summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-09-12T4309: Conntrack ignore fix to handle interface anyViacheslav Hletenko
Interface 'any' not expected in nft rules, it means that option iifname shouldn't exist at all set system conntrack ignore ipv4 rule 10 inbound-interface 'any' table ip raw { chain VYOS_CT_IGNORE { iifname "any" counter packets 0 bytes 0 notrack comment "ignore-10" return } } Fix it
2023-09-12frr: T5239: T2061: prevent writing logs to /var/log/frr/frr.logChristian Breunig
2023-09-11frr: T5239: fix process startup orderChristian Breunig
- Reuse existing utility functions to check if a boot is ongoing (boot_configuration_complete()) - Run system_frr.py script to configure FRR daemon before initial launch - Add safety net to always have FRR running on the system This does yet not solve the error in T5239 but it's a small step towards the solution.
2023-09-11GitHub: fix workflow folder for MergifyIoChristian Breunig
2023-09-11GitHub: add MergifyIo actionChristian Breunig
2023-09-11T4072: Firewall op-mode command: add bridge capabilitiesNicolas Fort
2023-09-11init: remove dependency on frr.service - required for router shutdownChristian Breunig
2023-09-11T5241: Revert change to vyos.utils.process.cmdChristian Breunig
2023-09-11Merge pull request #2238 from sarthurdev/currentChristian Breunig
vxlan: T3700: Revert change to `vyos.utils.process.cmd`
2023-09-10vxlan: T3700: Revert change to `vyos.utils.process.cmd`sarthurdev
2023-09-10Merge pull request #2236 from vfreex/fix-nat-problem-with-vrfChristian Breunig
T3655: Fix NAT problem with VRF
2023-09-11T3655: Fix NAT problem with VRFYuxiang Zhu
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/ adds direction support for conntrack zones, which makes it possible to do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host. According to the description of the kernel patch: > ... overlapping tuples can be made unique with the zone identifier in original direction, where the NAT engine will then allocate a unique tuple in the commonly shared default zone for the reply direction. I did some basic tests in my lab and it worked fine to forward packets from eth0 to pppoe0. - eth0 192.168.1.1/24 in VRF red - pppoe0 dynamic public IP from ISP VRF default - set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default' - set protocols static route 192.168.1.0/24 interface eth0 vrf 'red' `conntrack -L` shows something like: ``` tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1 ``` It would be much appreciated if someone could test this with more complex VRF setup.
2023-09-10Debian: bump package version to 1.5dev0Christian Breunig
2023-09-10Merge pull request #2232 from alainlamar/T5567Christian Breunig
T5567: Increase allowed range for maximum-object-size to 1GB for webproxy
2023-09-10Merge pull request #2235 from sever-sever/T5564Christian Breunig
T5564: Fix show firewall group and show firewall summary
2023-09-10T5564: Fix show firewall group and show firewall summaryViacheslav Hletenko
The `rule` key could be not exists in the entry of the dictionary for examppe `{'default_action': 'drop'}` Fix it
2023-09-10Merge pull request #2234 from sever-sever/T4309Viacheslav Hletenko
T4309: Fix conntrack teamplate group
2023-09-10T4309: Fix conntrack teamplate groupViacheslav Hletenko
2023-09-10Merge pull request #2233 from vfreex/fix-mld-smoketestsChristian Breunig
T5518: pim6: Fix smoketests
2023-09-10T5518: pim6: Fix smoketestsYuxiang Zhu
2023-09-09T5567: Increase allowed range for maximum-object-size to 1000000 KB for the ↵Alain Lamar
webproxy service
2023-09-09Merge pull request #2179 from vfreex/add-mldChristian Breunig
T5518: Add basic MLD support
2023-09-09Merge pull request #2230 from sever-sever/T5562Christian Breunig
T5562: Cleanup netns for smoketest load-balancing wan
2023-09-09T5562: Cleanup netns for smoketest load-balancing wanViacheslav Hletenko
Cleanup nets for the smoketest load-balancing Remove deleting container interfaces from default netns as those interfaces leave inly in netns.
2023-09-09T4754: Fix path for popen moved to utils processViacheslav Hletenko
2023-09-09T4502: firewall: Add software flow offload using flowtableYuxiang Zhu
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
2023-09-09Merge pull request #2228 from hlhc/fix/env-replaced-by-labelChristian Breunig
container: T5563 Fix environment replaced by label
2023-09-09vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridgesChristian Breunig
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI is configured against a container VXLAN interface which is referred to as a 'Single VXLAN device (SVD)'. Multiple VLAN to VNI mappings can be configured against the same SVD. This allows for a significant scaling of the number of VNIs since a separate VXLAN interface is no longer required for each VNI. Sample configuration of SVD with VLAN to VNI mappings is shown below. set interfaces bridge br0 member interface vxlan0 set interfaces vxlan vxlan0 external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
2023-09-09container: T5563 Fix environment replaced by labelCyrus
2023-09-08Merge pull request #2222 from nicolas-fort/T4072-fwall-bridgeChristian Breunig
T4072: add firewall bridge filtering.
2023-09-08Merge pull request #2220 from sever-sever/T5554Christian Breunig
T5554: Disable sudo for PAM RADIUS
2023-09-08Merge pull request #2223 from vyos/sonarViacheslav Hletenko
Revert Sonar "Create build.yml"
2023-09-08Merge pull request #1602 from goodNETnick/goodnetnick-shloginotp-T4754Viacheslav Hletenko
login: T4754: show configured 2FA OTP key
2023-09-08T5554: Disable sudo for PAM RADIUSViacheslav Hletenko
Disable sudo for PAM RADIUS template that slows down the CLI commands To fix it add: session [default=ignore success=2] pam_succeed_if.so service = sudo
2023-09-08Revert "Create build.yml"Viacheslav Hletenko
This reverts commit 7a99a59b338fecd73d34819a0a95646c054a0f12. SonarCloud is not configured for now properly. Revert this commit until we confiugre all properly if we'll use it in the future.
2023-09-08T5518: Add basic MLD supportYuxiang Zhu
Currently VyOS has `protocol igmp` option to enable IGMP querier and reports through FRR's pimd. I would like to add support for IPv6 as well since FRR's IPv6 multicast functionality has significantly improved. Enabling both MLD and IGMP on a VyOS router will allow us to turn on multicast snooping on layer-3 switches in dual-stack networks. Example commands: ``` // Enable on interface eth0 set protocols pim6 interface eth0 // Explicitly join multicast group ff18::1234 on interface eth1 set protocols pim6 interface eth1 mld join ff18::1234 // Explicitly join source-specific multicast group ff38::5678 with source address 2001:db8::1 on interface eth1 set protocols pim6 interface eth1 mld join ff38::5678 source 2001:db8::1 ```
2023-09-08Merge pull request #2221 from sarthurdev/configtest_extendChristian Breunig
smoketest: T5558: Extend configtest to allow checking of migration script results
2023-09-07T4072: add firewall bridge filtering. First implementation only applies for ↵Nicolas Fort
forward chain and few matchers. Should be extended in the future.
2023-09-07smoketest: T5558: Extend configtest to allow checking of migration script ↵sarthurdev
results
2023-09-07config-mgmt: T5556: fix bug in revision to archive updateJohn Estabrook
2023-09-07Merge pull request #2216 from jestabro/ext-dependencyChristian Breunig
T5412: Add support for extending config-mode dependencies in add-on packages
2023-09-07Merge pull request #2217 from sarthurdev/T5555Christian Breunig
system: T5555: Fix time-zone migrator changing valid time-zones to UTC
2023-09-07system: T5555: Fix time-zone migrator changing valid time-zones to UTCsarthurdev
2023-09-06conf-mode: T5412: move dependency check from smoketest to nosetestJohn Estabrook
2023-09-06conf-mode: T5412: add script for add-on package check of dependenciesJohn Estabrook
2023-09-06conf-mode: T5412: add support for supplemental dependency definitionsJohn Estabrook
Add support for defining config-mode dependencies in add-on packages.
2023-09-06Merge pull request #2199 from sarthurdev/T4309Christian Breunig
conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups
2023-09-06Merge pull request #2205 from sever-sever/T5489Christian Breunig
T5489: Add sysctl TCP congestion control by default to BBR
2023-09-06Merge pull request #2206 from sever-sever/T5423Christian Breunig
T5423: Fix for op-mode show vpn ike secrets
2023-09-06Merge pull request #2208 from sarthurdev/T5550Christian Breunig
interface: T5550: Interface source-validation priority over global value