Age | Commit message (Collapse) | Author |
|
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/
adds direction support for conntrack zones, which makes it possible to
do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host.
According to the description of the kernel patch:
> ... overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
I did some basic tests in my lab and it worked fine to forward packets
from eth0 to pppoe0.
- eth0 192.168.1.1/24 in VRF red
- pppoe0 dynamic public IP from ISP VRF default
- set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default'
- set protocols static route 192.168.1.0/24 interface eth0 vrf 'red'
`conntrack -L` shows something like:
```
tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1
```
It would be much appreciated if someone could test this with more
complex VRF setup.
|
|
container: T5563 Fix environment replaced by label
|
|
(cherry picked from commit 79a46675b031a4edc0ea925a45066077c0804b9b)
|
|
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when
working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI
is configured against a container VXLAN interface which is referred to as a
'Single VXLAN device (SVD)'.
Multiple VLAN to VNI mappings can be configured against the same SVD. This
allows for a significant scaling of the number of VNIs since a separate VXLAN
interface is no longer required for each VNI.
Sample configuration of SVD with VLAN to VNI mappings is shown below.
set interfaces bridge br0 member interface vxlan0
set interfaces vxlan vxlan0 external
set interfaces vxlan vxlan0 source-interface 'dum0'
set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030'
set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
(cherry picked from commit 7f6624f5a6f8bd1749b54103ea5ec9f010adf778)
|
|
T5489: Add sysctl TCP congestion control by default to BBR
|
|
T5423: Fix for op-mode show vpn ike secrets
|
|
T5554: Disable sudo for PAM RADIUS
|
|
Disable sudo for PAM RADIUS template that slows down the CLI commands
To fix it add:
session [default=ignore success=2] pam_succeed_if.so service = sudo
(cherry picked from commit 01b30eb6d83cdb2ae43b956d29ac7ac1d4445776)
|
|
We don't use ipsec.secrets anymore
Fix op-mode for "show vpn ike secrets".
Ability to get "RAW" format
(cherry picked from commit 97326920e2907bdb545853887dc54c6a02b76f28)
|
|
Add by default sysctl TCP congestion control to BBR.
Default value `cubic` is not optimal.
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
(cherry picked from commit b99ed37dd1cff3310437ff8ccf1a27cd20714c41)
|
|
save-config: T5551: check if None before write, as is the case at boot
|
|
system: T5555: Fix time-zone migrator changing valid time-zones to UTC
|
|
|
|
T5548: Fix load-balancing reverse-proxy timeouts
|
|
T2958: Refactor DHCP-server systemd unit and lease
|
|
By default haproxy uses timeouts in millisecond but we set timeouts
in seconds from CLI
Fix template to use 'seconds' units
(cherry picked from commit 257019520c49c20824b7e5cad01d2d29ef5f62e6)
|
|
Render isc-dhcp-server systemd unit from configuration
|
|
(cherry picked from commit 3fe5482a29042c92298d3e69d90c0c38404d2fcc)
|
|
T5533: Fix VRRP IPv6 group enters in FAULT state
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it
|
|
feat(T5544): Allow CAP_SYS_MODULE to be set on containers
|
|
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
|
|
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
|
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
|
|
Commit 6896aabb6 ("wireless: T5540: fix VHT capability settings for 802.11ac"
changed how the VHT channel-sidth is configured in hostapd - but smoketests
did not get adjusted.
|
|
|
|
|
|
|
|
T5536: Fix show dhcp client leases
|
|
|
|
Fix helpers was moved to vyos.utils package
Fix empty new address from the lease file causes
OSError: illegal IP address string passed to inet_pton
|
|
T5531: Containers add label option
|
|
eapol: T4782: Support multiple CA chains
|
|
Ability to set labels for container
set container name c1 allow-host-networks
set container name c1 image 'busybox'
set container name c1 label mypods value 'My label for containers'
|
|
|
|
T5496: firewall: fix op-mode command show firewall
|
|
specified (correct ::/0 for ipv6). Also, add columns for inbound and outbound interfaces
|
|
correct reference in source/destination column
|
|
|
|
|
|
|
|
|
|
|
|
|
|
T5519: Fix `vyos.utils.process.call` hangs
|
|
See https://vyos.dev/T5519 for more information.
|
|
firewall: T5080: Disable conntrack unless required by rules
|
|
github: Labeler needs to run on `pull_request_target`
|
|
Ref: https://github.com/actions/labeler#permissions
|