| Age | Commit message (Collapse) | Author |
|---|
|
Commit 5dafe255d ("policy: T4194: Add prefix-list duplication checks") added
first support for FRR prefix-list duplication checks. FRR does not allow to
specify the same profix list rule multiple times.
vyos(config)# ip prefix-list foo seq 10 permit 192.0.2.0/24
vyos(config)# ip prefix-list foo seq 20 permit 192.0.2.0/24
% Configuration failed.
Error type: validation
Error description: duplicated prefix list value: 192.0.2.0/24
There is a VyOS verify() function which simply probed for the prefix, action,
le and ge settings - but as Python has excellent support when comparing data,
this can be as simple as a dictionary comparison using "==".
|
|
|
|
firewall: T4345: Fix incorrect firewall rule limit rate format
|
|
|
|
|
|
|
|
interface in VRF
|
|
|
|
|
|
In order to test for proper system authentication and security setup a new
testcase is added which performs an SSH login and command execution with a
predefined user. The result (output of uname -a) must match the output if the
command is run natively.
We also try to login as an invalid user - this is not allowed to work.
|
|
This is actually no longer required in FRR 8.2.2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Commit f8b3d8999c ("ipv6: T4319: do not configure IPv6 related settings if it's
disabled") moved the MTU configuration part under the code path which is only
run if IPv6 is enabled on the system.
This prevented MTU changes on IPv6 disabled systems.
|
|
T4319: bugfixes for disabled IPv6 (current)
|
|
Add new bgp parameter 'no-suppress-duplicates'
set protocols bgp parameters no-suppress-duplicates
|
|
|
|
|
|
|
|
|
|
According to a wrong bug [1] there is no longer a vrf suffix available for
interfaces. This got changed in [2] which no longer print vrf name for
interface config when using vrf-lite.
1: https://github.com/FRRouting/frr/issues/10805
2: https://github.com/FRRouting/frr/pull/10411
|
|
|
|
|
|
This reverts commit 534f677d36285863decb2cdff179687b4fd690cb.
Revert while investigating failure in vyos-configtest.
|
|
|
|
|
|
It should be possible to send the gathered data via a VRF bound interface to
the collector. This is somehow related to T3981 but it's the opposite side of
the netflow process.
set system flow-accounting vrf <name>
|
|
(cherry picked from commit 2fd5eea801bb524c12217c26d98c44a819b2086e)
|
|
|
|
|
|
|
|
|
|
ipsec: T1856: Ability to set SA life bytes and packets
|
|
ipsec: T3948: Add CLI site-to-site peer connection-type none
|
|
|
|
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
|
|
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
|
|
Commit 5d14a04b ("smoketest: dhcp: T4203: move testcase to base class") added
global support in the test case framework for DHCP tests. Some interfaces (e.g.
MACsec) require additional options to be passed before the test can be launched.
In the MACsec case this includes a source interface, or encryption ciphers.
|
|
set vpn ipsec esp-group grp-ESP life-bytes '100000'
set vpn ipsec esp-group grp-ESP life-packets '2000000'
|
|
* t4203-dhcp:
smoketest: dhcp: T4203: move testcase to base class
static: T4203: obey interface dhcp default route distance
interface: T4203: prevent DHCP client restart if not necessary
|
|
vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options
|
|
We do not only provide DHCP functionality to ethernet interfaces, it's a common
feature so the testcase should be made available for multiple interface types.
|
|
Ability to set Cisco FlexVPN vendor ID payload:
charon.cisco_flexvpn
charon.install_virtual_ip_on
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z
set vpn ipsec options flexvpn
set vpn ipsec options virtual-ip
set vpn ipsec options interface tunX
set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
|
|
Commit 5fc9ef9e ("DHCP : T4258: Set correct port for dhcp-failover") changed
how the failover port is rendered into the ISC DHCPd configuration - adjustment
of the smoketests was missed out.
|
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
