Age | Commit message (Collapse) | Author |
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
T5536: Fix show dhcp client leases
|
|
|
|
Fix helpers was moved to vyos.utils package
Fix empty new address from the lease file causes
OSError: illegal IP address string passed to inet_pton
|
|
T5531: Containers add label option
|
|
eapol: T4782: Support multiple CA chains
|
|
Ability to set labels for container
set container name c1 allow-host-networks
set container name c1 image 'busybox'
set container name c1 label mypods value 'My label for containers'
|
|
|
|
specified (correct ::/0 for ipv6). Also, add columns for inbound and outbound interfaces
|
|
correct reference in source/destination column
|
|
|
|
firewall: T5080: Disable conntrack unless required by rules
|
|
|
|
|
|
firewall: T3509: Add support for IPv6 reverse path filtering
|
|
interface-name or interface-group
|
|
|
|
|
|
save-config: T4292: rewrite vyatta-save-config.pl to Python
|
|
Fix for add IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
Configuring "set system ip protocol ospf|bgp route-map foo" and commit it
installs the route-map into FRR. Removing the CLI configuration "delete system
ip protocol" does not remove the route-map from FRR - it stays active.
This commit adds the fix and appropriate smoketests extenstion.
|
|
|
|
system-ip: T5449: add TCP MSS probing options
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
T5472: nat redirect: allow redirection without defining redirected port
|
|
T5463: Container allow publish listen-addresses
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
|
|
Helper functions can and will be re-use din different code places.
|
|
|
|
Ability to publish multiple IP/IPv6 addresses for container
set container name c1 port web destination '80'
set container name c1 port web listen-address '192.0.2.1'
set container name c1 port web listen-address '2001:db8:1111::1'
set container name c1 port web source '8080'
--publish 192.0.2.1:8080:80/tcp --publish [2001:db8:1111::1]:8080:80/tcp
|
|
T5447: Initial support for MACsec static keys
|
|
T5478: remove config-trap configuration parser in firewall
|
|
|
|
|
|
|
|
|
|
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
|
|
|
|
|
|
|
|
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
|
|
Using threaded as CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probing if
the option is set. There is a base test which requires at least one peer
to be configured.
|
|
|
|
netplug: T5476: rewrite dhclient helper from Perl -> Python
|
|
dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
|
|
There are two hooks called for bridge, ethernet and bond interfaces if the
link-state changes up -> down or down -> up.
The helpers are:
* /etc/netplug/linkdown.d/dhclient
* /etc/netplug/linkup.d/dhclient
As those helpers use Linux actions to start/restart the dhclient process in
Perl it's time to rewrite it. First goal is to get rid of all Perl code and the
second is that we now have a Proper Python library. Instead of checking if the
process is running the then restarting it without even systemd noticing
(yeah we might get two processes beeing alive) we should:
* Add a Python helper that can be used for both up and down (see man 8 netplugd
FILES section)
* Query the VyOS CLI config if the interface in question has DHCP(v6)
configured and is not disabled
* Add IPv6 DHCPv6 support
MAN page: https://linux.die.net/man/8/netplugd
|
|
|
|
in OpenVPN site-to-site mode
|