used
We need to ensure that source-address is assigned on source-interface before
applying the configuration, else the SSH client will have a hard time talking to
someone.

Commit 846e306700a ("ssh: T2651: add cli options for source address") added
support for a basic SSH client option, but it grabbed the entire
/etc/ssh/ssh_config file without the ability to make custom user
adjustments via the /etc/ssh/ssh_config.d/ folder.
This commit places the VyOS SSH options under /etc/ssh/ssh_config.d/, leaving
the common override system alive.

This makes transitions/updates faster and less error prone.

T4904: keepalived virtual-server allow multiple ports with fwmark

Allow multiple ports for high-availability virtual-server
The current implementation allows balancing only one "virtual" address
and port between several "real servers".
Allow matching "fwmark" to set traffic which should be balanced.
Allow setting port 0 (all traffic) if we use "fwmark".
Add health-check script.
```
set high-availability virtual-server 203.0.113.1 fwmark '111'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
```

T4893: Add ppp-options ipv6-interface-id for L2TP

Add ppp-options IPv6 interface id for vpn L2TP
- fixed or random interface identifier for IPv6
- peer interface identifier for IPv6
- whether to accept peer’s interface identifier
```
set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id
set vpn l2tp remote-access ppp-options ipv6-intf-id 'random'
set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
```

`leaf_node_changed` returns `[]` (empty list) after a leaf node is
added.
e.g. Setting `source-interface` doesn't work on an existing vxlan
interface.
Steps to reproduce:
- Add a vxlan interface without `source-address` or `source-interface` options set:
```
set interfaces vxlan vxlan999 vni 999
set interfaces vxlan vxlan999 remote 192.168.100.100
commit
```
- Then set `source-address` or `source-interface`:
```
set interfaces vxlan vxlan999 source-interface eth0
commit
```
Actual result:
Source address or source-interface are not set:
```
ip -d link show dev vxlan999
76: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 56:08:ba:4d:4e:a8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 999 remote 192.168.100.100 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
```
Expected result:
```
77: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 9e:05:d9:58:1a:af brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 999 remote 192.168.100.100 dev eth0 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
```
All invocations of leaf_node_changed() should be migrated to is_node_changed() if you are only interested in whether something changed and don't care what exactly changed (content).

leaf_node_changed()
We only need to use leaf_node_changed() if we are interested in the detailed
change to a CLI node (what was the previous content). If we are only interested
in whether a node changed "at all", is_node_changed() should be used.

We only need to use leaf_node_changed() if we are interested in the detailed
change to a CLI node (what was the previous content). If we are only interested
in whether a node changed "at all", is_node_changed() should be used.

We only need to use leaf_node_changed() if we are interested in the detailed
change to a CLI node (what was the previous content). If we are only interested
in whether a node changed "at all", is_node_changed() should be used.

Instead of hardcoding the default protocol as TCP in the Python script we shall
use the XML based defaultValue approach instead. This also automatically exports
the default to the CLI completion helper.

If port is specified on the CLI so must be source and destination under
the port node.

The implementation of is_node_changed() is less error prone and should always
be favoured.

T4780: Firewall: add firewall groups in firewall. Extend matching cri…

1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have a generated db,
   the template generates an empty dest category
   in squidGuard.conf and a Warning message.
3. Added template generation for local categories
   in the rule section.
4. Changed syntax in the generation of the dest section for blacklist
   categories.
5. Fixed generation of dest local sections in squidGuard.conf.
6. Fixed bug in syntax. The word 'allow' changed to the word 'any'
   in acl squidGuard.conf.

routing: T1237: Add new feature failover route

There was a mistake in a config level that caused triggering the
`shutdown_required` flag, even if there were no new interfaces added to a
bonding.
This commit sets the proper config level to avoid the problem.

Failover route allows installing static routes to the kernel routing
table only if the required target or gateway is alive.
When the target or gateway doesn't respond to ICMP/ARP checks this route is
deleted from the routing table.
Routes are marked as protocol 'failover' (rt_protos):
```
cat /etc/iproute2/rt_protos.d/failover.conf
111 failover
ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover
$ sudo ip route show proto failover
203.0.113.1 via 192.0.2.1 dev eth0 metric 1
```
So we can safely flush such routes.

```
vyos@vyos# show interfaces sstpc
 sstpc sstpc10 {
     authentication {
         password vyos
         user vyos
     }
     server sstp.vyos.net
     ssl {
         ca-certificate VyOS-CA
     }
 }
```

L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool
As we can get addresses via RADIUS attributes:
- Framed-IPv6-Prefix
- Delegated-IPv6-Prefix

Fix l2tp dae server template and python config dict for correctly
handling Dynamic Authorization Extension server configuration

Every change in openconnect restarts the ocserv.service
Replace "restart" with "reload-or-restart" to avoid disconnecting
clients during config changes

T4860: Verify if mode in openconnect ocserv dict

openconnect authentication mode must be set
check dict that 'mode' exists in openconnect authentication

ocserv template expects list of routes but gets str "default"
it causes wrong routes like:
```
route = d
route = e
route = f
route = a
route = u
route = l
route = t
```
Fix it

firewall: T478: Fix firewall group circular dependency check

T4805: Restart pppoe-server if client pool was changed

T4825: Verify if you are trying to add a new vethX to an existing pair

Verify if you are trying to add a new vethX to an existing pair:
```
set int virtual-ethernet veth0 peer-name 'veth1'
set int virtual-ethernet veth1 peer-name 'veth0'
set int virtual-ethernet veth12 peer-name 'veth0'
```
Verify veth-name and peer-name cannot be the same:
```
set interfaces virtual-ethernet veth0 peer-name veth0
```

Some changes for 'service pppoe-server' require 'restart' the
accel-ppp@pppoe.service
But we use the option 'reload-or-restart' that doesn't work correctly
with 'accel-ppp'
Restart pppoe-server if client pool was changed

Prevent deleting interface "vethX" which is used by another
interface as "vethY peer-name vethX"
```
set interfaces virtual-ethernet veth0 peer-name 'veth1'
set interfaces virtual-ethernet veth1 peer-name 'veth0'
commit
delete interfaces virtual-ethernet veth0
commit
```

Add interface type veth (Virtual ethernet)
One of the use cases is interconnecting different VRFs and the
default VRF via a bridge
```
set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0
```

route-map action 'deny' cannot be used for "continue"
as FRR does not validate it
```
r14(config)# route-map FOO permit 100
r14(config-route-map)# route-map FOO deny 50
r14(config-route-map)# on-match goto 100
% Configuration failed.
Error type: validation
r14(config-route-map)#
```

so this new group can be used in inbound and outbound matcher

firewall: T4821: correct calling of conf_mode script dependencies