Age | Commit message | Author |
|
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, a clumsy compromise: requiring an explicit match on the "checksum"
  flag if a key is present, so we know where the key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
  validation; I added it first and it makes sense. I would still like
  to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
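The offset problem described in the commit message above, shown in code. This is an added example, not code from the vyos-1x repository or the commit: it parses an RFC 2890 GRE header (flag word, protocol type, then optional checksum+reserved1, key and sequence words, in that order), reports where the key actually sits, and builds an nftables raw-payload match (`@th,<bitoffset>,<bitlength>` with a bitmask over the C and K flag bits) that pins the checksum flag so the key offset is known. The sample headers are constructed, and the rule text is illustrative rather than VyOS' own template.

```python
import struct

# Flag bits in the first 16-bit word of the GRE header (RFC 2784 / RFC 2890)
GRE_FLAG_CHECKSUM = 0x8000   # C: checksum + reserved1 word follows the fixed header
GRE_FLAG_KEY      = 0x2000   # K: key word present
GRE_FLAG_SEQ      = 0x1000   # S: sequence number word present
GRE_FIXED_HDR_LEN = 4        # flags/version (2) + protocol type (2)

# Constructed sample headers (not captured traffic):
#   K only:  flags 0x2000, proto 0x0800 (IPv4), key 42
SAMPLE_GRE_KEY = bytes.fromhex("20000800" "0000002a")
#   C + K:   flags 0xa000, proto 0x0800, checksum 0x1234 / reserved1 0, key 42
SAMPLE_GRE_CSUM_KEY = bytes.fromhex("a0000800" "12340000" "0000002a")


def word_at(hdr: bytes, byte_off: int) -> int:
    """32-bit big-endian word at a fixed offset: what a raw payload match reads."""
    return struct.unpack_from("!I", hdr, byte_off)[0]


def parse_gre(hdr: bytes) -> dict:
    """Parse a GRE version 0 header and report where each optional field sits."""
    if len(hdr) < GRE_FIXED_HDR_LEN:
        raise ValueError("GRE header shorter than 4 bytes")
    flags, proto = struct.unpack_from("!HH", hdr, 0)
    if flags & 0x0007:
        raise ValueError("not GRE version 0 (version 1 is PPTP's enhanced GRE)")
    info = {
        "protocol": proto,
        "checksum": bool(flags & GRE_FLAG_CHECKSUM),
        "key_present": bool(flags & GRE_FLAG_KEY),
        "seq_present": bool(flags & GRE_FLAG_SEQ),
        "key": None,
        "key_offset": None,
    }
    off = GRE_FIXED_HDR_LEN
    if info["checksum"]:
        off += 4                        # checksum (2) + reserved1 (2)
    if info["key_present"]:
        if len(hdr) < off + 4:
            raise ValueError("truncated GRE key")
        info["key_offset"] = off        # 4 without C, 8 with C: this is the offset problem
        info["key"] = word_at(hdr, off)
        off += 4
    if info["seq_present"]:
        off += 4
    info["header_len"] = off
    return info


def nft_gre_key_match(key: int, checksum: bool = False) -> str:
    """Build an nftables raw-payload match for a GRE key.

    The flag word is masked with 0xa000 (C and K bits): K must be set and C
    must equal the 'checksum' argument, so the key's offset is fixed for this
    rule.  A second raw match then compares the 32-bit key at that offset.
    """
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("GRE key is a 32-bit field")
    want_flags = GRE_FLAG_KEY | (GRE_FLAG_CHECKSUM if checksum else 0)
    key_off = GRE_FIXED_HDR_LEN + (4 if checksum else 0)
    return (f"ip protocol gre @th,0,16 & 0xa000 == {want_flags:#06x} "
            f"@th,{key_off * 8},32 == {key:#010x}")


if __name__ == "__main__":
    for sample in (SAMPLE_GRE_KEY, SAMPLE_GRE_CSUM_KEY):
        print(parse_gre(sample))
    print(nft_gre_key_match(42))
    print(nft_gre_key_match(42, checksum=True))
    # Matching at the no-checksum offset against a C+K packet reads the checksum word
    print(hex(word_at(SAMPLE_GRE_CSUM_KEY, 4)))
```

Matching the key without pinning C reads the wrong word whenever a peer sets the checksum flag, which is why the rule text has to carry both the flag mask and the offset, and why two rules (one per C value) would be needed to cover both cases.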
|
|
T4072: firewall extend bridge firewall
|
|
T6632: add missing standard functions to config scripts
|
|
T6629: call check_kmod within a standard config function
|
|
|
|
In the PR https://github.com/vyos/vyos-1x/pull/3823 the ncp-ciphers
were replaced with `data-ciphers`
fix template for "generate openvpn client-config"
|
|
|
|
Move the remaining calls to check_kmod within a standard function,
with placement determined by the needs of the config script.
|
|
nat64: T6627: call check_kmod within standard config function
|
|
Functions called from config scripts outside of the standard functions
get_config/verify/generate/apply will not be called when run under
configd. Move as appropriate for the general config script structure and
the specific script requirements.
|
|
prerouting chain; re-introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
|
|
console: T3334: remove unused directories imported from vyos.defaults
|
|
|
|
enabling/disabling sending traffic from bridge layer to ipvX layer
|
|
wrong. Use nft -c option to check temporary file, and use output provided by nftables to parse the error if possible, or print it as it is if it's an unknown error
|
|
new chains, priorities, and firewall groups
|
|
T5873: ipsec remote access VPN: support VTI interfaces.
|
|
|
|
T6617: T6618: vpn ipsec remote-access: fix profile generators
|
|
T5657: Add VRF support for zabbix-agent
|
|
Starting the service under a VRF requires running it as User=root,
otherwise it had issues with cgroups
|
|
Removed unused pprint module
|
|
GitHub: T6560: action must be run on forked repo
|
|
T6486: T6379: Rewrite generate openvpn client-config
|
|
system: op-mode: T3334: allow delayed getty restart when configuring serial ports
|
|
Make it more obvious for the user about the severity of his action.
|
|
ports
* Created op-mode command "restart serial console"
* Relocated service control to vyos.utils.serial helpers, used by conf- and
op-mode serial console handling
* Checking for logged-in serial sessions that may be affected by getty reconfig
* Warning the user when changes are committed and serial sessions are active,
otherwise restart services as normal. No prompts issued during commit,
all config gen/commit steps still occur except for the service restarts
(everything remains consistent)
* To apply committed changes, user will need to run "restart serial console"
to complete the process or reboot the whole router
* Added additional flags and target filtering for generic use of helpers.
|
|
|
|
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
|
|
|
|
pbr: T6430: Allow forwarding into VRFs by name as well as route table IDs
|
|
Commit 452068ce78 ("interfaces: T6592: moving an interface between VRF instances
failed") added a similar but more detailed implementation of get_vrf_table_id()
that was added in commit adeac78ed of this PR. Move to the common available
implementation.
|
|
* PBR can only target table IDs up to 200 and the previous PR to extend the
range was rejected
* PBR with this PR can now also target VRFs directly by name, working around
targeting problems for VRF table IDs outside the overlapping 100-200 range
* Validation ensures rules can't target both a table ID and a VRF name
(internally they are handled the same)
* Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name
to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone().
It does not replace that usage, as it deliberately does not handle non-VRF
interface lookups (would fail with a KeyError).
* Added route table ID lookup dict, global route table and VRF table defs
to vyos.defaults. Table ID references have been updated in code touched
by this PR.
* Added a simple smoketest to validate 'set vrf' usage in PBR rules
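The name-to-table mapping and the "table ID or VRF name, not both" validation described in the commit message above, as an added example that is not the project's own get_vrf_table_id(). It reads the `table` attribute iproute2 reports for vrf-kind links in `ip -j -d link show` output (the inline JSON is a constructed stand-in reduced to the fields used), raises KeyError for non-VRF interfaces as the commit says the accessor deliberately does, and applies the cited 200 limit only to numeric table targets. The rule dict keys and PBR_MAX_TABLE_ID name are assumptions for illustration.

```python
import json
import subprocess
from typing import List, Optional

# Upper bound for numeric PBR table targets cited in the commit message;
# VRF tables may sit above it, which is why targeting by name is useful.
PBR_MAX_TABLE_ID = 200

# Constructed stand-in for `ip -j -d link show` output (fields reduced to what is used).
SAMPLE_IP_LINK_JSON = json.dumps([
    {"ifname": "eth0", "link_type": "ether"},
    {"ifname": "vrf-red", "link_type": "ether",
     "linkinfo": {"info_kind": "vrf", "info_data": {"table": 100}}},
    {"ifname": "vrf-blue", "link_type": "ether",
     "linkinfo": {"info_kind": "vrf", "info_data": {"table": 250}}},
])


def get_vrf_table_id(vrf_name: str, ip_link_json: Optional[str] = None) -> int:
    """Map a VRF device name to its routing table ID.

    ip_link_json lets the lookup run offline; when omitted the function runs
    `ip -j -d link show dev <name>`.  Non-VRF interfaces raise KeyError on
    purpose: a plain link has no table to return and guessing would be wrong.
    """
    if ip_link_json is None:
        ip_link_json = subprocess.run(
            ["ip", "-j", "-d", "link", "show", "dev", vrf_name],
            capture_output=True, text=True, check=True).stdout
    for link in json.loads(ip_link_json):
        if link.get("ifname") != vrf_name:
            continue
        if link.get("linkinfo", {}).get("info_kind") != "vrf":
            raise KeyError(f"{vrf_name} is not a VRF device")
        return int(link["linkinfo"]["info_data"]["table"])
    raise KeyError(f"no such interface: {vrf_name}")


def verify_pbr_target(rule: dict) -> List[str]:
    """Validation for a rule's 'set table' / 'set vrf' (assumed key names)."""
    errors = []
    table, vrf = rule.get("table"), rule.get("vrf")
    if (table is None) == (vrf is None):
        errors.append("exactly one of 'table' or 'vrf' must be set")
    if table is not None and not 1 <= int(table) <= PBR_MAX_TABLE_ID:
        errors.append(f"table {int(table)} outside 1..{PBR_MAX_TABLE_ID}; "
                      "target the VRF by name instead")
    return errors


def resolve_pbr_target(rule: dict, ip_link_json: Optional[str] = None) -> int:
    """Table ID the rule will actually use at runtime; VRF names bypass the cap."""
    errors = verify_pbr_target(rule)
    if errors:
        raise ValueError("; ".join(errors))
    if rule.get("vrf") is not None:
        return get_vrf_table_id(rule["vrf"], ip_link_json)
    return int(rule["table"])


if __name__ == "__main__":
    print(resolve_pbr_target({"vrf": "vrf-blue"}, SAMPLE_IP_LINK_JSON))   # 250, above the cap
    print(verify_pbr_target({"table": 250}))
    print(verify_pbr_target({"table": 100, "vrf": "vrf-red"}))
```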
|
|
In order to properly build and test the code that is to be "merged in",
we need to run this action on the source branch of the PR (pull_request) and
not the target branch of the PR (pull_request_target)
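An illustrative workflow for the trigger choice described above; this is an added example, not the vyos-1x repository's own workflow file, and the branch name and `make test` target are assumptions. With `pull_request`, actions/checkout defaults to the PR's merge ref (`refs/pull/<n>/merge`, the source branch merged into the target), and a fork's PR runs with a read-only token and no repository secrets. The security caveat behind that split: `pull_request_target` runs in the base repository's context with its secrets, so combining it with an explicit checkout of `github.event.pull_request.head.sha` would execute untrusted fork code with those secrets; keep that trigger for workflows that never check out or run PR code.

```yaml
# Illustrative workflow (not the project's own .github/workflows file)
name: smoketest
on:
  pull_request:              # fork PRs run with a read-only token and no secrets
    branches: [current]      # assumed target branch name
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref under pull_request: refs/pull/<n>/merge
      - run: make test              # assumed project test target
```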
|
|
vyos.configtree: T6620: allow list_nodes() to work on non-existent paths
|
|
and return an empty list in that case
(handy for migration scripts and the like)
|
|
T6362: Create conntrack logger daemon
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
firewall: T4694: incomplete node checks in migration script
|
|
This patch on #3616 will only attempt to fix ipsec matches in rules if the
firewall config tree passed to migrate_chain() has rules attached.
|
|
T6349: Fix typo in file name
|
|
|
|
smoketest: T6592: remove unused "import os"
|
|
smoketest: T6614: initial support for op-mode command testing
|
|
smoketest: T5705: use locally connected remote syslog servers
|
|
Strongswan does not initiate the session after termination via vici.
Added CHILD SA initialization on the initiator side
of the tunnel.
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
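The two validator checks the commit message above describes, jump-target loop detection and rejecting match-ipsec-in anywhere beneath an output-hooked chain, written as an added example rather than the project's own verify code. The chain model is a constructed dict (chain name to a list of rule dicts; `jump-target`, `match-ipsec-in` and `match-ipsec-out` keys are assumed names), so the config-tree access of the real script is not reproduced. Cycles are found with a depth-first search that reports each back-edge; the IPsec check walks every chain reachable from the output hook, however deeply nested, exactly because a jump can hide the match several levels down.

```python
from collections import deque
from typing import Dict, List

# Constructed firewall configs (not from any real router).
BAD_CHAINS = {
    "output": [{"jump-target": "svc"}],
    "svc":    [{"match-ipsec-in": True}, {"jump-target": "loop"}],
    "loop":   [{"jump-target": "svc"}],             # svc -> loop -> svc
    "input":  [{"match-ipsec-in": True}],           # fine: input hook
}
GOOD_CHAINS = {
    "output": [{"jump-target": "svc"}],
    "svc":    [{"match-ipsec-out": True}],           # the -out variant belongs here
    "input":  [{"match-ipsec-in": True}],
}


def find_jump_cycles(chains: Dict[str, List[dict]]) -> List[str]:
    """DFS over jump-target edges; one error per back-edge (cycle) and per dangling target."""
    errors, state, path = [], {}, []

    def visit(name: str) -> None:
        state[name] = "grey"             # on the current DFS path
        path.append(name)
        for rule in chains.get(name, []):
            target = rule.get("jump-target")
            if target is None:
                continue
            if target not in chains:
                errors.append(f"chain {name}: jump-target {target} does not exist")
            elif state.get(target) == "grey":
                cycle = path[path.index(target):] + [target]
                errors.append("cyclic jump: " + " -> ".join(cycle))
            elif target not in state:
                visit(target)
        path.pop()
        state[name] = "black"            # fully explored

    for name in chains:
        if name not in state:
            visit(name)
    return errors


def reachable_chains(chains: Dict[str, List[dict]], start: str) -> set:
    """All chains reachable from `start` via jumps; the seen-set keeps loops finite."""
    seen, queue = {start}, deque([start])
    while queue:
        for rule in chains.get(queue.popleft(), []):
            target = rule.get("jump-target")
            if target in chains and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def find_bad_ipsec_matches(chains: Dict[str, List[dict]], output_hook: str = "output") -> List[str]:
    """match-ipsec-in under an output-hooked chain is always an error, at any depth."""
    errors = []
    for name in sorted(reachable_chains(chains, output_hook)):
        for idx, rule in enumerate(chains.get(name, []), 1):
            if "match-ipsec-in" in rule:
                errors.append(f"chain {name} rule {idx}: match-ipsec-in is not valid "
                              "under an output-hooked chain")
    return errors


def verify_jump_targets(chains: Dict[str, List[dict]]) -> List[str]:
    return find_jump_cycles(chains) + find_bad_ipsec_matches(chains)


if __name__ == "__main__":
    for err in verify_jump_targets(BAD_CHAINS):
        print(err)
    print(verify_jump_targets(GOOD_CHAINS))   # []
```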
|
|
As there was no route to the configured syslog servers, smoketests produced:
rsyslogd: omfwd: socket 8: error 101 sending via udp: Network is unreachable
Instead, use some fake syslog servers from 127.0.0.0/8, which are directly
connected so we do not need to look up a route; this suppresses the above
error message.
|
|
|
|
op_mode: T5744: PKI import OpenVPN shared key includes unexpected BEGIN and END
|