summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-09-10T3655: Fix NAT problem with VRFYuxiang Zhu
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/ adds direction support for conntrack zones, which makes it possible to do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host. According to the description of the kernel patch: > ... overlapping tuples can be made unique with the zone identifier in original direction, where the NAT engine will then allocate a unique tuple in the commonly shared default zone for the reply direction. I did some basic tests in my lab and it worked fine to forward packets from eth0 to pppoe0. - eth0 192.168.1.1/24 in VRF red - pppoe0 dynamic public IP from ISP VRF default - set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default' - set protocols static route 192.168.1.0/24 interface eth0 vrf 'red' `conntrack -L` shows something like: ``` tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1 ``` It would be much appreciated if someone could test this with more complex VRF setup.
2023-09-09Merge pull request #2229 from c-po/sagittaViacheslav Hletenko
container: T5563 Fix environment replaced by label
2023-09-09container: T5563 Fix environment replaced by labelCyrus
(cherry picked from commit 79a46675b031a4edc0ea925a45066077c0804b9b)
2023-09-09vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridgesChristian Breunig
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI is configured against a container VXLAN interface which is referred to as a 'Single VXLAN device (SVD)'. Multiple VLAN to VNI mappings can be configured against the same SVD. This allows for a significant scaling of the number of VNIs since a separate VXLAN interface is no longer required for each VNI. Sample configuration of SVD with VLAN to VNI mappings is shown below. set interfaces bridge br0 member interface vxlan0 set interfaces vxlan vxlan0 external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031' (cherry picked from commit 7f6624f5a6f8bd1749b54103ea5ec9f010adf778)
2023-09-08Merge pull request #2224 from sever-sever/T5489-sagViacheslav Hletenko
T5489: Add sysctl TCP congestion control by default to BBR
2023-09-08Merge pull request #2226 from sever-sever/T5423-sagViacheslav Hletenko
T5423: Fix for op-mode show vpn ike secrets
2023-09-08Merge pull request #2227 from sever-sever/T5554-sagViacheslav Hletenko
T5554: Disable sudo for PAM RADIUS
2023-09-08T5554: Disable sudo for PAM RADIUSViacheslav Hletenko
Disable sudo for PAM RADIUS template that slows down the CLI commands To fix it add: session [default=ignore success=2] pam_succeed_if.so service = sudo (cherry picked from commit 01b30eb6d83cdb2ae43b956d29ac7ac1d4445776)
2023-09-08T5423: Fix for op-mode show vpn ike secretsViacheslav Hletenko
We don't use ipsec.secrets anymore Fix op-mode for "show vpn ike secrets". Ability to get "RAW" format (cherry picked from commit 97326920e2907bdb545853887dc54c6a02b76f28)
2023-09-08T5489: Add sysctl TCP congestion control by default to BBRViacheslav Hletenko
Add by default sysctl TCP congestion control to BBR. Default value `cubic` is not optimal. net.core.default_qdisc=fq net.ipv4.tcp_congestion_control=bbr (cherry picked from commit b99ed37dd1cff3310437ff8ccf1a27cd20714c41)
2023-09-08Merge pull request #2207 from jestabro/T5551-sagittaChristian Breunig
save-config: T5551: check if None before write, as is the case at boot
2023-09-07Merge pull request #2218 from sarthurdev/T5555_sagittaChristian Breunig
system: T5555: Fix time-zone migrator changing valid time-zones to UTC
2023-09-07system: T5555: Fix time-zone migrator changing valid time-zones to UTCsarthurdev
2023-09-05Merge pull request #2210 from sever-sever/T5548-sagViacheslav Hletenko
T5548: Fix load-balancing reverse-proxy timeouts
2023-09-05Merge pull request #2209 from sever-sever/T2958-sagViacheslav Hletenko
T2958: Refactor DHCP-server systemd unit and lease
2023-09-05T5548: Fix load-balancing reverse-proxy timeoutsViacheslav Hletenko
By default haproxy uses timeouts in millisecond but we set timeouts in seconds from CLI Fix template to use 'seconds' units (cherry picked from commit 257019520c49c20824b7e5cad01d2d29ef5f62e6)
2023-09-05T2958: Refactor DHCP-server systemd unit and leaseViacheslav Hletenko
Render isc-dhcp-server systemd unit from configuration
2023-09-05save-config: T5551: check if None before write, as is the case at bootJohn Estabrook
(cherry picked from commit 3fe5482a29042c92298d3e69d90c0c38404d2fcc)
2023-09-04Merge pull request #2192 from sever-sever/T5533vyos/1.5dev0zdc
T5533: Fix VRRP IPv6 group enters in FAULT state
2023-09-04T5533: Fix VRRP IPv6 group enters in FAULT stateViacheslav Hletenko
Checks if an IPv6 address on a specific network interface is in the tentative state. IPv6 tentative addresses are not fully configured and are undergoing Duplicate Address Detection (DAD) to ensure they are unique on the network. inet6 2001:db8::3/125 scope global tentative It tentative state the group enters in FAULT state. Fix it
2023-09-04Merge pull request #2197 from anthr76/cap-sys-moduleChristian Breunig
feat(T5544): Allow CAP_SYS_MODULE to be set on containers
2023-09-03fix: sys-module auto-tab completionAnthony Rabbito
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2023-09-03feat(T5544): Allow CAP_SYS_MODULE to be set on containersAnthony Rabbito
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2023-09-03T5543: IGMP: fix source address handling in static joinsYuxiang Zhu
The following command expects to join source-specific multicast group 239.1.2.3 on interface eth0, where the source address is 192.0.2.1. set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1 This command should generate FRR config: interface eth0 ip igmp ip igmp join 239.1.2.3 192.0.2.1 exit However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]` is mostly evaluated as `false` because `iface` is a loop variable from another loop.
2023-09-03ipoe: T5542: fix Jinja2 template and add missing dhcp relay configNiklas Polte
2023-09-03wireless: T5540: fix smoketests after adjusting VHT channel widthChristian Breunig
Commit 6896aabb6 ("wireless: T5540: fix VHT capability settings for 802.11ac" changed how the VHT channel-sidth is configured in hostapd - but smoketests did not get adjusted.
2023-09-03wireless: T5540: use elif in Jinja2 template for VHT channel widthChristian Breunig
2023-09-02wireless: T5540: fix VHT capability settings for 802.11acalainlamar
2023-09-01container: T4353: capitalize ascii -> ASCIIChristian Breunig
2023-09-01Merge pull request #2193 from sever-sever/T5536Christian Breunig
T5536: Fix show dhcp client leases
2023-09-01T2546: re-add "monitor command" op-mode command with a new "diff" option as wellChristian Breunig
2023-09-01T5536: Fix show dhcp client leasesViacheslav Hletenko
Fix helpers was moved to vyos.utils package Fix empty new address from the lease file causes OSError: illegal IP address string passed to inet_pton
2023-08-31Merge pull request #2189 from sever-sever/T5531Christian Breunig
T5531: Containers add label option
2023-08-31Merge pull request #2190 from sarthurdev/T4782Christian Breunig
eapol: T4782: Support multiple CA chains
2023-08-31T5531: Containers add label optionViacheslav Hletenko
Ability to set labels for container set container name c1 allow-host-networks set container name c1 image 'busybox' set container name c1 label mypods value 'My label for containers'
2023-08-31eapol: T4782: Support multiple CA chainssarthurdev
2023-08-30Merge pull request #2186 from nicolas-fort/T5496Christian Breunig
T5496: firewall: fix op-mode command show firewall
2023-08-29T5496: firewall op-mode: add fix for source and destination when not ↵Nicolas Fort
specified (correct ::/0 for ipv6). Also, add columns for inbound and outbound interfaces
2023-08-29T5496: firewall op-mode: add fix for firewall statics. Include groups ↵Nicolas Fort
correct reference in source/destination column
2023-08-29Debian: T5521: remove unused tacacs UNIX groupChristian Breunig
2023-08-29T5496: firewall op-mode: fix show command for group member and referencesNicolas Fort
2023-08-29Debian: T5521: use bash over dash for postinstall scriptChristian Breunig
2023-08-28Debian: T5521: use --no-create-home for TACACS usersChristian Breunig
2023-08-28Debian: T5521: place AAA users in users group (besides aaa group)Christian Breunig
2023-08-28Debian: T5521: both RADIUS and TACACS users belong to aaa group, add group firstChristian Breunig
2023-08-28Merge pull request #2180 from vfreex/fix-call-hangsChristian Breunig
T5519: Fix `vyos.utils.process.call` hangs
2023-08-28T5519: Fix `vyos.utils.process.call` hangsYuxiang Zhu
See https://vyos.dev/T5519 for more information.
2023-08-27Merge pull request #2176 from sarthurdev/T5080Christian Breunig
firewall: T5080: Disable conntrack unless required by rules
2023-08-27Merge pull request #2178 from sarthurdev/labelsChristian Breunig
github: Labeler needs to run on `pull_request_target`
2023-08-27github: Labeler needs to run on `pull_request_target`sarthurdev
Ref: https://github.com/actions/labeler#permissions