T4099: rename "netflow source-ip" to source-address
flow-accounting: T4097: move to get_config_dict()
|
The implementation of the "auto" option to specify the sflow/netflow
agent-address is very error prone. The current implementation will determine
the IP address used for the "auto" value as follows:
Get BGP router-id
1) If not found use OSPF router-id
2) If not found use OSPFv3 router-id
3) If not found use "the first IP address found on the system"
Well, what is the "first IP address found"? Also this changes if DHCP is in use.
Also another disadvantage is when the BGP/OSPF/OSPFv3 router-id is changed,
the agent-address is not updated upon the next reboot of the system.
This task is about removing the "auto" keyword from the CLI at all and make it
either entirely configurable by the user and hardcode the value in CLI, or not
use this at all.
If "auto" is specified we will query the system in the above order and set the
proper router-id in the CLI. If none can be found the CLI node is removed.
|
sFlow uses the source-address CLI node and netflow uses source-ip; this is just
confusing and should be synced to the common source-address CLI node.
|
keepalived: T4081: Fix health-checking when syn-group is used
|
conntrack-sync: T3854: Add missed statistics for op-mode
|
After rewriting conntrack-sync to XML/python part of op-mode
parameters was missed
Add "status" and "statistics" for conntrack-sync
|
interface: T4056: Fix unexpected delete tc qdisc
|
Traffic-policy rules are generated by old Perl code
This commit prevents this code from being unexpectedly overridden by Python.
|
If health-check scripts are used in vrrp group and vrrp group
is member of sync-group, then health-check scripts should be
part of the section "vrrp_sync_group". In other case the
health-scripts won't work anymore.
|
nat: T3435: Fix for op-mode concatenate str
|