Age | Commit message (Collapse) | Author |
|
|
|
The following commands will enable nftables flowtable offload on interfaces eth0 eth1:
```
set firewall global-options flow-offload software interface <name>
set firewall global-options flow-offload hardware interface <name>
```
Generated nftables rules:
```
table inet vyos_offload {
flowtable VYOS_FLOWTABLE_software {
hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 };
counter
}
chain VYOS_OFFLOAD_software {
type filter hook forward priority filter - 1; policy accept;
ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
}
}
```
Use this option to count packets and bytes for each offloaded flow:
```
set system conntrack flow-accounting
```
To verify a connection is offloaded, run
```
cat /proc/net/nf_conntrack|grep OFFLOAD
```
This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
|
|
container: T5563 Fix environment replaced by label
|
|
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when
working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI
is configured against a container VXLAN interface which is referred to as a
'Single VXLAN device (SVD)'.
Multiple VLAN to VNI mappings can be configured against the same SVD. This
allows for a significant scaling of the number of VNIs since a separate VXLAN
interface is no longer required for each VNI.
Sample configuration of SVD with VLAN to VNI mappings is shown below.
set interfaces bridge br0 member interface vxlan0
set interfaces vxlan vxlan0 external
set interfaces vxlan vxlan0 source-interface 'dum0'
set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030'
set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
|
|
|
|
T5554: Disable sudo for PAM RADIUS
|
|
login: T4754: show configured 2FA OTP key
|
|
Disable sudo for PAM RADIUS template that slows down the CLI commands
To fix it add:
session [default=ignore success=2] pam_succeed_if.so service = sudo
|
|
Currently VyOS has `protocol igmp` option to enable IGMP querier and reports through FRR's pimd.
I would like to add support for IPv6 as well since FRR's IPv6 multicast functionality has significantly improved.
Enabling both MLD and IGMP on a VyOS router will allow us to turn on multicast snooping on layer-3 switches in dual-stack networks.
Example commands:
```
// Enable on interface eth0
set protocols pim6 interface eth0
// Explicitly join multicast group ff18::1234 on interface eth1
set protocols pim6 interface eth1 mld join ff18::1234
// Explicitly join source-specific multicast group ff38::5678 with source address 2001:db8::1 on interface eth1
set protocols pim6 interface eth1 mld join ff38::5678 source 2001:db8::1
```
|
|
T5412: Add support for extending config-mode dependencies in add-on packages
|
|
|
|
|
|
|
|
conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups
|
|
T5489: Add sysctl TCP congestion control by default to BBR
|
|
T5423: Fix for op-mode show vpn ike secrets
|
|
T5480: Ability to disable SNMP for keepalived service VRRP
|
|
When using `virtual-server` alongside Keepalived, there can be
situations where the `vrrp` key is completely unused.
|
|
|
|
* netns:
smoketest: T5241: re-work netns assertions and provide common utility helper
netns: T5241: simplify network namespace handling
netns: T5241: improve get_interface_namespace() robustness
netns: T5241: use common interface_exists() helper
netns: T5241: provide is_netns_interface utility helper
T5241: Support netns for veth and dummy interfaces
|
|
|
|
We don't use ipsec.secrets anymore
Fix op-mode for "show vpn ike secrets".
Ability to get "RAW" format
|
|
Add by default sysctl TCP congestion control to BBR.
Default value `cubic` is not optimal.
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
|
|
By default we enable `--snmp` for keepalived unit service
Add ability to disable it
set high-availability vrrp disable-snmp
|
|
T2958: Refactor DHCP-server systemd unit and lease
|
|
T5496: multiple fixes for op-mode command <show firewall>
|
|
easy to read, and we get uniform output for both families, and will look the same when working with inet family in the future. Fix output of geo-ip matchers. Fix output for default-action rules: display N/A for counters in base chains, since they are not available.Change from N/A to N/D for empty groups, and for groups which found no reference in config
|
|
Render isc-dhcp-server systemd unit from configuration
|
|
|
|
add IPv6 support and firewall groups
|
|
T5533: Fix VRRP IPv6 group enters in FAULT state
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it
|
|
https://github.com/sever-sever/vyos-1x into netns
* 'T5241-control-edition' of https://github.com/sever-sever/vyos-1x:
T5241: Support netns for veth and dummy interfaces
|
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
Add AWS load-balancing tunnel handler
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-integrate-linux-instances-with-aws-gateway-load-balancer/
set service aws glb script on-create '/config/scripts/tmp.sh'
set service aws glb script on-destroy '/config/scripts/tmp.sh'
set service aws glb status format 'simple'
set service aws glb status port '8282'
set service aws glb threads tunnel '4'
set service aws glb threads tunnel-affinity '1-2'
set service aws glb threads udp '4'
set service aws glb threads udp-affinity '0-3'
|
|
T5536: Fix show dhcp client leases
|
|
|
|
Fix helpers was moved to vyos.utils package
Fix empty new address from the lease file causes
OSError: illegal IP address string passed to inet_pton
|
|
T5531: Containers add label option
|
|
eapol: T4782: Support multiple CA chains
|
|
Ability to set labels for container
set container name c1 allow-host-networks
set container name c1 image 'busybox'
set container name c1 label mypods value 'My label for containers'
|
|
|
|
|
|
specified (correct ::/0 for ipv6). Also, add columns for inbound and outbound interfaces
|
|
correct reference in source/destination column
|
|
|
|
firewall: T5080: Disable conntrack unless required by rules
|
|
|
|
|
|
firewall: T3509: Add support for IPv6 reverse path filtering
|