Age | Commit message | Author |
|
|
firewall: T3560: Add support for MAC address groups
|
|
This chain was missing from the XML/Python rewrite thus all traffic fell through to the `notrack` rule.
|
|
firewall: T4178: T3873: tcp flags syntax refactor, intra-zone-filtering fix
|
|
NTP-server with option "allow-clients address x.x.x.x" should
accept requests only from client addresses which are declared in
the configuration if this option exists
Add "restrict default ignore" to fix it, in the other case it
responds to any address
|
|
Telegraf ethtool input filter expected ethX interfaces and not
other interfaces like vlans/tunnels/dummy
Add "interface_include" option to telegraf template.
|
|
* Migrates all policy route references from `ipv6-route` to `route6`
* Update test config `dialup-router-medium-vpn` to test migration of `ipv6-route` to `route6`
|
|
file for group definitions.
|
|
In order to have a consistent looking CLI we should rename this CLI node.
There is:
* access-list and access-list6 (policy)
* prefix-list and prefix-list6 (policy)
* route and route6 (static routes)
|
|
vrrp: T1972: Ability to set IP address on not vrrp interface
|
|
keepalived: T4150: Fix template option conntrack_sync_group
|
|
Add missed 'holding-time' option for shortcut-target address
|
|
Ability to set virtual_address on a non vrrp-listen interface
Add ability to not track the primary vrrp interface "exclude-vrrp-interface"
Add ability to set tracking (state UP/Down) on desired interfaces
For example eth0 is used for vrrp and we want to track another eth1
interface that does not belong to any vrrp-group
|
|
conntrack_sync_group option is not under the 'vrrp' section but part of the
high-availability dictionary
|
|
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
|
|
zone-policy
|
|
keepalived: T4109: Add high-availability virtual-server
|
|
Add new feature, high-availability virtual-server
Change XML, python and templates
Move vrrp to root node 'high-availability' as all logic is
handled by root node 'high-availability'
|
|
firewall: T4130: Fix firewall state-policy errors
|
|
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
|
|
monitoring: T3872: Add a new feature service monitoring
|
|
* 'firewall' of https://github.com/sarthurdev/vyos-1x:
zone_policy: T3873: Implement intra-zone-filtering
policy: T2199: Migrate policy route op-mode to XML/Python
policy: T2199: Migrate policy route to XML/Python
zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
zone-policy: T2199: Migrate zone-policy to XML/Python
firewall: T2199: Migrate firewall op-mode to XML/Python
firewall: T2199: Migrate firewall to XML/Python
|
|
Add priority for policy based IPSec VPN tunnels
If 2 tunnels have the same pair of local and remote traffic
selectors (prefixes) it allows setting a more preferable install
policy from the required peer
The lowest priority is more preferable
|
|
IPv6 addresses on webproxy/SQUID were not added correctly.
They need to be added in brackets.
Modified squid.conf.tmpl to bracketize the address
|
|
Peer name must not contain dots and colons, otherwise
swanctl can't generate correct configuration for swanctl.conf
This is used in connection names and child SA names
Add filter 'dot_colon_to_dash' which replaces dots and colons
|
|
syslog: T4039: Add protocol23format logging for UDP
|
|
Add protocol23format for rsyslog protocol UDP
Add ability to use IPv6 addresses (bracketize_ipv6) for
protocol TCP and UDP, when protocol is configured explicitly
|
|
Add XML for required 'virtual-server' configuration commands
|
|
* t4097-flow-accounting:
flow-accounting: T4106: support specification of capture packet length
flow-accounting: T4105: drop "sflow agent-address auto"
flow-accounting: T4099: rename "netflow source-ip" to source-address
flow-accounting: T4097: move to get_config_dict()
|
|
sFlow uses the source-address CLI node and netflow uses source-ip; this is just
confusing and should be synced to the common source-address CLI node.
|
|
keepalived: T4081: Fix health-checking when syn-group is used
|
|
If health-check scripts are used in a vrrp group and the vrrp group
is a member of a sync-group, then health-check scripts should be
part of the section "vrrp_sync_group". In the other case the
health-scripts won't work anymore.
|