Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
|
|
* 't31-vrf' of github.com:c-po/vyos-1x:
vrf: T31: enable vrf support for dummy interface
templates: T2099: make op-mode path completion helper working
vrf: T31: reorder routing table lookups
vrf: T31: adding unreachable routes to the routing tables
vrf: T31: prior to the v4.8 kernel iif and oif rules are needed
vrf: T31: create iproute2 table to name mapping reference
vrf: T31: rename 'vrf disable-bind-to-all ipv4' to 'vrf bind-to-all'
vrf: T31: support add/remove of interfaces from vrf
vrf: T31: remove superfluous vyos.vrf library functions
vrf: T31: reduce script complexity
vrf: T31: no need to use sudo calls in vrf.py
vrf: T31: make 'show vrf' command behave like other 'show interface commands'
xml: include: description: adjust help message
vrf: T31: improve help for routing table
vrf: T31: reuse interface-description.xml.i for instance description
vrf: T31: use embedded regex on 'vrf name' instead of python script
vrf: T31: initial support for a VRF backend in XML/Python
ifconfig: T2057: generic interface option setting
|
|
|
|
|
|
Linux routing uses rules to find tables - routing targets are then looked up in
those tables. If the lookup got a matching route, the process ends.
TL;DR; first table with a matching entry wins!
You can see your routing table lookup rules using "ip rule", sadly the local
lookup is hit before any VRF lookup. Pinging an addresses from the VRF will
usually find a hit in the local table, and never reach the VRF routing table -
this is usually not what you want. Thus we will re-arrange the tables and move
the local lookup furhter down once VRFs are enabled.
|
|
|
|
.. we run on 4.19 thus this is no longer needed.
|
|
|
|
By default the scope of the port bindings for unbound sockets is limited to the
default VRF. That is, it will not be matched by packets arriving on interfaces
enslaved to an l3mdev and processes may bind to the same port if they bind to
an l3mdev.
TCP & UDP services running in the default VRF context (ie., not bound to any
VRF device) can work across all VRF domains by enabling the 'vrf bind-to-all'
option.
|
|
|
|
vyos.vrf.list_vrfs() was only used in one function thus building a library is
no longer needed. If it is needed in the future it should be placed into a
library again.
|
|
Keep it simple and stupid :)
|
|
All configuration mode scripts are already run with sudo.
|
|
- remove the additional depth for querying discrete VRF names
- retrieve available VRF names from via <path> from CLI rather then invoking
an external script
|
|
|
|
|
|
|
|
|
|
This is a work in progress to complete T31 whoever thought it was less than
1 hour of work was ..... optimistic.
Only VRF vreation and show is supported right now. No interface can be bound
to any one VRF.
|
|
this patch allows to get or change many interface options (mtu, arp settings, ...)
using get_interface / set_interface functions
|
|
|
|
ifconfig: T2057: allow unknown config keys, and fix variable name ref.
|
|
|
|
ifconfig: T2057: fix multiple issues with initial patch
|
|
|
|
Error introduced in commit b38dcaf ("ifconfig: T2057: generic interface option
setting").
File "/usr/lib/python3/dist-packages/vyos/ifconfig.py", line 146, in _get_sysfs
filename = self._sysfs_get[name]['location'].format(config)
KeyError: 'ifname'
|
|
Fixes error when creating bridge interfaces:
ValueError: <module 'time' (built-in)> must be a number
|
|
ifconfig: T2057: generic interface option setting
|
|
this patch allows to get or change many interface options (mtu, arp settings, ...)
using get_interface / set_interface functions
|
|
os.environ['VYOS_TAGNODE_VALUE']
This has been only a theoretical problem but then the error condition was
triggered - only an error has been printed instead of raising an Exception.
|
|
dhcp-server: T2092: add default route to rfc3442-static-route option
|
|
ifconfig: T2074: add check for sysfs files
|
|
|
|
|
|
dhcp-server: T2062: Fix static route bytes
|
|
|
|
|
|
Do not query RADIUS servers when commit is running started from a non RADIUS
user (localuser, root). This should reduce the overall system boot time.
|
|
|
|
|
|
|
|
ifconfig: T2082: fix checking of argument passed
|
|
|
|
ifconfig: T2057: generalised Interface configuration
|
|
Encrypt and authenticate all control channel packets with the key from keyfile.
Encrypting (and authenticating) control channel packets:
* provides more privacy by hiding the certificate used for the TLS connection
* makes it harder to identify OpenVPN traffic as such
* provides "poor-man's" post-quantum security, against attackers who will
never know the pre-shared key (i.e. no forward secrecy)
|
|
We should not rely on the home dir value stored in user['home_dir'] as if a
crazy user will choose username root or any other system user this will fail.
Should be deny using root at all?
|