Age | Commit message (Collapse) | Author |
|
* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
Firewall: T4651: Change proposed cli from ip-length to packet-length
Firewall: T4651: Add options to match packet size on firewall rules.
|
|
|
|
nat: T538: Add static NAT one-to-one
|
|
T4665: Keepalived: Allow same VRID on interface
|
|
Fix the issue when configured pseudo-ethernet interface cannot
change self mode
|
|
Using the same VRID on an interface is allowed as long as
the address family is different (VRRPv2 vs VRRPv3)
|
|
|
|
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix
default action 'drop' for the firewall") in a way that we can now also use the
XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This
is a much cleaner approach which also adds the default value automatically to
the CLIs completion helper ("?").
|
|
nat: T4367: Move nat rules from /tmp to /run/nftables_nat.conf
|
|
console: T4646: Fixed USB console issues
|
|
* fixed the `systemctl restart` command that used a value from config instead
converted to `ttyUSBX`
* moved systemd units from `/etc/` to `/run/`
|
|
Move nftables nat configuration from /tmp to /run
As we have for other services like firewall, conntrack
Don't remove the config file '/run/nftables_nat.conf' after commit
|
|
|
|
graphql: T4640: add schema defs and resolver support for op-mode errors
|
|
opennhrp: T1070: Fixed creating IPSEC tunnel to Hub
|
|
Section.interface()
Commit cfde4b49 ("ifconfig: T2223: add vlan switch for Section.interfaces()")
added the functionality of the local get_interfaces() function to the base
class so all other parts in the system can query for interface names of a given
type including or excluding their vlan sub-interfaces.
|
|
Rewrite op-moe "show nat|nat66 translation" to vyos.opmode format
Ability to get machine-readable format "raw"
|
|
Fixed creating IPSEC tunnel to Hub. Added continues of execution
generator functions.
|
|
|
|
ipsec: T4594: Rewrite op-mode 'show vpn ipsec sa' to the new format
|
|
|
|
|
|
|
|
op-mode: T4645: Show nat source statistics missing argument --family
|
|
As we use in commit 8d4205a9 argument '--family' for the
function '_get_raw_data_rules(direction, family)' we must use it
and for 'nat.py show_statistics' as it get raw data from the same
function
|
|
By default SSTP bind port '443' and this port can be used by
another service like 'service https' or 'vpn openconnect'
Check if port bound to another service
|
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Reuslts in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
|
|
nat66: T4626: Rewrite op-mode show nat66 rules
|
|
opennhrp: T1070: Fixed removal all SAs in script
|
|
|
|
keepalived: T4526: keepalived-fifo.py unable to load config
|
|
https: T4597: Verify bind port before apply HTTPS API service
|
|
conntrack: T4623: Add conntrack statistics for op-mode
|
|
Rewrite op-mode "show nat66 source|destination rules" to the
new format
use "show_rules --direction <direction> --family <inet|inet6>"
Delete old script show_nat66_rules.py
|
|
Fixed removal all dmvpn SAs. Changed vici terminate by child-sa
name on terminate by ike-id
|
|
|
|
|
|
If Nginx address/port is already binded to another service
(for exampmle openconnect default port 443)
https api cannot start and we don't see any error in the output.
Add this check before applying service/commit
|
|
keepalived-fifo.py cannot load the VyOS config because the
script is started before the commit is completely finished.
This change makes sure the script waits for the commit
to be completed. It retries every 0.5 seconds. If the commit
is still not completed it will continue as did the original
implementation.
|
|
|
|
|
|
We check listen port before commit service if is port available and
not bounded, but when we start openconnect our own port starts be
bounded by "ocserv-main" process and next commit will be fail as
port is already bound
To fix it, extend check if port already bonded and it is not our
self process "ocserv-main"
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
|
|
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
It will be enough for PREROUTING and POSTROUTING rules
Use a separate table 'vyos_static_nat' as SRC/DST rules and
STATIC rules can have the same rule number
|
|
upnp: T4613: Verify listen key in dictionary
|
|
There is no check if 'listen' is exist in the dictionary, fix it
Fix odd ValueHelp format
|
|
|
|
ocserv: T4596: Rewrite show openconnect sessions op-mode
|
|
The command "restart dhcp relay-agent" doesn't restart "isc-dhcp-relay" service.
|
|
nat66: T4598: Add exclude options in nat66
|