Age | Commit message (Collapse) | Author |
|
nat66: T4626: Rewrite op-mode show nat66 rules
|
|
opennhrp: T1070: Fixed removal all SAs in script
|
|
|
|
keepalived: T4526: keepalived-fifo.py unable to load config
|
|
https: T4597: Verify bind port before apply HTTPS API service
|
|
conntrack: T4623: Add conntrack statistics for op-mode
|
|
Rewrite op-mode "show nat66 source|destination rules" to the
new format
use "show_rules --direction <direction> --family <inet|inet6>"
Delete old script show_nat66_rules.py
|
|
Fixed removal all dmvpn SAs. Changed vici terminate by child-sa
name on terminate by ike-id
|
|
|
|
|
|
If Nginx address/port is already binded to another service
(for exampmle openconnect default port 443)
https api cannot start and we don't see any error in the output.
Add this check before applying service/commit
|
|
keepalived-fifo.py cannot load the VyOS config because the
script is started before the commit is completely finished.
This change makes sure the script waits for the commit
to be completed. It retries every 0.5 seconds. If the commit
is still not completed it will continue as did the original
implementation.
|
|
|
|
|
|
We check listen port before commit service if is port available and
not bounded, but when we start openconnect our own port starts be
bounded by "ocserv-main" process and next commit will be fail as
port is already bound
To fix it, extend check if port already bonded and it is not our
self process "ocserv-main"
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
|
|
From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.
Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.
Testing:
Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
|
|
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
It will be enough for PREROUTING and POSTROUTING rules
Use a separate table 'vyos_static_nat' as SRC/DST rules and
STATIC rules can have the same rule number
|
|
upnp: T4613: Verify listen key in dictionary
|
|
There is no check if 'listen' is exist in the dictionary, fix it
Fix odd ValueHelp format
|
|
|
|
ocserv: T4596: Rewrite show openconnect sessions op-mode
|
|
The command "restart dhcp relay-agent" doesn't restart "isc-dhcp-relay" service.
|
|
nat66: T4598: Add exclude options in nat66
|
|
Rewrite "show openconnect-server sessions" to vyos.opmode format
Ability to get raw and formatted output
Ability to get data via API
|
|
|
|
Check if openconnect listen port is available and not used by
another service
|
|
T2719: add an exception hierarchy for op mode errors
|
|
|
|
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
|
|
|
|
nat66: T4586: Add SNAT destination prefix and DNAT address
|
|
Rewrite op-mode "show vpn ipsec sa" to new format
Use vyos.opmode format
Ability to get raw and formatted output
|
|
|
|
Add IPV6 exclude validators:
- ipv6-address-exclude
- ipv6-prefix-exclude
Will use in nat66 source/destination
|
|
Add option restart to `containers.py`
|
|
Rewrite op-mode:
- show container
- show container network
- show container image
to the new vyos.opmode format
|
|
|
|
|
|
|
|
After commit 85d6c8f7c62 ("vyos.configdict: T4391: enable get_interface_dict()
to be used with ConfigTreeQuery()") we also need to use the full path when
working with Config() as previous calls to get_interface_dict() no longer change
the level of Config().
|
|
|
|
|
|
Check list of VRF's, check key 'ifname' is configured
If not configured, return message "VRF is not configured"
|
|
dns-forwarding: T4578: Rewrite show dns forwarding
|
|
Allows preferred lifetime for prefix advertisements to equal the
configured valid lifetime as per RFC 4861.
|
|
|
|
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
bgp: T4257: Changing BGP "local-as" to "system-as"
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
|
|
|
|
Rewrite op-mode "show dns forwarding statistics" to new format
Use vyos.opmode format
|