summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-10-11Merge pull request #1583 from sever-sever/T4680-eqChristian Poessinger
monitoring: T4680: Bracketize prometheus listen-address
2022-10-11monitoring: T4680: Bracketize prometheus listen-addressViacheslav Hletenko
Fix correct format for prometheus listen-address when we use IPv6 address, we must use square 'brackets' http://[2001:db8::11e]:9273
2022-10-11conntrack-sync: T4730: Fix listen-address jinja2 templateViacheslav Hletenko
Listen address has option 'multi' As result we have an incorrect template value for listen-address - conntrack-sync listen-address '192.0.2.11' in template It looks like "IPv4_address ['192.0.2.11']" in the conntrackd.conf but the correct string expected without brackets Fix it
2022-10-10ddclient: T4743: Add option for IPv6 Dynamic DNSViacheslav Hletenko
Allow to set IPv6 address for Dynamic DNS set service dns dynamic interface eth2 ipv6-enable
2022-10-03Merge pull request #1548 from c-po/t4702-equuleus-wireguardChristian Poessinger
wireguard: T4702: actively revoke peer if it gets disabled
2022-10-03Merge pull request #1520 from c-po/t4652-equuleus-pdns-47Christian Poessinger
smoketest: T4652: upgrade PowerDNS recursor to 4.7 series
2022-10-03Merge pull request #1556 from c-po/equules-t3171Daniil Baturin
ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queues
2022-09-26firewall: T4709: adjust TCP MSS clamping ranges and optionsinitramfs
This commit fixes MSS clamping ranges as well as reintroduces the clamp-mss-to-pmtu option value to clamp to PMTU instead.
2022-09-24ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queuesChristian Poessinger
The initial implementation in commit 9fb9e5cade ("ethernet: T3171: add CLI option to enable RPS (Receive Packet Steering)" only changed the CPU affinity for RX queue 0. This commit takes all RX queues into account. (cherry picked from commit 13645bc2cfd31f1525078469f23e89491987e0ea)
2022-09-20policy: local-route(6): set priority propertyHenning Surmeier
Co-authored-by: initramfs <initramfs@initramfs.io>
2022-09-20local-route6: use ipv6 value help for sourceHenning Surmeier
2022-09-17wireguard: T4702: actively revoke peer if it gets disabledChristian Poessinger
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep beeing alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly. (cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
2022-09-15Merge pull request #1519 from c-po/t4630-equuleus-peth-macsecDaniil Baturin
T4630: disallow same source-interface for macsec and pseudo-ethernet
2022-09-15Merge pull request #1539 from sever-sever/T4679-eqDaniil Baturin
openvpn: T4679: Fix incorrect verify local and remote address 1.3
2022-09-14openvpn: T4679: Fix incorrect verify local and remote addressViacheslav Hletenko
In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists For example: set interfaces openvpn vtun2 local-address 2001:db8::1 set interfaces openvpn vtun2 remote-address 2001:db8::2 Check in the commit (v4loAddr == v4remAddr) <= both empty lists commit DEBUG: [] == [] or ['2001:db8::2'] == [] So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-05smoketest: T4652: upgrade PowerDNS recursor to 4.7 seriesChristian Poessinger
(cherry picked from commit f3420a967ad5597c57093b5279a844dca4c516c0)
2022-09-04T4630: can not use same source-interface for macsec and pseudo-ethernetChristian Poessinger
A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface. set interfaces macsec macsec10 address '192.168.2.1/30' set interfaces macsec macsec10 security cipher 'gcm-aes-256' set interfaces macsec macsec10 security encrypt set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4' set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6' set interfaces macsec macsec10 source-interface 'eth1' commit set interfaces pseudo-ethernet peth0 source-interface eth1 commit Reuslts in FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private returned: exit code: 2 noteworthy: cmd 'ip link add peth0 link eth1 type macvlan mode private' returned (out): returned (err): RTNETLINK answers: Device or resource busy [[interfaces pseudo-ethernet peth0]] failed Commit failed (cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
2022-09-04Merge pull request #1518 from initramfs/equuleus-fix-bond-members1.3.2Christian Poessinger
backport: bonding: T4668: Fix bond members not adding/interface state incorrect
2022-09-04Merge pull request #1498 from initramfs/fix-v6-default-routeChristian Poessinger
pppoe: T4648: fix incorrect installation of IPv6 default route even when default-route is set to none
2022-09-02bonding: T4668: fix live bonding member add or removeinitramfs
Fixes several bugs around bonding member interface states not matching the committed configuration, including: - Disabled removed interfaces coming back up - Newly added disabled interfaces not staying down - Newly added interfaces not showing up in the bond
2022-09-02bonding: T4668: refactor configuration mode interface bonding scriptinitramfs
Refactor interfaces-bonding.py to simplify existing code and to remove potentially bugprone sections in preparation for member add/remove fixes for T4668.
2022-08-29Merge pull request #1507 from c-po/t4653-offloading-equuleusChristian Poessinger
ethernet: T4653: bugfix copy-paste when processing NIC offloading
2022-08-29ethernet: T4653: bugfix copy-paste when processing NIC offloadingChristian Poessinger
Commit 31169fa8a763e ("vyos.ifconfig: T3619: only set offloading options if supported by NIC") added the new implementation which handles NIC offloading. Unfortunately every single implementation was copied from "gro" which resulted in a change to gro for each offloading option - thus options like lro, sg, tso had no effect at all. It all comes down to copy/paste errors ... one way or another. (cherry picked from commit b01f27b3bb3f4cbc6096011856d83009d0440313)
2022-08-29Merge pull request #1504 from sever-sever/T4654-eqDaniil Baturin
rpki: T4654: Fix RPKI cache description (1.3)
2022-08-29rpki: T4654: Fix RPKI cache descriptionViacheslav Hletenko
Fix wrong descriptions for the RPKI server It was mentioned about the NTP server
2022-08-27pppoe: T4648: stop default route from being installed under IPv6initramfs
Adds a sysctl parameter to ignore the default router obtained from router advertisements when pppoe default-route is set to 'none'.
2022-08-25Merge pull request #1494 from c-po/equuleus-proxy-t4642Christian Poessinger
proxy: T4642: bugfix regex, add hyphen to allow list
2022-08-25proxy: T4642: allow https proxy transportsChristian Poessinger
(cherry picked from commit 73be77ec42d06a369974bfb1255839164f73c276)
2022-08-24proxy: T4642: bugfix regex, add hyphen to allow listChristian Poessinger
(cherry picked from commit bfa13e367d0b77105ba350a34da8212859f07f59)
2022-08-22Merge pull request #1479 from c-po/macsec-t4538-equuleusDaniil Baturin
ethernet: T4538: fix wrong systemd unit used for EAPoL (equuleus)
2022-08-22Merge pull request #1484 from c-po/bridge-fixesChristian Poessinger
bridge: T4632: vlan aware bridge lacks CPU forwarding
2022-08-22bridge: T4632: vlan aware bridge lacks CPU forwardingChristian Poessinger
The VLAN aware bridge was forwarding traffic between member ports, but traffic destined torwards the CPU was dropped. This resulted in a gateway not reachable or DHCP leases that could not be handed out. Tested via: VyOS set interfaces bridge br0 enable-vlan set interfaces bridge br0 member interface eth1 allowed-vlan '10' set interfaces bridge br0 member interface eth1 allowed-vlan '20' set interfaces bridge br0 member interface eth1 allowed-vlan '30' set interfaces bridge br0 member interface eth1 allowed-vlan '40' set interfaces bridge br0 member interface eth1 native-vlan '40' set interfaces bridge br0 member interface eth2 allowed-vlan '30' set interfaces bridge br0 member interface eth2 allowed-vlan '20' set interfaces bridge br0 member interface eth2 allowed-vlan '10' set interfaces bridge br0 member interface eth2 allowed-vlan '40' set interfaces bridge br0 vif 10 address '10.0.10.1/24' set interfaces bridge br0 vif 20 address '10.0.20.1/24' set interfaces bridge br0 vif 30 address '10.0.30.1/24' set interfaces bridge br0 vif 40 address '10.0.40.1/24' Arista vEOS vlan 10,20,30,40 interface Ethernet1 switchport trunk allowed vlan 10,20,30,40 interface Vlan10 ip address 10.0.10.2/24 interface Vlan20 ip address 10.0.20.2/24 interface Vlan30 ip address 10.0.30.2/24 interface Vlan40 ip address 10.0.40.2/24 interface Ethernet1 switchport trunk allowed vlan 10,20,30,40 switchport mode trunk spanning-tree portfast Cisco vIOS interface GigabitEthernet0/0 ip address 10.0.40.3 255.255.255.0 duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ip address 10.0.10.3 255.255.255.0 ! interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip address 10.0.20.3 255.255.255.0 ! interface GigabitEthernet0/0.30 encapsulation dot1Q 30 ip address 10.0.30.3 255.255.255.0 ! (cherry picked from commit f60d0e1ce029925b843f635b36154c90049b9577)
2022-08-22Merge pull request #1480 from c-po/t4629-equuleusDaniil Baturin
T4629: Raised ConfigErrors contain dict instead of only the dict key (equuleus)
2022-08-19vyos.config.configdict: T4592: T4629: only print interface name, not ↵Christian Poessinger
interface dict on error (cherry picked from commit 475fbb785dca76868715827833dc44115635c4a6)
2022-08-19ethernet: T4538: fix wrong systemd unit used for EAPoLChristian Poessinger
When MACsec was bound to an ethernet interface and the underlaying source-interface got changed (even description only) this terminated the MACsec session running on top of it. The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed lead to the fact that wpa_supplicant was always stopped when anything happened on the underlaying source-interface that was not related to EAPoL. (cherry picked from commit f92a23ef9ab8be59681e5b7ba627e399d89bce53)
2022-08-18Merge pull request #1470 from c-po/openconnect-T4614Daniil Baturin
ocserv: openconnect: T4614: add support for split-dns (equuleus)
2022-08-16Merge pull request #1473 from dmbaturin/T4039-equViacheslav Hletenko
syslog: T4039: Add protocol23format logging for UDP
2022-08-16syslog: T4039: Add protocol23format logging for UDPViacheslav
Add protocol23format for rsyslog protocol UDP Add ability to use IPv6 addresses (bracketize_ipv6) for protocol TCP and UDP, when protocol is configured explicity
2022-08-16Merge pull request #1472 from c-po/debian-t4584-equuleusDaniil Baturin
Debian: T4584: remove version number from hostap package requirement
2022-08-16Debian: T4584: remove version number from hostap package requirementChristian Poessinger
(cherry picked from commit 681bdf2946d1d10f3b432f70452a8d018b7a98ae)
2022-08-15openconnect: T4616: bugfix KeyError: 'local_users'Christian Poessinger
To reproduce: set vpn openconnect authentication mode local commit Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 147, in <module> verify(c) File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 64, in verify if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]: KeyError: 'local_users'
2022-08-15ocserv: openconnect: T4614: add support for split-dnsChristian Poessinger
set vpn openconnect network-settings split-dns <domain> (cherry picked from commit e41685a2f56cca0a53b4f8c084f61a85cf561c80)
2022-08-15smoketest: ocserv: implement config file validationChristian Poessinger
(cherry picked from commit bd102eac6d0c97a5f75324d1248814ebdad42da5)
2022-08-15Merge pull request #1469 from c-po/macsec-equuleusChristian Poessinger
MACsec: T4537: fix AES-GCM-256 support
2022-08-15macsec: T4537: macsec_csindex can be set even without encryptionChristian Poessinger
(cherry picked from commit 0943ac00412b0049b7a20a54e27e7b8025726598)
2022-08-15smoketest: macsec: T4537: validate macsec_csindex for both AES-GCM-128 and ↵Christian Poessinger
AES-GCM-256 (cherry picked from commit e19889adf8cef101d85a279055271a68b078ec73)
2022-08-15macsec: T4592: can not create two interfaces using the same source-interfaceChristian Poessinger
(cherry picked from commit 993961f60ead2a18912eb577b1152463d4eb8b4e)
2022-08-15smoketest: macsec: T4537: verify macsec_csindexChristian Poessinger
(cherry picked from commit 17e76dc77801ac58b2587f664c884c0d671a55c0)
2022-08-15macsec: T4537: add missing macsec_csindex option to support GCM-AES-256Christian Poessinger
(cherry picked from commit 258e6873b60531fe70d868d2e53ce2f921fe7f13)
2022-08-15macsec: T4537: remove debug falg "-d" from systemd service fileChristian Poessinger
(cherry picked from commit fa25d349aebc86e43957f37db765787fb7e431db)