Age | Commit message (Collapse) | Author |
|
T5586: Disable by default SNMP for Keeplived VRRP service
|
|
T5261: Add AWS load-balancing tunnel handler
|
|
T4502: Fix syntax error introduced by #2062
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
|
|
When rebasing https://github.com/vyos/vyos-1x/pull/2062, some additional
lines are mistakenly included.
https://github.com/vyos/vyos-1x/commit/45cfd569119b66abd2f0dfb954042b57921881bd
has removed the extra `}`, but the `{{ group_tmpl.groups(group, True)
}}` line needs to be removed as well.
|
|
ddclient: T5585: Fix file access mode for dynamic dns configuration
|
|
After commit 976f82785 ("T5575: ARP/NDP table-size isnt set properly") the
system bootup process got interrupted as both system-ip.py and system-ipv6.py
tried to talk to FRR which was yet not started.
This has been fixed by using a conditional path to only execute when FRR service
has been enabled. This is safe to do as the initial commit call will has FRR
service running and the path will be executed.
|
|
|
|
After commit 0ccbbca01b ("openvpn: T3214: specify nopool on --server line only
if needed") that removed the net30 option and nopool smoketests needed a fix.
|
|
ddclient.conf file is expected to have permission 600. We need to set
the permission explicitly while creating the file.
|
|
T5579: show log firewall - Fix and extend command
|
|
structure; extend command options so it can be used on every layer ; use journalctl to get the logs
|
|
T4072: Firewall op-mode command: add bridge capabilities
|
|
T5561: nat: inbound|outbound interface should not be mandatory
|
|
T5575: ARP/NDP table-size isnt set properly
|
|
op mode: T5582: Add 'force ntp synchronization'
|
|
|
|
openvpn: T3214: fix server-ipv6 and nopool handling
|
|
T4502: firewall: Add software flow offload using flowtable
|
|
T2044: RPKI doesn't boot properly
|
|
|
|
|
|
|
|
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
T671: do not preserve old tech-support report implementation
|
|
In CLI we can choose authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
|
|
T5576: Add BGP remove-private-as all option
|
|
op-mode: T5581: add "show ip nht" command (IPv4 nexthop tracking table)
|
|
vyos@vyos:~$ show ip nht
172.18.254.202
resolved via ospf
via 172.18.201.254, eth0.201 (vrf default), weight 1
Client list: bgp(fd 28)
|
|
|
|
frr: T5239: fix process startup order
|
|
while configuring dNAT|sNAT rule
|
|
Add the ability to use the option all for remove-private-as.
Remove private ASNs in outbound updates.
all - Apply to all AS numbers
set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all
|
|
We need separated groups for RADIUS and TACACS+ system users because they need
to be used in PAM rules independently.
|
|
Now that the caching fixes are in place, we can update the config to
remove legacy treatment of ipv4 related properties.
|
|
T4309: Conntrack ignore fix to handle interface any
|
|
Interface 'any' not expected in nft rules, it means that option
iifname shouldn't exist at all
set system conntrack ignore ipv4 rule 10 inbound-interface 'any'
table ip raw {
chain VYOS_CT_IGNORE {
iifname "any" counter packets 0 bytes 0 notrack comment "ignore-10"
return
}
}
Fix it
|
|
|
|
- Reuse existing utility functions to check if a boot is ongoing
(boot_configuration_complete())
- Run system_frr.py script to configure FRR daemon before initial launch
- Add safety net to always have FRR running on the system
This does yet not solve the error in T5239 but it's a small step towards
the solution.
|
|
|
|
|
|
|
|
|
|
|
|
vxlan: T3700: Revert change to `vyos.utils.process.cmd`
|
|
|
|
T3655: Fix NAT problem with VRF
|
|
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/
adds direction support for conntrack zones, which makes it possible to
do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host.
According to the description of the kernel patch:
> ... overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
I did some basic tests in my lab and it worked fine to forward packets
from eth0 to pppoe0.
- eth0 192.168.1.1/24 in VRF red
- pppoe0 dynamic public IP from ISP VRF default
- set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default'
- set protocols static route 192.168.1.0/24 interface eth0 vrf 'red'
`conntrack -L` shows something like:
```
tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1
```
It would be much appreciated if someone could test this with more
complex VRF setup.
|
|
|