Age | Commit message (Collapse) | Author |
The VLAN-aware bridge was forwarding traffic between member ports, but traffic
destined towards the CPU was dropped. This resulted in the gateway not being reachable
or DHCP leases that could not be handed out.
Tested via:
VyOS
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '10'
set interfaces bridge br0 member interface eth1 allowed-vlan '20'
set interfaces bridge br0 member interface eth1 allowed-vlan '30'
set interfaces bridge br0 member interface eth1 allowed-vlan '40'
set interfaces bridge br0 member interface eth1 native-vlan '40'
set interfaces bridge br0 member interface eth2 allowed-vlan '30'
set interfaces bridge br0 member interface eth2 allowed-vlan '20'
set interfaces bridge br0 member interface eth2 allowed-vlan '10'
set interfaces bridge br0 member interface eth2 allowed-vlan '40'
set interfaces bridge br0 vif 10 address '10.0.10.1/24'
set interfaces bridge br0 vif 20 address '10.0.20.1/24'
set interfaces bridge br0 vif 30 address '10.0.30.1/24'
set interfaces bridge br0 vif 40 address '10.0.40.1/24'
Arista vEOS
vlan 10,20,30,40
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
interface Vlan10
ip address 10.0.10.2/24
interface Vlan20
ip address 10.0.20.2/24
interface Vlan30
ip address 10.0.30.2/24
interface Vlan40
ip address 10.0.40.2/24
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
spanning-tree portfast
Cisco vIOS
interface GigabitEthernet0/0
ip address 10.0.40.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.10.3 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.20.3 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.30.3 255.255.255.0
!
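As an added illustration (example code, not part of the commit or of vyos-1x), the following renders a VLAN-aware bridge configuration shaped like the VyOS test config above into the iproute2 `bridge vlan` commands that implement it on Linux. The config dict, the `self` entries for the bridge device (which is what lets a VLAN-aware bridge deliver tagged frames to the host rather than only between member ports) and the helper names are assumptions of this example; nothing is executed, the commands are only generated.

```python
# Added example, not vyos-1x code: render a VLAN-aware bridge config into
# iproute2 "bridge vlan" commands. Member ports get one entry per allowed
# VLAN, the native VLAN is "pvid untagged", and the bridge device itself
# gets a "self" entry for every VLAN carrying a vif, so that frames in those
# VLANs reach the host (the CPU port) instead of being dropped.
from typing import Dict, List

# Constructed input mirroring the "set interfaces bridge br0 ..." lines above.
BRIDGE_CONFIG = {
    "name": "br0",
    "members": {
        "eth1": {"allowed_vlan": [10, 20, 30, 40], "native_vlan": 40},
        "eth2": {"allowed_vlan": [30, 20, 10, 40]},
    },
    # VLAN IDs that have a 'vif' with an address, i.e. VLANs on which the
    # host itself must be able to send and receive.
    "vifs": [10, 20, 30, 40],
}


def render_bridge_vlan(cfg: Dict) -> List[str]:
    """Return the 'bridge vlan add' commands for a VLAN-aware bridge."""
    bridge = cfg["name"]
    cmds: List[str] = []
    for port, pcfg in sorted(cfg["members"].items()):
        native = pcfg.get("native_vlan")
        for vid in sorted(set(pcfg["allowed_vlan"])):
            if vid == native:
                # Untagged ingress is assigned this VLAN; egress is untagged.
                cmds.append(f"bridge vlan add dev {port} vid {vid} pvid untagged")
            else:
                cmds.append(f"bridge vlan add dev {port} vid {vid}")
    # The bridge device is a member of the VLAN only with the "self" flag;
    # without these entries locally destined traffic never reaches the host.
    for vid in sorted(set(cfg.get("vifs", []))):
        cmds.append(f"bridge vlan add dev {bridge} vid {vid} self")
    return cmds


def host_reachable_vlans(cmds: List[str], bridge: str) -> List[int]:
    """VLAN IDs for which the bridge device itself has a 'self' entry."""
    vids = []
    for cmd in cmds:
        parts = cmd.split()
        if (parts[:4] == ["bridge", "vlan", "add", "dev"]
                and parts[4] == bridge and parts[-1] == "self"):
            vids.append(int(parts[parts.index("vid") + 1]))
    return sorted(vids)


if __name__ == "__main__":
    for line in render_bridge_vlan(BRIDGE_CONFIG):
        print(line)
```

The check that matters for the symptom described above is `host_reachable_vlans`: a configuration that programs only the member ports yields an empty list, which is exactly the state in which the bridge forwards between eth1 and eth2 while the gateway addresses on the vifs stay unreachable.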
Ability to configure src/dst/translation port and protocol for
SNAT and DNAT IPv6
ocserv: T4597: Fix check bounded port by service itself
We check the listen port before committing the service, whether the port is available and
not bound, but when we start openconnect our own port becomes
bound by the "ocserv-main" process and the next commit will fail as the
port is already bound.
To fix it, extend the check: if the port is already bound, verify it is not our
own "ocserv-main" process.
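One way to implement that refined check, as an added example that is not the commit's or vyos-1x's own code: parse the listening sockets reported by `ss -H -ltnp` and treat a port as free when it is unbound or held only by our own "ocserv-main" process, and as a conflict when any other process (or an unidentifiable one) holds it. The process name, the `ss` sample output and the function names are assumptions of this example; the sample is constructed so the code runs offline.

```python
# Added example, not vyos-1x code: decide whether the openconnect listen
# port may be used, accepting a socket already held by our own process.
import re
from typing import Iterator, List, Optional, Tuple

OWN_PROCESS = "ocserv-main"  # assumed name of the process we accept

# Constructed sample in the layout printed by `ss -H -ltnp` (no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      1024         0.0.0.0:443        0.0.0.0:*    users:(("ocserv-main",pid=2731,fd=6))
LISTEN 0      128             [::]:8443          [::]:*    users:(("nginx",pid=1490,fd=8),("nginx",pid=1491,fd=8))
"""

# Matches one ("name",pid=N,fd=N) entry inside the users:(...) column.
_USER = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def listeners(ss_output: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (port, process names) for every LISTEN line of ss output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # Works for "0.0.0.0:443" as well as "[::]:443".
        port = int(local.rsplit(":", 1)[1])
        procs = [m.group(1) for m in _USER.finditer(line)]
        yield port, procs


def port_conflict(port: int, ss_output: str, own: str = OWN_PROCESS) -> Optional[List[str]]:
    """Return None if the port may be used, else the names holding it.

    A socket bound only by `own` is not a conflict (our previous instance
    holds it). A socket with no visible owner is reported as "<unknown>"
    rather than silently accepted.
    """
    for bound_port, procs in listeners(ss_output):
        if bound_port != port:
            continue
        if not procs:
            return ["<unknown>"]
        foreign = [p for p in procs if p != own]
        if foreign:
            return foreign
    return None


if __name__ == "__main__":
    for p in (22, 443, 8443, 9443):
        print(p, port_conflict(p, SAMPLE_SS_OUTPUT))
```

On a live system the input would be `subprocess.run(["ss", "-H", "-ltnp"], capture_output=True, text=True).stdout`; note that `-p` only shows owners of sockets the caller can inspect, which is why an empty owner list is treated as a conflict rather than as free.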
UPnP: T4211: T4620 Fix upnp template
When MACsec was bound to an ethernet interface and the underlying
source-interface got changed (even the description only), this terminated the
MACsec session running on top of it.
The root cause is that when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed led
to the fact that wpa_supplicant was always stopped when anything happened on
the underlying source-interface that was not related to EAPoL.
From the miniupnpd docs:
IP/mask format must be nnn.nnn.nnn.nnn/nn
Comment out the invalid option "anchor"
Ability to drop|accept packets based on TCP MSS size
set firewall name <tag> rule <tag> tcp mss '501-1460'
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
One rule is enough for both the PREROUTING and POSTROUTING rules.
Use a separate table 'vyos_static_nat', as SRC/DST rules and
STATIC rules can have the same rule number.
upnp: T4613: Verify listen key in dictionary
T4619: Replacing instead of adding a static arp entry
There is no check whether 'listen' exists in the dictionary; fix it.
Fix odd ValueHelp format.
ocserv: T4596: Rewrite show openconnect sessions op-mode
dhcp-relay: T4601: restart dhcp relay-agent
The command "restart dhcp relay-agent" doesn't restart "isc-dhcp-relay" service.
set vpn openconnect network-settings split-dns <domain>
container: T4609: Fix restart container
Add two dashes for the "name" argument.
dmvpn: T4595: Fix dpd profile options
l2tp: T4603: Add RADIUS nas-ip-address option
Fix the template for the DMVPN IKE profile configuration:
dead-peer-detection delay and dead-peer-detection timeout options
Add the l2tp authentication radius nas-ip-address option,
which will be sent in the NAS-IP-Address RADIUS attribute.
nat66: T4598: Add exclude options in nat66
and nat-rule.xml.i
Rewrite "show openconnect-server sessions" to the vyos.opmode format
Ability to get raw and formatted output
Ability to get data via the API
ocserv: T4597: Check bind port before openconnect commit
Check if the openconnect listen port is available and not used by
another service.
T2719: add an exception hierarchy for op mode errors
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
AES-GCM-256
nat66: T4586: Add SNAT destination prefix and DNAT address
Rewrite op-mode "show vpn ipsec sa" to the new format
Use the vyos.opmode format
Ability to get raw and formatted output
Add overwritten script 'ipsec.py' to 'op-mode-standardized.json'
Convert multiple types of data to types usable in the CLI.
For example 'vici' returns values as bytestrings/bytes and we can
decode them all at once.
on error
T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
Ability to configure SNAT destination prefix and
DNAT source address
Add the "!" option (negated address/prefix) for NAT66