Age | Commit message (Collapse) | Author |
|
In a service provider network a service provider typically supports multiple
bridge domains with overlapping vlans. One bridge domain per customer. Vlans in
each bridge domain are mapped to globally unique VXLAN VNI ranges assigned to
each customer.
Without the ability of VNI filtering, we can not provide VXLAN tunnels
with multiple tenants all requiring e.g. VLAN 10.
To Test:
set interfaces vxlan vxlan987 parameters external
set interfaces vxlan vxlan987 source-interface eth0
set interfaces vxlan vxlan987 parameters vni-filter
set interfaces vxlan vxlan987 vlan-to-vni 50 vni 10050
set interfaces vxlan vxlan987 vlan-to-vni 51 vni 10051
set interfaces vxlan vxlan987 vlan-to-vni 52 vni 10052
set interfaces vxlan vxlan987 vlan-to-vni 53 vni 10053
set interfaces vxlan vxlan987 vlan-to-vni 54 vni 10054
set interfaces vxlan vxlan987 vlan-to-vni 60 vni 10060
set interfaces vxlan vxlan987 vlan-to-vni 69 vni 10069
set interfaces bridge br0 member interface vxlan987
Add new op-mode command: show bridge vni
Interface VNI
----------- -----------
vxlan987 10050-10054
vxlan987 10060
vxlan987 10069
|
|
Remove stray whitespace in sed script and call Section.interfaces with
vlan=False instead of a custom filter.
This extends commit f19c92f25 ("tunnel: T3894: fix design when building
synthetic MAC addresses")
|
|
Add op-mode "show interfaces summary"
Add MAC, VRF and MTU options:
vyos@r4# run show interfaces summary
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ----------------- ----------------- ------- ----- ----- -------------
dum0 203.0.113.1/32 96:44:ad:c5:a1:a5 default 1500 u/u
eth0 192.168.122.14/24 52:54:00:f1:fd:77 default 1500 u/u WAN
eth1 192.0.2.1/24 52:54:00:04:33:2b foo 1500 u/u LAN-eth1
eth2 - 52:54:00:40:2e:af default 1504 u/u LAN-eth2
eth3 - 52:54:00:09:a4:b4 default 1500 A/D
|
|
pim(6): T5733: add missing FRR related features
|
|
remote: T5726: Disable the progressbar if the shell is noninteractive or the terminal is missing capabilities
|
|
terminal is missing capabilities
|
|
Migrate CLI configuration retrival to common get_config_dict(). In addition
add new functionality to VyOS that is PIM related and already available in FRR.
|
|
mtr: T5658: Add VRF support for mtr (+ op_mode wrapper)
|
|
Reduce amount of duplicated (3 times) code in op-mode scripts for ping,
traceroute and mtr.
|
|
<enable|disable> commands; log and state moved to new syntax.
|
|
Changing the public key of a peer (updating the key material) left the old
WireGuard peer in place, as the key removal command used the new key.
WireGuard only supports peer removal based on the configured public-key, by
deleting the entire interface this is the shortcut instead of parsing out all
peers and removing them one by one.
Peer reconfiguration will always come with a short downtime while the WireGuard
interface is recreated.
|
|
T1797: Delete VPP from vyos-1x as it is implemented in addon
|
|
vxlan: T5668: add CLI knob to enable ARP/ND suppression
|
|
As we have a bunch of options under "paramteres" already and "external" is
clearly one of them it should be migrated under that node as well.
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
|
|
(valid for interfaces and groups) in firewal, nat and nat66.
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i…
|
|
|
|
Add missed option `ceil` for QoS class 'trafficshaper'
|
|
bridge: T5670: add missing constraint on "member interface" node
|
|
T5637: add new rule at the end of base chains for default-actions and log capabilities
|
|
We have had a mix of both string and list arguments to conf.exists(),
stremaline this to only make use of list calls.
|
|
|
|
|
|
remote: T5650: Resize-aware progressbar implementation
|
|
|
|
bonding: T5254: Fixed changing ethernet when it is a bond member
|
|
interface-name|interface-group as in firewall.
|
|
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
|
|
config: T5631: save copy of config in JSON format on commit
|
|
|
|
|
|
If ethernet interface is a bond memeber:
1. Allow for changing only specific parameters which are specified
in EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from bond interface to ethernet
interface which are scpecified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under ethernet interface
but in commit it will be copied from bond interface.
3. All other parameters are denied for changing.
Added migration script. It deletes all denied parameters under
ethernet interface if it is a bond member.
|
|
filter and in policy route.
|
|
|
|
T5217: Add firewall synproxy
|
|
|
|
smoketest: T5607: support getting SCSI device by drive-id
|
|
Add ability to SYNPROXY connections
It is useful to protect against TCP SYN flood attacks and port-scanners
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
|
|
|
|
|
|
|
|
init: T5239: configure system hostname prior to FRR startup
|
|
supports HW flowtable offload
- Add required offload setting for interfaces + flowtable offload (hw-tc-offload)
- Verification of interface support for hardware offloaded flowtables
|
|
`set firewall flowtable <name> interface <ifname>`
`set firewall flowtable <name> offload [software|hardware]`
`set firewall [ipv4|ipv6] forward filter rule N action offload`
`set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
|
|
|
|
T5590: firewall log rule: fix order which rule are processed
|
|
conntrack: T5571: Refactor conntrack using vyos.configdep
|
|
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i`
- Update smoketest to verify TCP flag matching
|
|
should be added at the end of the rule, after all matchers and befora action. Also change 2 lines in policy_route smoketest, which suddenly wasn't working as expected
|