VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=T6674-circ-trigger 2023-08-02T09:12:23+00:00 2023-08-02T09:12:23+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-08-02T09:12:23+00:00 urn:sha1:d1923b7b58795f0d9635ae0e8df110f591881bdf The script's name is always provided as the first argument sys.argv[0] Expected length for argv is 2 (script itself + config file) Change: 'if (len(argv) < 1)' to 'if len(argv) < 2' 2022-05-25T16:42:44+00:00 John Estabrook jestabro@vyos.io 2022-05-25T15:21:25+00:00 urn:sha1:d8ce60dd846792fec76af92151d470a4169f163d The config vrf-basic reveals a missing block in the migration script vrf/0-to-1, moving 'next-hop-vrf' to 'vrf'. As this only exists in Sagitta, modify script 0-to-1. Also, fix the 'system nt' typo seen in vrf-ospf. 2021-07-17T19:36:39+00:00 zsdc taras@vyos.io 2021-07-12T19:59:48+00:00 urn:sha1:22791e26f444766dc9f9e1729b72893208f58079 Currently, all VRFs share the same connection tracking table, which can lead to problems: - traffic leaks to a wrong VRF - improper NAT rules handling when multiple VRFs contain the same IP networks - stateful firewall rules issues The commit implements connection tracking zones support. Each VRF utilizes its own zone, so connections will never mix up. It also adds some restrictions to VRF names and assigned table numbers, because of nftables and conntrack requirements: - VRF name should always start from a letter (interfaces that start from numbers are not supported in nftables rules) - table number must be in the 100-65535 range because conntrack supports only 65535 zones 2021-07-12T16:38:41+00:00 Christian Poessinger christian@poessinger.com 2021-07-12T16:38:14+00:00 urn:sha1:73e58b7d000c92608b263f2f52b60d21d741db04 Previously during migration if one had used interface routes, the VRF based ones got not migrated. The following "old" VyOS 1.3 configuration did not get migrated: set protocols static interface-route 10.20.0.0/24 next-hop-interface eth2 next-hop-vrf 'blue' set protocols static interface-route 10.30.0.0/24 next-hop-interface br10 next-hop-vrf 'red' set protocols vrf blue static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default' set protocols vrf red static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default' set vrf name blue table '3000' set vrf name mgmt table '1000' set vrf name red table '2000' It must get migrated to: set protocols static route 10.20.0.0/24 interface eth2 vrf 'blue' set protocols static route 10.30.0.0/24 interface br10 vrf 'red' set vrf name blue protocols static route 10.0.0.0/24 interface eth1 vrf 'default' set vrf name blue table '3000' set vrf name mgmt table '1000' set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default' set vrf name red table '2000' 2021-03-14T13:46:01+00:00 Christian Poessinger christian@poessinger.com 2021-03-13T20:08:38+00:00 urn:sha1:548d9057e3ed66852bb2be62fe770c265712b4f3 Instead of having the dynamic routing protocols OSPF and BGP residing under the "protocols vrf <name> [ospf|bgp]" nodes, rather move them directly under the "vrf name <name> protocols [ospf|bgp]" node. Now all VRF related parts are placed under the same root node. This eases the verify steps tremendously, as we do not need to check wheter a VRF eists or not, it will always exist as we operate under a child node. 2021-02-05T21:42:29+00:00 Christian Poessinger christian@poessinger.com 2021-02-03T23:00:41+00:00 urn:sha1:3dd78cddfe90851cb7a6891add8a0973d23da292