Commit message
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep being alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
(cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
|
|
T4630: disallow same source-interface for macsec and pseudo-ethernet
|
|
openvpn: T4679: Fix incorrect verify local and remote address 1.3
|
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations, but "verify()" also checks local and
remote IPv4 addresses, which in this case will be empty lists.
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check that v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty.
|
|
(cherry picked from commit f3420a967ad5597c57093b5279a844dca4c516c0)
|
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Results in:
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
(cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
|
|
backport: bonding: T4668: Fix bond members not adding/interface state incorrect
|
|
pppoe: T4648: fix incorrect installation of IPv6 default route even when default-route is set to none
|
|
Fixes several bugs around bonding member interface states not matching
the committed configuration, including:
- Disabled removed interfaces coming back up
- Newly added disabled interfaces not staying down
- Newly added interfaces not showing up in the bond
|
|
Refactor interfaces-bonding.py to simplify existing code and to remove
potentially bug-prone sections in preparation for member add/remove
fixes for T4668.
|
|
ethernet: T4653: bugfix copy-paste when processing NIC offloading
|
|
Commit 31169fa8a763e ("vyos.ifconfig: T3619: only set offloading options if
supported by NIC") added the new implementation which handles NIC offloading.
Unfortunately every single implementation was copied from "gro", which resulted
in a change to gro for each offloading option; thus options like lro, sg and tso
had no effect at all.
It all comes down to copy/paste errors ... one way or another.
(cherry picked from commit b01f27b3bb3f4cbc6096011856d83009d0440313)
|
|
rpki: T4654: Fix RPKI cache description (1.3)
|
|
Fix wrong descriptions for the RPKI server.
They mentioned the NTP server.
|
|
Adds a sysctl parameter to ignore the default router obtained from
router advertisements when pppoe default-route is set to 'none'.
|
|
proxy: T4642: bugfix regex, add hyphen to allow list
|
|
(cherry picked from commit 73be77ec42d06a369974bfb1255839164f73c276)
|
|
(cherry picked from commit bfa13e367d0b77105ba350a34da8212859f07f59)
|
|
ethernet: T4538: fix wrong systemd unit used for EAPoL (equuleus)
|
|
bridge: T4632: vlan aware bridge lacks CPU forwarding
|
|
The VLAN aware bridge was forwarding traffic between member ports, but traffic
destined towards the CPU was dropped. This resulted in the gateway not being
reachable or in DHCP leases that could not be handed out.
Tested via:
VyOS
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '10'
set interfaces bridge br0 member interface eth1 allowed-vlan '20'
set interfaces bridge br0 member interface eth1 allowed-vlan '30'
set interfaces bridge br0 member interface eth1 allowed-vlan '40'
set interfaces bridge br0 member interface eth1 native-vlan '40'
set interfaces bridge br0 member interface eth2 allowed-vlan '30'
set interfaces bridge br0 member interface eth2 allowed-vlan '20'
set interfaces bridge br0 member interface eth2 allowed-vlan '10'
set interfaces bridge br0 member interface eth2 allowed-vlan '40'
set interfaces bridge br0 vif 10 address '10.0.10.1/24'
set interfaces bridge br0 vif 20 address '10.0.20.1/24'
set interfaces bridge br0 vif 30 address '10.0.30.1/24'
set interfaces bridge br0 vif 40 address '10.0.40.1/24'
Arista vEOS
vlan 10,20,30,40
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
interface Vlan10
ip address 10.0.10.2/24
interface Vlan20
ip address 10.0.20.2/24
interface Vlan30
ip address 10.0.30.2/24
interface Vlan40
ip address 10.0.40.2/24
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
spanning-tree portfast
Cisco vIOS
interface GigabitEthernet0/0
ip address 10.0.40.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.10.3 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.20.3 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.30.3 255.255.255.0
!
(cherry picked from commit f60d0e1ce029925b843f635b36154c90049b9577)
|
|
T4629: Raised ConfigErrors contain dict instead of only the dict key (equuleus)
|
|
interface dict on error
(cherry picked from commit 475fbb785dca76868715827833dc44115635c4a6)
|
|
When MACsec was bound to an ethernet interface and the underlying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed led
to the fact that wpa_supplicant was always stopped when anything happened on
the underlying source-interface that was not related to EAPoL.
(cherry picked from commit f92a23ef9ab8be59681e5b7ba627e399d89bce53)
|
|
ocserv: openconnect: T4614: add support for split-dns (equuleus)
|
|
syslog: T4039: Add protocol23format logging for UDP
|
|
Add protocol23format for rsyslog protocol UDP
Add ability to use IPv6 addresses (bracketize_ipv6) for
protocol TCP and UDP, when protocol is configured explicitly
|
|
Debian: T4584: remove version number from hostap package requirement
|
|
(cherry picked from commit 681bdf2946d1d10f3b432f70452a8d018b7a98ae)
|
|
To reproduce:
set vpn openconnect authentication mode local
commit
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 147, in <module>
verify(c)
File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 64, in verify
if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]:
KeyError: 'local_users'
|
|
set vpn openconnect network-settings split-dns <domain>
(cherry picked from commit e41685a2f56cca0a53b4f8c084f61a85cf561c80)
|
|
(cherry picked from commit bd102eac6d0c97a5f75324d1248814ebdad42da5)
|
|
MACsec: T4537: fix AES-GCM-256 support
|
|
(cherry picked from commit 0943ac00412b0049b7a20a54e27e7b8025726598)
|
|
AES-GCM-256
(cherry picked from commit e19889adf8cef101d85a279055271a68b078ec73)
|
|
(cherry picked from commit 993961f60ead2a18912eb577b1152463d4eb8b4e)
|
|
(cherry picked from commit 17e76dc77801ac58b2587f664c884c0d671a55c0)
|
|
(cherry picked from commit 258e6873b60531fe70d868d2e53ce2f921fe7f13)
|
|
(cherry picked from commit fa25d349aebc86e43957f37db765787fb7e431db)
|
|
(cherry picked from commit 5e919d3f91bccaf64878a94756c21766896db132)
|
|
(cherry picked from commit b2ff1407330e383a9fff688376377efc534bcfbc)
|
|
(cherry picked from commit bc70c1f502bc587627b1bd15f6803c6c09d20a66)
|
|
(cherry picked from commit 82d8494d349edd7707c3811a71ca0e9c0648204e)
|
|
(cherry picked from commit 393355f7feaa921eba46b83d4f15ad4a5c37adab)
|
|
Fix missing dict_search import in interfaces-macsec.py
|
|
mtu: T4572: Add DHCP-option MTU to get values from DHCP-server
|
|
bridge: bugfixes for equuleus
|
|
backport: router-advert: T4582: fix preferred cannot equal valid lifetime
|