Age | Commit message (Collapse) | Author |
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
|
|
Fixed broken logging for "show log nat"
Added the following commands:
show log nat source
show log nat source rule <ruleNum>
show log nat destination nat
show log nat destination nat rule <ruleNum>
show log nat static
show log nat static rule <ruleNum>
|
|
Allow to set multiple CGNAT internal pools
```
set nat cgnat pool internal int-01 range '100.64.0.0/28'
set nat cgnat pool internal int-01 range '100.64.222.11-100.64.222.14'
```
|
|
|
|
T5756: L2TP RADIUS backup and weight settings
|
|
|
|
Remove `service upnp` as it never worked as expected, nft rules do
not integrated and custom patches do not seem like a suitable
solution for now.
Security:
UPnP has been historically associated with security risks due to its automatic
and potentially unauthenticated nature.
UPnP devices might be vulnerable to unauthorized access or exploitation.
|
|
|
|
ethernet: T6306: add support for EVPN MH uplink/core tracking
|
|
When all the underlay links go down the PE no longer has access to the VxLAN
+overlay.
To prevent blackholing of traffic the server/ES links are protodowned on the PE.
A link can be setup for uplink tracking via the following configuration:
set interfaces ethernet eth0 evpn uplink
|
|
Bond: T6303: add system mac address on interfaces bond
|
|
|
|
sstp: T4393: Add support to configure host-name (SNI)
|
|
|
|
|
|
|
|
bgp: T6189: L3VPN connectivity is broken after re-enabling VRF
|
|
When adding and removing VRF instances on the fly it was noticed that the vni
statement under the VRF instance in FRR vanishes. This was caused by a race
condition which was previously designed to fix another bug.
The wierd design of a Python helper below the VRF tree to only generate the
VNI configuration nodes is now gone and all is rendered in the proper place.
|
|
pppoe-server: T6234: PPPoE-server pado-delay refactoring
|
|
Add the ability to configure the API port if the API on the secondary
server works on a non-default port.
The primary node will connect to configured port for config-sync
```
set service config-sync secondary address '192.0.2.11'
set service config-sync secondary port '8443'
```
|
|
This srv recors looks valid:
```
set service dns forwarding authoritative-domain _tcp.db.mongors1.example.com records srv _mongodb entry 0 hostname 'mongors1.example.com'
```
But FQDN validator cannot validate it correctly, use regex to fix
|
|
T6273: Allowed the use of "-" and "_" in PPPoE access-concentrator name
|
|
Allowed the use of "-" and "_" in PPPoE access-concentrator name
|
|
|
|
|
|
Add abiilty to change `base_reachable_time_ms` option
/proc/sys/net/ipv6/neigh/{ifname}/base_reachable_time_ms
|
|
T6226: add HAPROXY tcp-request related block to load-balancing reverse proxy config
|
|
config
|
|
xml: T5738: fix typo in radius-additions.xml.i
|
|
|
|
T6237: IPSec remote access VPN: ability to set EAP ID of clients
|
|
|
|
T6246: improve haproxy http check configuration
|
|
|
|
|
|
|
|
T5722: Failover route add option onlink
|
|
server certificates
|
|
onlink pretend that the nexthop is directly attached to this link,
even if it does not match any interface prefix.
Useful when gateway not in the same interface network
set interfaces ethernet eth0 vif 10 address '10.20.30.1/32'
set protocols static route 10.20.30.0/32 interface eth0.10
set protocols failover route 192.0.2.11/32 next-hop 10.20.30.0 onlink
```
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 metric 1 proto failover
Error: Nexthop has invalid gateway.
[edit]
vyos@r4#
[edit]
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 onlink metric 1 proto failover
[edit]
vyos@r4#
```
|
|
to firewall global-optinos
|
|
qos: T6035: QoS policy shaper queue-type random-detect requires limit avpkt
|
|
Added params for configuration red on the shaper policy
|
|
T5169: Add PoC for generating CGNAT rules rfc6888
|
|
T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i>
|
|
in order to not allow string starting with dot character; use such constraint in firewall group definitions.
|
|
|
|
Add PoC for generating CGNAT rules
https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, but some of them.
Implemented:
REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP
address mapping for all sessions associated with the same internal
IP address, be they TCP, UDP, ICMP, something else, or a mix of
different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size
or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per
subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
|
|
ethernet: T5862: default MTU is not acceptable in some environments
|
|
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
|
|
In order to lower the Ethernet default MTU we need to drop the common
defaultValue from the XML mtu-68-16000.xml.i building block. Per interface
default MTU is later overloaded by XML.
|