Age | Commit message | Author |
|
Changing the public key of a peer (updating the key material) left the old
WireGuard peer in place, as the key removal command used the new key.
WireGuard only supports peer removal based on the configured public-key.
Deleting the entire interface is the shortcut, instead of parsing out all
peers and removing them one by one.
Peer reconfiguration will always come with a short downtime while the WireGuard
interface is recreated.
(cherry picked from commit 2fc8738bc9c2fb6364a22d86079e8635cee91949)
|
|
firewall, nat and nat66.
(cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
(cherry picked from commit ec9a95502daa88b9632af12524e7cefebf86bab6)
|
|
As we have a bunch of options under "parameters" already and "external" is
clearly one of them, it should be migrated under that node as well.
(cherry picked from commit cc7ba8824a5e9ec818f0bbe7fb85e1713a591527)
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i… (backport #2355)
|
|
T5637: Firewall: add new rule at the end of base chains for default-a…
|
|
interface-name|interface-group as in firewall.
(cherry picked from commit 2f2c3fa22478c7ba2e116486d655e07df878cdf4)
|
|
This enables log capabilities for default-action in base chains.
|
|
(cherry picked from commit 0c046a1f5a020af30c9522011aa5c86524874a47)
|
|
T5299: Add missed option ceiling for QoS shaper (backport #2391)
|
|
Add missed option `ceil` for QoS class 'trafficshaper'
(cherry picked from commit 5218241e6293317f8837b3f7c3893d653d960993)
|
|
If ethernet interface is a bond member:
1. Allow for changing only specific parameters which are specified
in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet
interface which are specified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under ethernet interface
but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.
Added migration script. It deletes all denied parameters under
ethernet interface if it is a bond member.
(cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)
|
|
We have had a mix of both string and list arguments to conf.exists(),
streamline this to only make use of list calls.
(cherry picked from commit 3f17de7c32621353b51f782ca889a83cad7a6cfd)
|
|
(cherry picked from commit eff58d8b8842e0bac9fe123cebf93801a92f05d3)
|
|
(cherry picked from commit 799d24eba18d6710219b7380cbafb954b9eec5ce)
|
|
(cherry picked from commit 27605426a4ad613f45d36e7db5b1664dc3192981)
|
|
(cherry picked from commit aeb0138c9df73b57489eced152f026c0666d1ee5)
|
|
(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001)
|
|
Add support for defining config-mode dependencies in add-on packages.
(cherry picked from commit d9ad551816e34f38280534ad75d267697e4f096f)
|
|
(cherry picked from commit 2d3f3297b575f88662495e14a7c7324ff73b6bfc)
|
|
(cherry picked from commit ede0b5b1a19c37547c19d875743e78b0278628d4)
|
|
(cherry picked from commit 56d3f75de487c1dcfd075cf7b65cb16b6501d0ca)
|
|
address, and not only global ipv6 address. This allows to configure ipv6 link local address on vrrp hello-source-address parameter.
(cherry picked from commit b6ae59354b5d69751cc7ea75e0aa4ac0070afa47)
|
|
config-mgmt: T5353: normalize archive updates and commit log entries
|
|
(cherry picked from commit e46afa2c58eea2d81df84e2630a6f346f1f51c2a)
|
|
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when
working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI
is configured against a container VXLAN interface which is referred to as a
'Single VXLAN device (SVD)'.
Multiple VLAN to VNI mappings can be configured against the same SVD. This
allows for a significant scaling of the number of VNIs since a separate VXLAN
interface is no longer required for each VNI.
Sample configuration of SVD with VLAN to VNI mappings is shown below.
set interfaces bridge br0 member interface vxlan0
set interfaces vxlan vxlan0 external
set interfaces vxlan vxlan0 source-interface 'dum0'
set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030'
set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
(cherry picked from commit 7f6624f5a6f8bd1749b54103ea5ec9f010adf778)
|
|
(cherry picked from commit fd5517b38191f5bb5897912ef62f5a8d1156b7b3)
|
|
The legacy config-mgmt/save-config tools had an abiding bug that would
raise an error if comparing/reading the init archive; this is no longer
an issue.
(cherry picked from commit 52e4b4431ef440f0cffb570ca61c428c78699ee6)
|
|
(cherry picked from commit 730e744931e4ccc1f214d3e5bff0e6a2e589fd50)
|
|
(cherry picked from commit 73e317bee57c03b719019daabd578842d912b761)
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
In tentative state the group enters FAULT state. Fix it.
|
|
eapol: T4782: Support multiple CA chains
|
|
See https://vyos.dev/T5519 for more information.
|
|
T5472: nat redirect: allow redirection without defining redirected port
|
|
Helper functions can and will be re-used in different code places.
|
|
T5450: allow inverted matcher for interface and interface-group
|
|
firewall cli
|
|
T5447: Initial support for MACsec static keys
|
|
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
|
|
Using threaded as CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probing if
the option is set. There is a base test which requires at least one peer
to be configured.
|