Age | Commit message | Author |
|
without the validators FRR commit errors would happen.
|
Currently, all VRFs share the same connection tracking table, which can
lead to problems:
- traffic leaks to a wrong VRF
- improper NAT rules handling when multiple VRFs contain the same IP
networks
- stateful firewall rules issues
The commit implements connection tracking zones support. Each VRF
utilizes its own zone, so connections will never mix up.
It also adds some restrictions to VRF names and assigned table numbers,
because of nftables and conntrack requirements:
- VRF name should always start with a letter (interfaces that start with
numbers are not supported in nftables rules)
- table number must be in the 100-65535 range because conntrack supports
only 65535 zones
|
Add XML for configuration mode firewall. Used for rewriting it to Python style in the future.
|
migrate from old vyatta-cfg-system / Perl implementation.
|
The regex only validated interfaces according to the VyOS naming scheme, but
third party interfaces that are legit (e.g. exist within the kernel) failed
to validate.
The validator now also supports any kind of local interfaces attached to
the OS kernel.
|
VyOS 1.2 (crux) rejected prefixes of a size other than /64.
[ interfaces ethernet eth0 ipv6 address eui64 2006:ab00:abe1::2/127 ]
Error: Prefix lenght is 127. It must be 64.
The same should be done on VyOS 1.3 and newer.
|
This reverts commit 9541355433e202fade4692851bffa33ba9d48f44.
|
Since it's relatively rarely used, Python's startup time shouldn't
be much of a problem.
|
It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the
negated form with a leading "!".
|
Exclude validators are required to support the ! (not) operator on the CLI to
exclude addresses from NAT.
|
$ time for i in {1..1000}; do /usr/libexec/vyos/validators/numeric --range 1-9999 666; done
real 0m56.933s
user 0m48.045s
sys 0m9.064s
$ time for i in {1..1000}; do /usr/libexec/vyos/validators/numeric --range 1-9999 666; done
real 0m44.552s
user 0m37.760s
sys 0m6.989s
This is a performance improvement of 21%, running in an ESXi VM with Quad
Intel(R) Xeon(R) CPU E5-2630L v3 @ 1.80GHz.
|
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitly open an IPv6 listening socket
(tcp6-server, tcp6-client, udp6) as the default on Linux listens on
IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
|
Fix the regex to allow vrf instances like "eth0vrf" but not to allow
"eth0"
|
Every VRF that's created is not allowed to be named like any interface that
can be active on the system. This includes eth, lan, br, dum, lo ....
In theory this would work but as soon as such a regular interface is created
things will go sideways rather quickly, thus we limit the namespace which can
be used to create a VRF.
Appending an interface name is still possible like coolvrf-eth0.
|
The current node.def based implementation should be migrated from
vyatta-cfg-system to vyos-1x. During the migration also provide a migration
script which transforms some old timezones like "Los_Angeles" into a proper
IANA assigned timezone which should be "America/Los_Angeles".
|
Verify if a file exists or not on the system. Can be called by:
<constraint>
<validator name="file-exists" argument="--directory /config/auth"/>
</constraint>
The --directory option is used to ensure a given file path lies under this
(mandatory) directory. A directory can be mandatory when the optional argument
-e, --error is used. This will return '1' instead of '0'.
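An added example, not the vyos-1x validator's own code, of a file-exists check with the --directory containment and the -e/--error exit semantics described above; it resolves symlinks before comparing so a link inside the directory that points outside is rejected. The demo() layout, file names and all paths in it are constructed for illustration.

```python
import argparse
import os
import shutil
import sys
import tempfile

def path_within(path, directory):
    """True when the fully resolved path (symlinks followed) lies under directory."""
    real_dir = os.path.realpath(directory)
    # commonpath, not startswith: "/config/auth-evil" is not inside "/config/auth"
    return os.path.commonpath([real_dir, os.path.realpath(path)]) == real_dir

def validate(path, directory=None):
    """True when path is an existing file and (if directory is set) lies under it."""
    return os.path.isfile(path) and (directory is None or path_within(path, directory))

def main(argv=None):
    parser = argparse.ArgumentParser(description="check that a file exists")
    parser.add_argument("--directory", help="file must lie under this directory")
    parser.add_argument("-e", "--error", action="store_true",
                        help="exit 1 instead of 0 when the check fails")
    parser.add_argument("path")
    args = parser.parse_args(argv)
    ok = validate(args.path, args.directory)
    if not ok:
        print(f"{args.path}: not an existing file under {args.directory}", file=sys.stderr)
    return 1 if (args.error and not ok) else 0  # without -e, failure still exits 0

def demo():
    # Constructed sample layout (not from the page): a sandbox directory "auth"
    # with a file inside, a file outside, and a symlink inside pointing outside.
    root = tempfile.mkdtemp()
    auth = os.path.join(root, "auth")
    os.mkdir(auth)
    inside, outside = os.path.join(auth, "key.pem"), os.path.join(root, "shadow")
    for p in (inside, outside):
        open(p, "w").close()
    os.symlink(outside, os.path.join(auth, "link"))
    results = {
        "inside": validate(inside, auth),                                  # True
        "dotdot": validate(os.path.join(auth, "..", "shadow"), auth),      # False
        "symlink_out": validate(os.path.join(auth, "link"), auth),         # False
        "prefix_trick": path_within(root + "/auth-evil", auth),            # False
        "exit_error": main(["--directory", auth, "-e", outside]),          # 1
        "exit_plain": main(["--directory", auth, outside]),                # 0
    }
    shutil.rmtree(root)
    return results
```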
|
- added a validator for checking if the address is any CIDR-notated address
|
https://phabricator.vyos.net/T772