Age | Commit message (Collapse) | Author |
|
(cherry picked from commit 3abe7c72c95c3d9b825db08b092c555786e9fbcf)
Co-authored-by: Viacheslav Hletenko <v.gletenko@vyos.io>
|
|
|
|
config-mgmt: T5976: add option for commit-confirm to use 'soft' rollback
|
|
|
|
pbr: T6430: Local IP rules targeting VRFs by name as well as route table IDs
|
|
* This is the `policy local-route*` part of T6430, manipulating ip rules,
another PR covers firewall-backed `policy route*` for similar functionality
* Local PBR (policy local-route*) can only target table IDs up to 200 and
the previous PR to extend the range was rejected
* PBR with this PR can now also target VRFs directly by name, working around
targeting problems for VRF table IDs outside the overlapping 100-200 range
* Validation ensures rules can't target both a table ID and a VRF name
(internally they are handled the same)
* Relocated TestPolicyRoute.verify_rules() into VyOSUnitTestSHIM.TestCase,
extended to allow lookups in other address families (IPv6 in the new tests).
verify_rules() is used by original pbr and new lpbr smoketests in this PR.
|
|
pki: T6481: auto import ACME certificate chain into CLI
|
|
When using an ACME based certificate with VyOS we provide the necessary PEM
files opaque in the background when using the internal tools. This however will
not properly work with the CA chain portion, as the system is based on the
"pki certificate <name> acme" CLI node of a certificate but CA chains reside
under "pki ca".
This adds support for importing the PEM data of a CA chain issued via ACME into
the "pki ca AUTOCHAIN_<name> certificate" subsystem so it can be queried by
other daemons. Importing the chain only happens, when the chain was not already
added manually by the user.
ACME certificate chains that are automatically added to the CLI are all prefixed
using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds
a safeguard when the intermediate CA changes, the referenced name on the CLI
stays consitent for any pending daemon updates.
|
|
This fixes the error message:
Can not use both blackhole and reject for prefix "{prefix}"!
Added in commit bb78f3a9ad28 ("static: T4283: support "reject" routes - emit an
ICMP unreachable when matched")
|
|
Commit-confirm will restore a previous configuration if a confirmation
is not received in N minutes. Traditionally, this was restored by a
reboot into the last configuration on disk; add a configurable option to
reload the last completed commit without a reboot. The default setting
is to reboot.
|
|
|
|
ipsec: T6101: Add validation for proposal option used in IKE group
|
|
T973: add basic node_exporter implementation
|
|
|
|
|
|
T6687: add fqdn support to nat rules.
|
|
|
|
bridge: T6675: VXLAN Interface configuration lost due to improper bridge detachment
|
|
|
|
|
|
detachment
|
|
syslog: T5367: add format option to include timezone in message
|
|
|
|
|
|
|
|
Instead of having EAPoL (Extensible Authentication Protocol over Local Area
Network) support only available for ethernet interfaces, move this to common
ground at vyos.ifconfig.interface making it available for all sorts of
interfaces by simply including the XML portion
#include <include/interface/eapol.xml.i>
|
|
Add CLI option to include the systems timezone in the syslog message sent to
a collector. This can be enabled using:
set system syslog host <hostname> format include-timezone
|
|
policy: T6676: Invalid route-map caused bgpd to crash
|
|
T6703: Adds option to configure AMD pstate driver
|
|
openfabric: T6652: Add support for OpenFabric protocol
|
|
T6701: Added ability to disable the container DNS plugin
|
|
|
|
|
|
|
|
|
|
Add ability to set the container network with a disable-dns setting to disable
the DNS plugin that is on be default.
set container network <network> no-name-server
|
|
OpenFabric is a routing protocol providing link-state routing with efficient flooding for topologies like spine-leaf networks.
FRR implements OpenFabric in a daemon called fabricd
|
|
|
|
Fix for system option ssh-client source-interface
For the `verify_source_interface` the key `ifname` if required
|
|
T6183: interfaces openvpn: suppport specifying IP protocol version
|
|
|
|
|
|
each other
|
|
The function verify_interface_exists requires a reference to the ambient
config_dict rather than creating an instance. As access is required to
the 'interfaces' path, provide as attribute of class ConfigDict, so as
not to confuse path searches of script-specific config_dict instances.
|
|
|
|
|
|
|
|
OPENVPN: T6555: add server-bridge options in mode server
|
|
T5873: T6619: remove unused imports
|
|
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
|