Age | Commit message (Collapse) | Author |
|
By default SSTP bind port '443' and this port can be used by
another service like 'service https' or 'vpn openconnect'
Check if port bound to another service
|
|
Change openconnect port as both ocserv and sstp bind
by default the same port 443
|
|
firewall: T4622: Add TCP MSS option
|
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Reuslts in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
|
|
nat66: T4626: Rewrite op-mode show nat66 rules
|
|
opennhrp: T1070: Fixed removal all SAs in script
|
|
|
|
|
|
|
|
support monitoring
* all
* l2tp
* sstp
* pptp
|
|
|
|
BGP: T4634: Allow configuration of disable-connected-check
|
|
keepalived: T4526: keepalived-fifo.py unable to load config
|
|
https: T4597: Verify bind port before apply HTTPS API service
|
|
conntrack: T4623: Add conntrack statistics for op-mode
|
|
Policy: T4641: allow only ipv4 prefixes on prefix-list
|
|
|
|
Rewrite op-mode "show nat66 source|destination rules" to the
new format
use "show_rules --direction <direction> --family <inet|inet6>"
Delete old script show_nat66_rules.py
|
|
Fixed removal all dmvpn SAs. Changed vici terminate by child-sa
name on terminate by ike-id
|
|
|
|
|
|
If Nginx address/port is already binded to another service
(for exampmle openconnect default port 443)
https api cannot start and we don't see any error in the output.
Add this check before applying service/commit
|
|
keepalived-fifo.py cannot load the VyOS config because the
script is started before the commit is completely finished.
This change makes sure the script waits for the commit
to be completed. It retries every 0.5 seconds. If the commit
is still not completed it will continue as did the original
implementation.
|
|
|
|
|
|
The VLAN aware bridge was forwarding traffic between member ports, but traffic
destined torwards the CPU was dropped. This resulted in a gateway not reachable
or DHCP leases that could not be handed out.
Tested via:
VyOS
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '10'
set interfaces bridge br0 member interface eth1 allowed-vlan '20'
set interfaces bridge br0 member interface eth1 allowed-vlan '30'
set interfaces bridge br0 member interface eth1 allowed-vlan '40'
set interfaces bridge br0 member interface eth1 native-vlan '40'
set interfaces bridge br0 member interface eth2 allowed-vlan '30'
set interfaces bridge br0 member interface eth2 allowed-vlan '20'
set interfaces bridge br0 member interface eth2 allowed-vlan '10'
set interfaces bridge br0 member interface eth2 allowed-vlan '40'
set interfaces bridge br0 vif 10 address '10.0.10.1/24'
set interfaces bridge br0 vif 20 address '10.0.20.1/24'
set interfaces bridge br0 vif 30 address '10.0.30.1/24'
set interfaces bridge br0 vif 40 address '10.0.40.1/24'
Arista vEOS
vlan 10,20,30,40
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
interface Vlan10
ip address 10.0.10.2/24
interface Vlan20
ip address 10.0.20.2/24
interface Vlan30
ip address 10.0.30.2/24
interface Vlan40
ip address 10.0.40.2/24
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
spanning-tree portfast
Cisco vIOS
interface GigabitEthernet0/0
ip address 10.0.40.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.10.3 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.20.3 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.30.3 255.255.255.0
!
|
|
|
|
Ability to configure src/dst/translation port and protocol for
SNAT and DNAT IPv6
|
|
ocserv: T4597: Fix check bounded port by service itself
|
|
We check listen port before commit service if is port available and
not bounded, but when we start openconnect our own port starts be
bounded by "ocserv-main" process and next commit will be fail as
port is already bound
To fix it, extend check if port already bonded and it is not our
self process "ocserv-main"
|
|
UPnP: T4211: T4620 Fix upnp template
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
|
|
From the doc miniupnpd
IP/mask format must be nnn.nnn.nnn.nnn/nn
Comment out invalid option "anchor"
|
|
Ability to drop|accept packets based on TCP MSS size
set firewall name <tag> rule <tag> tcp mss '501-1460'
|
|
upnp: T4613: Verify listen key in dictionary
|
|
T4619: Replacing instead of adding a static arp entry
|
|
|
|
There is no check if 'listen' is exist in the dictionary, fix it
Fix odd ValueHelp format
|
|
|
|
ocserv: T4596: Rewrite show openconnect sessions op-mode
|
|
|
|
dhcp-relay: T4601: restart dhcp relay-agent
|
|
The command "restart dhcp relay-agent" doesn't restart "isc-dhcp-relay" service.
|
|
set vpn openconnect network-settings split-dns <domain>
|
|
|
|
|
|
container: T4609: Fix restart container
|
|
Add 2 dashes for arg "name"
|
|
dmvpn: T4595: Fix dpd profile options
|
|
l2tp: T4603: Add RADIUS nas-ip-address option
|