Age | Commit message (Collapse) | Author |
|
After commit 209ce3d9 ("container: T3769: when container networks are used,
always bridge the networks") IP masquerading (NAT) was disabled. No need to
keep the haipin flag.
|
|
As VyOS is a network operation system with bridging and NATing available from
the VyOS CLI, it makes no sense to let podman do it's own sort of "NAT".
If one really want's to NAT into a container, use the VyOS CLI to do so. If you
wan't to bridge your networks, use the VyOS CLI to do so.
|
|
|
|
Volumes must have both a source and destination path specified. Also the
source path must exist on the current system.
|
|
A call to .items() was missing that triggered the following error:
ValueError: too many values to unpack (expected 2)
|
|
As VyOS CLI is the only truth for dealing with containers we do not need to
query if a container is running, exists or what so ever. We simply always
restart it if something changes and do not rely on the underlaying Linux
status.
If a users does container stuff under the hood - it will be overridden.
|
|
|
|
A container is limited to 256MB memory by default and will always restart on
failure.
|
|
|
|
A environment variable MUST always have a value specified. Non existing
values will cause the following error:
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/containers.py", line 269, in <module>
apply(c)
File "/usr/libexec/vyos/conf_mode/containers.py", line 224, in apply
env_opt += " -e ".join(f"{k}={v['value']}" for k, v in container_config['environment'].items())
File "/usr/libexec/vyos/conf_mode/containers.py", line 224, in <genexpr>
env_opt += " -e ".join(f"{k}={v['value']}" for k, v in container_config['environment'].items())
KeyError: 'value'
|
|
Now that MSS clamping is done on the "per-interface" level the entire PPPoE
stuff would have needed to get a full copy in GNU BASH for this or, participate
in the common library.
Add a new PPP ip-up script named 99-vyos-pppoe-callback which will call the
vyos.ifconfig.PPPoEIf.update() function to configure everything as done with
all other interfaces. This removes duplicated code for VRF assignment and route
installation when a PPPoE interface is brought up or down.
|
|
WWAN does no londer need to render any configuration files.
|
|
level
Getting rid of "set firewall options" and move it from:
set firewall options interface ethX adjust-mss 1400
set firewall options interface ethX adjust-mss6 1400
to:
set interfaces ethernet ethX ip adjust-mss 1400
set interfaces ethernet ethX ipv6 adjust-mss 1400
In addition add an extra option called clamp-mss-to-pmtu instead of a value.
|
|
This adds the following new commands:
set protocols bgp address-family ipv4-unicast route-map vpn export foo-map-out
set protocols bgp address-family ipv4-unicast route-map vpn import foo-map-in
set protocols bgp address-family ipv6-unicast route-map vpn export foo-map-out
set protocols bgp address-family ipv6-unicast route-map vpn import foo-map-in
|
|
|
|
|
|
|
|
|
|
convention
|
|
|
|
|
|
We only delete iptables rules if they really exist - if we try to delete a non-
existing rule a PermissionError exception is thrown.
We could either ignore the error code (that is what the old Vyatta code did),
or we check what we are doing beforehand.
|
|
|
|
Commit 6f87d8c9 ("ospf: T3757: support to configure area at an interface level")
did not allow the old way an area and netwokr was set-up as the if
expression was missing a check if 'area' was set in both the interface and the
ospf process.
|
|
|
|
FRR supports configuring either network prefixes per area, or assign an
interface to an area to participate in the routing process. This is already well
known from other venders and supported by FRR.
A valid VyOS OSPF configuration would then look like:
vyos@vyos# show protocols
ospf {
interface dum0 {
area 0
}
interface eth0.201 {
area 0
authentication {
md5 {
key-id 10 {
md5-key vyos
}
}
}
dead-interval 40
hello-interval 10
priority 1
retransmit-interval 5
transmit-delay 1
}
log-adjacency-changes {
detail
}
parameters {
abr-type cisco
router-id 172.18.254.201
}
passive-interface default
passive-interface-exclude eth0.201
}
|
|
pbr: T3702: Add rules match fwmark
|
|
default behavior
|
|
|
|
When removing bgp (vrf) instances the assigned VRF vni must be deleted from FRR
prior the removal of the bgp settings (T3734).
This is now done by moving the CLI command "set vrf name red vni 1000" to a
dedicated Python script with a priority higher then bgp.
|
|
|
|
isis: T3708: Fix errors in MTU calculation
|
|
|
|
|
|
|
|
|
|
|
|
Somehow we hit a priority inversion here as we need to remove the VRF assigned
VNI before we can remove a BGP bound VRF instance. Maybe move this to an
individual helper script that set's up the VNI for the given VRF after any
routing protocol (in our case this was triggered by running "make testc" when
building an ISO image by the bgp-rpki config).
|
|
This is a completing commit to a55585a833 ("frr: T2175: remove no longer
required loop when removing routing protocols") that was missed out
previously.
|
|
IKE dh-group defaults to 2 (modp1024).
|
|
|
|
|
|
isis: T3693: Adding IPv6 redistribution to ISIS
|
|
In this commit we add the ability to redistribute into
ISIS for IPv6 address family.
|
|
|
|
Commit f520182b ("vyos.util: add is_systemd_service_running() helper function")
added a new helper function that can be used to check if a systemd service is
running.
Drop all custom implementations in favor of this library call.
|
|
|
|
|
|
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw unique 'never'
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24'
set vpn ipsec remote-access radius nas-identifier 'fooo'
set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
|
|
As this is only related to remote-access, keeping it under "options" simply
feels wrong.
|