Age | Commit message (Collapse) | Author |
|
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF
actually exists. If this is not validated, one can pass an invalid VRF to the
system which generates an OSError exception.
To reproduce
set interfaces vxlan vxlan1 vni 1000
set interfaces vxlan vxlan1 remote 1.2.3.4
set interfaces vxlan vxlan1 vrf smoketest
results in
OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt
This commit adds the missing verify_vrf() call to the missing interface types
and an appropriate smoketest for all interfaces supporting VRF assignment.
(cherry picked from commit dd0ebffa33728e452ac6e11737c2283f0e390359)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit 71926f64385d7ab66431c60afa1fc8554ad7e2dc)
|
|
(cherry picked from commit 8bf6687b5276589e64988c3c54dbf61a628ee2a0)
|
|
(cherry picked from commit f6485f7df8713298d81ec0d45c548417db111523)
|
|
Authored-By: Alain Lamar <alain_lamar@yahoo.de>
(cherry picked from commit d5e988ba2d0fa0189feff22374c9b46eb49e2e79)
|
|
Commit 9e22ab6b2a ("wireless: T6318: move country-code to a system wide
configuration") removed the per wifi interface setting for a country-code. This
commit adjust the smoketests to the new design.
(cherry picked from commit 312273c9569d973c510d871adb941709804d8868)
|
|
(cherry picked from commit 578fbe0eb436697132e5a738fec5a4ac61ced8da)
|
|
(cherry picked from commit 23a3419d512139650cfe3dc76759b370b0c0c3d6)
|
|
Also adds support for life_bytes, life_packets, and DPD for
remote-access connections. Changes behavior of remote-access esp-group
lifetime setting to have parity with site-to-site connections.
(cherry picked from commit fd5d7ff0b4fd69b248ecb29c6ec1f3cf844c41cf)
|
|
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances
failed") introduced a new helper to retrieve the VRF table ID from the Kernel.
This commit migrates the old code path where the individual fields got queried
to the new helper vyos.utils.network.get_vrf_tableid().
(cherry picked from commit 36f3791e0c15267483d59a3bb74465811d08df88)
|
|
To reproduce:
set vrf name mgmt table '150'
set vrf name no-mgmt table '151'
set interfaces ethernet eth2 vrf 'mgmt'
commit
set interfaces ethernet eth2 vrf no-mgmt
commit
This resulted in an error while interacting with nftables:
[Errno 1] failed to run command: nft add element inet vrf_zones ct_iface_map { "eth2" : 151 }
The reason is that the old mapping entry still exists and was not removed.
This commit adds a new utility function get_vrf_tableid() and compares the
current and new VRF table IDs assigned to an interface. If the IDs do not
match, the nftables ct_iface_map entry is removed before the new entry is added.
(cherry picked from commit 452068ce78581bb6fba2df4dba197e95b9aeb33d)
|
|
(cherry picked from commit ad43aa885a8ef689da212088d6ebb37c32d72883)
|
|
openvpn: T5487: Remove deprecated option --cipher for server and client mode
|
|
(cherry picked from commit 06e6e011cdf12e8d10cf1f6d4d848fd5db51720d)
|
|
|
|
Add Loki plugin to telegraf
set service monitoring telegraf loki url xxx
(cherry picked from commit 3365eb7ab99fa9a259fe440eb51e82fc0a0a4dc6)
|
|
(cherry picked from commit 4c7719efa27d9d2966b70b924c90aa2c90022388)
|
|
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
|
|
openvpn: T5487: Remove deprecated option --cipher for server and client mode
|
|
|
|
Commit 770edf016838523 ("T3900: T6394: extend functionalities in firewall")
changed the position in the CLI for conntrack timeout. This lead to failing
smoketests because of a regression in the migrator.
|
|
vyos.utils: T5195: import vyos.cpu to this package
|
|
|
|
|
|
The intention of vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
|
|
T3900: Add support for raw tables in firewall
|
|
isis: T6429: fix isis metric-style configuration missing
|
|
|
|
timeout parameters defined in conntrack to firewall global-opton section.
|
|
|
|
dns: T6422: allow multiple redundant NS records
|
|
added new syntax to work with class match filters in QoS policy
|
|
style fixes
|
|
T4576: Accel-ppp logging level configuration
|
|
reverse-proxy: T6419: build full CA chain when verifying backend server
|
|
haproxy supports both ":::80 v4v6" and "[::]:80 v4v6" as listen statement,
where the later one is more humand readable. Both act in the same way.
|
|
T6411: CGNAT fix sequences for external address ranges
|
|
ISIS: T6332: Fix isis not working only ipv6
|
|
|
|
T5786: Add set/show system image to /image endpoint
|
|
Fix the bug where address external alocation was not rely on sequences
of the external IP addresses (if set)
|
|
|
|
|
|
|
|
|
|
add ability to change logging level config for:
* VPN L2TP
* VPN PPTP
* VPN SSTP
* IPoE Server
* PPPoE Serve
|
|
|
|
reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses
|
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
|
|
|