Age | Commit message (Collapse) | Author |
|
|
|
|
|
T6679: add group option for nat66
|
|
T6693: wireless: Enable WiFi-6 (802.11ax) for 2.4GHz AccessPoints
|
|
|
|
|
|
During podman upgrade and a build from the original source the UNIX socket
definition for systemd got lost in translation.
This commit re-adds the UNIX socket which is started on boot to interact with
Podman.
Example:
curl --unix-socket /run/podman/podman.sock -H 'content-type: application/json' \
-sf http://localhost/containers/json
|
|
|
|
T6647: firewall. Introduce patch for accepting invalid ARP and DHCP
|
|
|
|
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
|
|
|
|
Fix for system option ssh-client source-interface
For the `verify_source_interface` the key `ifname` if required
|
|
T6183: interfaces openvpn: suppport specifying IP protocol version
|
|
ipoe_server: T6649: Accel-ppp separate vlan-mon from listen interfaces
|
|
|
|
T6636: firewall: fix firewall template in order print logs for default-action
|
|
default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
|
|
rule
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
OPENVPN: T6555: add server-bridge options in mode server
|
|
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
|
|
T4072: firewall extend bridge firewall
|
|
|
|
|
|
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
|
|
|
|
T5873: ipsec remote access VPN: support VTI interfaces.
|
|
|
|
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
|
|
* PBR can only target table IDs up to 200 and the previous PR to extend the
range was rejected
* PBR with this PR can now also target VRFs directly by name, working around
targeting problems for VRF table IDs outside the overlapping 100-200 range
* Validation ensures rules can't target both a table ID and a VRF name
(internally they are handled the same)
* Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name
to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone().
It does not replace that usage, as it deliberately does not handle non-VRF
interface lookups (would fail with a KeyError).
* Added route table ID lookup dict, global route table and VRF table defs
to vyos.defaults. Table ID references have been updated in code touched
by this PR.
* Added a simple smoketest to validate 'set vrf' usage in PBR rules
|
|
T6362: Create conntrack logger daemon
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
smoketest: T6592: remove unused "import os"
|
|
smoketest: T6614: initial support for op-mode command testing
|
|
smoketest: T5705: use locally connected remote syslog servers
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
As there has been no route to the configured syslog servers, smoketests produced:
rsyslogd: omfwd: socket 8: error 101 sending via udp: Network is unreachable
Rather use some fake syslog servers from 127.0.0.0/8 which are directly
connected and we do not need to look up a route, which will suppress the above
error message.
|
|
|
|
|
|
iifname/oifname
When any of the following features NAT, NAT66 or Firewall is enabled, for every
VRF on the CLI we install one rule into nftables for conntrack:
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}
This is superfluous.
|
|
|
|
|
|
interface: T6592: remove interface from conntrack ct_iface_map on deletion
|