Age | Commit message (Collapse) | Author |
|
regular firewall ruleset.
|
|
T6687: add fqdn support to nat rules.
|
|
Recent ethtool 6.10 supports JSON output for the base driver features. Remove
our old text based processing code and use the machine readable output of
ethtool.
|
|
|
|
Commit 0ee8d5e35 ("ethernet: T6709: move EAPoL support to common framework")
added support to also have EAPoL on other interface types then ethernet. This
introduced a regression where the wireless interface wpa_supplicant configuration
would get deleted.
|
|
T861: op-mode: initial parts for UEFI secure boot CLI
|
|
vyos@vyos:~$ show ver
...
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Secure Boot: enabled
...
|
|
|
|
Instead of having EAPoL (Extensible Authentication Protocol over Local Area
Network) support only available for ethernet interfaces, move this to common
ground at vyos.ifconfig.interface making it available for all sorts of
interfaces by simply including the XML portion
#include <include/interface/eapol.xml.i>
|
|
|
|
openfabric: T6652: Add support for OpenFabric protocol
|
|
|
|
T6679: add group option for nat66
|
|
|
|
OpenFabric is a routing protocol providing link-state routing with efficient flooding for topologies like spine-leaf networks.
FRR implements OpenFabric in a daemon called fabricd
|
|
|
|
T6647: firewall. Introduce patch for accepting invalid ARP and DHCP
|
|
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
|
|
|
|
|
|
|
|
T5743: HTTPS API ability to import PKI certificates
|
|
|
|
|
|
op_mode: T6651: Add a top level op mode word "execute"
|
|
T6646: conntrack: in ignore rules, if protocols=all, do not append it to the rule
|
|
xml: T6650: add initial op-mode cache support
|
|
rule
|
|
|
|
|
|
|
|
The function verify_interface_exists requires a reference to the ambient
config_dict rather than creating an instance. As access is required to
the 'interfaces' path, provide as attribute of class ConfigDict, so as
not to confuse path searches of script-specific config_dict instances.
|
|
|
|
|
|
|
|
The CStore in_session check is a false positive outside of a config
session if a specific environment variable is set with an existing
referent in unionfs. To allow extensions when running under configd and
avoid confusion, enforce in_session returns False.
|
|
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
|
|
new chains, priorities, and firewall groups
|
|
T5873: ipsec remote access VPN: support VTI interfaces.
|
|
system: op-mode: T3334: allow delayed getty restart when configuring serial ports
|
|
Make it more obvious for the user aber the severity of his action.
|
|
ports
* Created op-mode command "restart serial console"
* Relocated service control to vyos.utils.serial helpers, used by conf- and
op-mode serial console handling
* Checking for logged-in serial sessions that may be affected by getty reconfig
* Warning the user when changes are committed and serial sessions are active,
otherwise restart services as normal. No prompts issued during commit,
all config gen/commit steps still occur except for the service restarts
(everything remains consistent)
* To apply committed changes, user will need to run "restart serial console"
to complete the process or reboot the whole router
* Added additional flags and target filtering for generic use of helpers.
|
|
Commit 452068ce78 ("interfaces: T6592: moving an interface between VRF instances
failed") added a similar but more detailed implementation of get_vrf_table_id()
that was added in commit adeac78ed of this PR. Move to the common available
implementation.
|
|
* PBR can only target table IDs up to 200 and the previous PR to extend the
range was rejected
* PBR with this PR can now also target VRFs directly by name, working around
targeting problems for VRF table IDs outside the overlapping 100-200 range
* Validation ensures rules can't target both a table ID and a VRF name
(internally they are handled the same)
* Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name
to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone().
It does not replace that usage, as it deliberately does not handle non-VRF
interface lookups (would fail with a KeyError).
* Added route table ID lookup dict, global route table and VRF table defs
to vyos.defaults. Table ID references have been updated in code touched
by this PR.
* Added a simple smoketest to validate 'set vrf' usage in PBR rules
|
|
and return an empty list in that case
(handy for migration scripts and the like)
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
Strongswan does not initiate session after termination via vici.
Added an CHILD SAs initialization on the initiator side
of the tunnel.
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
|
|
|