Age | Commit message (Collapse) | Author |
|
vyos.configtree: T6620: allow list_nodes() to work on non-existent paths
|
|
and return an empty list in that case
(handy for migration scripts and the like)
|
|
T6362: Create conntrack logger daemon
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
firewall: T4694: incomplete node checks in migration script
|
|
This patch on #3616 will only attempt to fix ipsec matches in rules if the
firewall config tree passed to migrate_chain() has rules attached.
|
|
T6349: Fix typo in file name
|
|
|
|
smoketest: T6592: remove unused "import os"
|
|
smoketest: T6614: initial support for op-mode command testing
|
|
smoketest: T5705: use locally connected remote syslog servers
|
|
Strongswan does not initiate session after termination via vici.
Added an CHILD SAs initialization on the initiator side
of the tunnel.
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
As there has been no route to the configured syslog servers, smoketests produced:
rsyslogd: omfwd: socket 8: error 101 sending via udp: Network is unreachable
Rather use some fake syslog servers from 127.0.0.0/8 which are directly
connected and we do not need to look up a route, which will suppress the above
error message.
|
|
|
|
op_mode: T5744: PKI import OpenVPN shared key includess unexpected BEGIN and END
|
|
|
|
|
|
|
|
|
|
iifname/oifname
When any of the following features NAT, NAT66 or Firewall is enabled, for every
VRF on the CLI we install one rule into nftables for conntrack:
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}
This is superfluous.
|
|
|
|
|
|
Debian: T6598: depend on podman version >=4.9.5
|
|
|
|
|
|
|
|
interface: T6592: remove interface from conntrack ct_iface_map on deletion
|
|
vrf: T6602: verify supplied VRF name on all interface types
|
|
deletion
Now that interfaces are deleted from ct_iface_map during deletion it's time to
also add a smoketest ensuring there is no entry in the ct_iface_map once an
interface was deleted from the CLI.
|
|
op_mode: T6593: Release DHCP interface does not work
|
|
op_mode: T6596: pppoe operation command failed
|
|
system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by TuneD
|
|
|
|
|
|
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF
actually exists. If this is not validated, one can pass an invalid VRF to the
system which generates an OSError exception.
To reproduce
set interfaces vxlan vxlan1 vni 1000
set interfaces vxlan vxlan1 remote 1.2.3.4
set interfaces vxlan vxlan1 vrf smoketest
results in
OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt
This commit adds the missing verify_vrf() call to the missing interface types
and an appropriate smoketest for all interfaces supporting VRF assignment.
|
|
We always have had stale interface entries in the ct_iface_map of nftables/
conntrack for any interface that once belonged to a VRF.
This commit will always clean the nftables interface map when the interface
is deleted from the system.
|
|
by TuneD
|
|
T6589: Return a dict when querying information about a single interface
|
|
T6525: Add default dir for ext-scripts without absolute path
|
|
|
|
openvpn: T3834: verify() is not allowed to change anything on the system
|
|
T6594: Add missed pppd_compat module
|
|
vrf: T6592: remove unused import get_interface_config
|
|
interfaces that don't exist
|
|
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.
This commit moves the code path to the appropriate generate() function.
|
|
wireless: T6597: improve hostapd startup and corresponding smoketests
|
|
T6599: ipsec: support disabling rekey of CHILD_SA, converge and fix defaults
|
|
|
|
Also adds support for life_bytes, life_packets, and DPD for
remote-access connections. Changes behavior of remote-access esp-group
lifetime setting to have parity with site-to-site connections.
|