Age | Commit message (Collapse) | Author |
|
* Add support for ECN and CWR flags
|
|
This reverts commit 29efbf51efea559773f61703f11a77a8aee6de36.
|
|
This reverts commit 391ce22b76190309f81e048ebffab778b0fdee1d.
|
|
|
|
|
|
op-mode: T4179: Add op-mode CLI show virtual-server
|
|
firewall: T4178: Use lowercase for TCP flags and add an validator
|
|
|
|
Adds support for `ip -6 rule` policy based routing.
Also, extends the existing ipv4 implemenation with a
`destination` key, which is translated as
`ip rule add to x.x.x.x/x` rules.
https://phabricator.vyos.net/T4151
|
|
|
|
There is a situation when service keepalived is active but
there a no any "vrrp" configuration. In that case "show vrrp"
hangs up because it expect data from keepalived daemon which
can't get
Check if "vrrp" exists in configuration and only then check if pid
is active
|
|
Add URL, token and bucket hidind data when is used function
"strip-private"
|
|
Telegraf ethtool input filter expected ethX interfaces and not
other interfaces like vlans/tunnels/dummy
Add "interface_include" option to telegraf template.
|
|
Rewrite and improve the custom input filter telegraf script
"show_interfaces_input_filter.py" to more readable and clear format
Fix bug when it failed with configured tunnel "tunX" interfaces
|
|
|
|
|
|
firewall: validators: T4174: Correct upper port range boundary
|
|
policy: T2199: Update op-mode syntax to `route6`
|
|
|
|
|
|
firewall: policy: T4131: T4144: T4159: T4164: Fix reported firewall issues, policy-route refactor
|
|
After the a1aaf4fb9c0e4111670ef3dd491796fa35a2311f commit, only single
(latest) CHILD_SA for each connection can be displayed in the
`show vpn ipsec sa` output. This commit backs the proper behavior for
the command and adds a little optimization to the formatter to make it
easier.
|
|
* Migrates all policy route references from `ipv6-route` to `route6`
* Update test config `dialup-router-medium-vpn` to test migration of `ipv6-route` to `route6`
|
|
Migrating 1.2.8 -> 1.4-rolling-202201110811
vyos-router[970]: Waiting for NICs to settle down: settled in 0sec..
vyos-router[1085]: Started watchfrr.
vyos-router[970]: Mounting VyOS Config...done.
vyos-router[970]: Starting VyOS router: migrate
vyos-router[1490]: Traceback (most recent call last):
vyos-router[1490]: File "/opt/vyatta/etc/config-migrate/migrate/interfaces/5-to-6", line 112, in <module>
vyos-router[1490]: for if_type in config.list_nodes(['interfaces']):
vyos-router[1490]: File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 236, in list_nodes
vyos-router[1490]: raise ConfigTreeError("Path [{}] doesn't exist".format(path_str))
vyos-router[1490]: vyos.configtree.ConfigTreeError: Path [b'interfaces'] doesn't exist
vyos-router[1455]: Migration script error: /opt/vyatta/etc/config-migrate/migrate/interfaces/5-to-6: Command
'['/opt/vyatta/etc/config-migrate/migrate/interfaces/5-to-6', '/opt/vyatta/etc/config/config.boot']'
returned non-zero exit status 1..
vyos-router[970]: configure.
vyos-config[979]: Configuration success
|
|
|
|
is changed
|
|
items sorted and one per line
|
|
|
|
file for group definitions.
|
|
In order to have a consistent looking CLI we should rename this CLI node.
There is:
* access-list and access-list6 (policy)
* prefix-list and prefix-list6 (policy)
* route and route6 (static routes)
|
|
The bug was partially fixed with this commit:
https://github.com/vyos/vyos-1x/commit/358f0b481d8620cad4954e3fe418054b9a8c3ecd
The earlier commit introduced a startup retry (up to 10 times) to allow the OS
to settle before the container is started. However, it only applies if
host networking is NOT used. This change applies the same for containers
where host networking is employed.
Since the retry portion of the code (written in the earlier commit) is now
referenced twice, it has been moved to its own function.
|
|
Before installing a new conntrack policy into the OS Kernel, the new policy
should be verified by nftables if it can be loaded at all or if it will fail
to load. There is no need to load a "bad" configuration if we can pre-test it.
|
|
Before installing a new conntrack policy into the OS Kernel, the new policy
should be verified by nftables if it can be loaded at all or if it will fail
to load. There is no need to load a "bad" configuration if we can pre-test it.
|
|
|
|
firewall: validators: T4148: Improve validators and firewall validator usage
|
|
|
|
|
|
|
|
|
|
|
|
zone-policy chains
* Prevent firewall names from using the reserved VZONE prefix
|
|
zone-policy: T4135: Raise error when using an invalid "from" zone.
|
|
|
|
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
|
|
zone-policy
|
|
keepalived: T4109: Add high-availability virtual-server
|
|
Add new feature, high-availability virtual-server
Change XML, python and templates
Move vrrp to root node 'high-availability' as all logic are
handler by root node 'high-availability'
|
|
firewall: T4130: Fix firewall state-policy errors
|
|
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
|
|
|