summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-08-25sstp: T4644: Check SSTP bind port before commitViacheslav Hletenko
By default SSTP bind port '443' and this port can be used by another service like 'service https' or 'vpn openconnect' Check if port bound to another service
2022-08-25smoketest: T4643: Change openconnect default portViacheslav Hletenko
Change openconnect port as both ocserv and sstp bind by default the same port 443
2022-08-25Merge pull request #1478 from sever-sever/T4622Christian Poessinger
firewall: T4622: Add TCP MSS option
2022-08-24T4630: can not use same source-interface for macsec and pseudo-ethernetChristian Poessinger
A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface. set interfaces macsec macsec10 address '192.168.2.1/30' set interfaces macsec macsec10 security cipher 'gcm-aes-256' set interfaces macsec macsec10 security encrypt set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4' set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6' set interfaces macsec macsec10 source-interface 'eth1' commit set interfaces pseudo-ethernet peth0 source-interface eth1 commit Reuslts in FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private returned: exit code: 2 noteworthy: cmd 'ip link add peth0 link eth1 type macvlan mode private' returned (out): returned (err): RTNETLINK answers: Device or resource busy [[interfaces pseudo-ethernet peth0]] failed Commit failed
2022-08-24Merge pull request #1491 from sever-sever/T4626Christian Poessinger
nat66: T4626: Rewrite op-mode show nat66 rules
2022-08-24Merge pull request #1490 from aapostoliuk/T1070-sagittaChristian Poessinger
opennhrp: T1070: Fixed removal all SAs in script
2022-08-24smoketest: bgp: T4634: validate "disable-connected-check" optionChristian Poessinger
2022-08-24proxy: T4642: bugfix regex, add hyphen to allow listChristian Poessinger
2022-08-24op-mode: T4390: migrate "show log vpn" to journalctlChristian Poessinger
2022-08-24op-mode: extend "monitor log vpn" optionChristian Poessinger
support monitoring * all * l2tp * sstp * pptp
2022-08-24ipsec: T2185: use systemd to start/stop serviceChristian Poessinger
2022-08-24Merge pull request #1483 from roedie/T4634Christian Poessinger
BGP: T4634: Allow configuration of disable-connected-check
2022-08-24Merge pull request #1486 from roedie/T4526-2Christian Poessinger
keepalived: T4526: keepalived-fifo.py unable to load config
2022-08-24Merge pull request #1488 from sever-sever/T4597Christian Poessinger
https: T4597: Verify bind port before apply HTTPS API service
2022-08-24Merge pull request #1489 from sever-sever/T4623Christian Poessinger
conntrack: T4623: Add conntrack statistics for op-mode
2022-08-24Merge pull request #1492 from nicolas-fort/T4641Christian Poessinger
Policy: T4641: allow only ipv4 prefixes on prefix-list
2022-08-24Policy: T4641: allow only ipv4 prefixes on prefix-listNicolas Fort
2022-08-24nat66: T4626: Rewrite op-mode show nat66 rulesViacheslav Hletenko
Rewrite op-mode "show nat66 source|destination rules" to the new format use "show_rules --direction <direction> --family <inet|inet6>" Delete old script show_nat66_rules.py
2022-08-24opennhrp: T1070: Fixed removal all SAs in scriptaapostoliuk
Fixed removal all dmvpn SAs. Changed vici terminate by child-sa name on terminate by ike-id
2022-08-23graphql: T3993: reorganize/rename directory structureJohn Estabrook
2022-08-23conntrack: T4623: Add conntrack statistics for op-modeViacheslav Hletenko
2022-08-23https: T4597: Verify bind port before apply HTTPS API serviceViacheslav Hletenko
If Nginx address/port is already binded to another service (for exampmle openconnect default port 443) https api cannot start and we don't see any error in the output. Add this check before applying service/commit
2022-08-22keepalived: T4526: keepalived-fifo.py unable to load configSander Klein
keepalived-fifo.py cannot load the VyOS config because the script is started before the commit is completely finished. This change makes sure the script waits for the commit to be completed. It retries every 0.5 seconds. If the commit is still not completed it will continue as did the original implementation.
2022-08-22graphql: T4544: fix for directly running on system for testingJohn Estabrook
2022-08-22graphql: T3993: add missing sys.exit()John Estabrook
2022-08-22bridge: T4632: vlan aware bridge lacks CPU forwardingChristian Poessinger
The VLAN aware bridge was forwarding traffic between member ports, but traffic destined torwards the CPU was dropped. This resulted in a gateway not reachable or DHCP leases that could not be handed out. Tested via: VyOS set interfaces bridge br0 enable-vlan set interfaces bridge br0 member interface eth1 allowed-vlan '10' set interfaces bridge br0 member interface eth1 allowed-vlan '20' set interfaces bridge br0 member interface eth1 allowed-vlan '30' set interfaces bridge br0 member interface eth1 allowed-vlan '40' set interfaces bridge br0 member interface eth1 native-vlan '40' set interfaces bridge br0 member interface eth2 allowed-vlan '30' set interfaces bridge br0 member interface eth2 allowed-vlan '20' set interfaces bridge br0 member interface eth2 allowed-vlan '10' set interfaces bridge br0 member interface eth2 allowed-vlan '40' set interfaces bridge br0 vif 10 address '10.0.10.1/24' set interfaces bridge br0 vif 20 address '10.0.20.1/24' set interfaces bridge br0 vif 30 address '10.0.30.1/24' set interfaces bridge br0 vif 40 address '10.0.40.1/24' Arista vEOS vlan 10,20,30,40 interface Ethernet1 switchport trunk allowed vlan 10,20,30,40 interface Vlan10 ip address 10.0.10.2/24 interface Vlan20 ip address 10.0.20.2/24 interface Vlan30 ip address 10.0.30.2/24 interface Vlan40 ip address 10.0.40.2/24 interface Ethernet1 switchport trunk allowed vlan 10,20,30,40 switchport mode trunk spanning-tree portfast Cisco vIOS interface GigabitEthernet0/0 ip address 10.0.40.3 255.255.255.0 duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ip address 10.0.10.3 255.255.255.0 ! interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip address 10.0.20.3 255.255.255.0 ! interface GigabitEthernet0/0.30 encapsulation dot1Q 30 ip address 10.0.30.3 255.255.255.0 !
2022-08-22BGP: T4634: Allow configuration of disable-connected-checkSander Klein
2022-08-20nat66: T4631: Add port and protocol to nat66Viacheslav Hletenko
Ability to configure src/dst/translation port and protocol for SNAT and DNAT IPv6
2022-08-20Merge pull request #1481 from sever-sever/T4597Christian Poessinger
ocserv: T4597: Fix check bounded port by service itself
2022-08-20ocserv: T4597: Fix check bounded port by service itselfViacheslav Hletenko
We check listen port before commit service if is port available and not bounded, but when we start openconnect our own port starts be bounded by "ocserv-main" process and next commit will be fail as port is already bound To fix it, extend check if port already bonded and it is not our self process "ocserv-main"
2022-08-19Merge pull request #1476 from sever-sever/T4620Christian Poessinger
UPnP: T4211: T4620 Fix upnp template
2022-08-19ethernet: T4538: fix wrong systemd unit used for EAPoLChristian Poessinger
When MACsec was bound to an ethernet interface and the underlaying source-interface got changed (even description only) this terminated the MACsec session running on top of it. The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed lead to the fact that wpa_supplicant was always stopped when anything happened on the underlaying source-interface that was not related to EAPoL.
2022-08-19UPnP: T4611: Rule must be as prefix instead of an addressViacheslav Hletenko
From the doc miniupnpd IP/mask format must be nnn.nnn.nnn.nnn/nn Comment out invalid option "anchor"
2022-08-18firewall: T4622: Add TCP MSS optionViacheslav Hletenko
Ability to drop|accept packets based on TCP MSS size set firewall name <tag> rule <tag> tcp mss '501-1460'
2022-08-16Merge pull request #1475 from sever-sever/T4613Christian Poessinger
upnp: T4613: Verify listen key in dictionary
2022-08-16Merge pull request #1474 from DaniilHarun/currentChristian Poessinger
T4619: Replacing instead of adding a static arp entry
2022-08-16UPnP: T4620: Fix Jinja2 template rulesViacheslav Hletenko
2022-08-16upnp: T4613: Verify listen key in dictionaryViacheslav Hletenko
There is no check if 'listen' is exist in the dictionary, fix it Fix odd ValueHelp format
2022-08-16T4619: Replacing instead of adding a static arp entryDaniilHarun
2022-08-16Merge pull request #1462 from sever-sever/T4596Christian Poessinger
ocserv: T4596: Rewrite show openconnect sessions op-mode
2022-08-16Debian: T4584: remove version number from hostap package requirementChristian Poessinger
2022-08-16Merge pull request #1471 from mkorobeinikov/currentChristian Poessinger
dhcp-relay: T4601: restart dhcp relay-agent
2022-08-16dhcp-relay: T4601: restart dhcp relay-agentmkorobeinikov
The command "restart dhcp relay-agent" doesn't restart "isc-dhcp-relay" service.
2022-08-15ocserv: openconnect: T4614: add support for split-dnsChristian Poessinger
set vpn openconnect network-settings split-dns <domain>
2022-08-15smoketest: ocserv: implement config file validationChristian Poessinger
2022-08-15ocserv: T4333: migrate to new vyos_defined Jinja2 testChristian Poessinger
2022-08-15Merge pull request #1468 from sever-sever/T4609Christian Poessinger
container: T4609: Fix restart container
2022-08-15container: T4609: Fix restart containerViacheslav Hletenko
Add 2 dashes for arg "name"
2022-08-15Merge pull request #1465 from sever-sever/T4595Christian Poessinger
dmvpn: T4595: Fix dpd profile options
2022-08-11Merge pull request #1464 from sever-sever/T4603Christian Poessinger
l2tp: T4603: Add RADIUS nas-ip-address option