Age | Commit message (Collapse) | Author |
|
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep beeing alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
|
|
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
vyos@vyos# show firewall
+name foo {
+ rule 1 {
+ action accept
+ packet-length 100
+ packet-length 105
+ packet-length 200-300
+ packet-length 220-250
+ }
+}
will report a nftables error upon load: Error: conflicting intervals specified
With nftables 1.0.3 there is an "auto-merge" option which corrects this:
https://lwn.net/Articles/896732/
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
policy-route: T4697: Add missing rule_id for verify_rule func
|
|
|
|
This will set the listen-host ocserv configuration option.
|
|
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
|
|
There is a missing 'rule_id' in verify_rule() function
We call it from the loop but don't provide argument 'rule_id'
It cause "NameError: name 'rule_id' is not defined"
Fix it
|
|
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
|
|
Add new VyOS CLI command:
set protocols bgp parameters bestpath peer-type multipath-relax
This command specifies that BGP decision process should consider paths from all
peers for multipath computation. If this option is enabled, paths learned from
any of eBGP, iBGP, or confederation neighbors will be multipath if they are
otherwise considered equal cost. [1]
[1]: http://docs.frrouting.org/en/stable-8.3/bgp.html#clicmd-bgp-bestpath-peer-type-multipath-relax
|
|
In addition to verify the queue lengths when CLI option is set, we also need
to verify that all values are resetted back to "0" which is the Kernel default.
|
|
|
|
* 'T4689' of https://github.com/jack9603301/vyos-1x:
rfs: T4689: Support RFS(Receive Flow Steering)
|
|
|
|
|
|
Kernel 5.15.y and newer only support an upper boundary of 255.
vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=255
net.netfilter.nf_conntrack_tcp_max_retrans = 255
vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=256
sysctl: setting key "net.netfilter.nf_conntrack_tcp_max_retrans": Invalid argument
|
|
The old value of 1024 is no longer supported by the most recent Kernel
|
|
support
|
|
keymap: T4695: Add Spain 'es' and Japan 'jp106' keymaps
|
|
Add Spain (es) and Japan (jp106) keymaps
set system option keyboard-layout es|jp106
|
|
openvpn: T4679: Fix incorrect verify local and remote address
|
|
firewall: nat66: policy: T2199: Fix smoketests for nftables updated output
|
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations but "verify()" checks also local and
remote IPv4 addresses that in this case will be empty lists
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty
|
|
|
|
nhrp: T2199: Use separate table in nftables for NHRP rules
|
|
|
|
firewall: zone-policy: T2199: T4605: Refactor firewall, migrate zone-policy
|
|
isis: T4693: Fix ISIS segment routing configurations
|
|
This change is to fix a bug in which ISIS segment routing was broken due to a refactor.
This change also is going to introduce a smoketest to make sure this is caught in the future.
|
|
|
|
|
|
|
|
|
|
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
|
|
This reverts commit 53355271a2864d844daca89a064c21e514e10adb.
|
|
|
|
|
|
T4665: Keepalived: Fix interface names
|
|
rfs: T4689: Support RFS(Receive Flow Steering)
|
|
When applying the same VRID for IPv4 and IPv6 with RFC3768
compatibility enabled, the IPv6 interfaces came back with the
wrong name. For example:
Name Interface VRID State Priority Last Transition
------ ----------- ------ ------- ---------- -----------------
v4-10 eth1v10 10 MASTER 100 21s
v6-10 vrrpv10 10 MASTER 100 21s
Because of this, the IPv6 interface didn't show up in `show int`.
This change suffixes the interface with the IP version so
`show int` works again.
Name Interface VRID State Priority Last Transition
------ ----------- ------ ------- ---------- -----------------
v4-10 eth1v10v4 10 MASTER 100 21s
v6-10 eth1v10v6 10 MASTER 100 21s
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
[....]
eth1v10v4 192.168.10.60/24 u/u
eth1v10v6 2001:ffff::1/64 u/u
[....]
|
|
|
|
policy: T4685: fix non-existent inbound-interface in local-policy(6)
|
|
The local-policy and local-policy6 nodes were missing their priority
property causing an ordering issue between the creation of dynamic
interfaces (like VLAN/Bonding) and referencing said interface in PBR
rules.
Add a priority value to order local-policy(6) to be after all interface
definitions.
|
|
route: T4684: Set execution flag to op-mode route.py
|
|
Set execution flag to route.py op-mode
|
|
system: T4682: standardize op-mode 'show system storage'
|