Age | Commit message (Collapse) | Author |
|
Changing the public key of a peer (updating the key material) left the old
WireGuard peer in place, as the key removal command used the new key.
WireGuard only supports peer removal based on the configured public-key;
deleting the entire interface is the shortcut instead of parsing out all
peers and removing them one by one.
Peer reconfiguration will always come with a short downtime while the WireGuard
interface is recreated.
|
|
After commit cc7ba8824 ('vxlan: T5699: migrate "external" CLI knob to
"parameters external"') we also need to adjust the testcase for ARP/ND
suppression.
|
|
T1797: Delete VPP from vyos-1x as it is implemented in addon
|
|
Fix commit 51abbc0f1b2 ("T5681: Firewall,Nat and Nat66: simplified and
standardize interface matcher (valid for interfaces and groups) in firewall, nat
and nat66") that added a migrator but did not bump the version number.
|
|
This extends commit 6248b2ae1 ("T5558: smoketest: fix nat definitions on
dialup-router-medium-vpn") that missed out the eth1 interface.
|
|
vxlan: T5668: add CLI knob to enable ARP/ND suppression
|
|
vxlan: T5699: migrate "external" CLI knob to "parameters external"
|
|
As we have a bunch of options under "parameters" already and "external" is
clearly one of them, it should be migrated under that node as well.
|
|
In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.
[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
|
|
T5558: smoketest: fix nat definitions on dialup-router-medium-vpn.
|
|
T5513: firewall: update op-mode command show firewall.
|
|
logfile
|
|
Try to have as few calls to sudo in the op-mode scripts as possible. The XML
definitions can deal with it.
|
|
This makes the code easier to maintain in the future if everyone uses the
same structure when calling journalctl.
|
|
T5661: Add show show ssh dynamic-protection attacker and show log ssh…
|
|
default actions and extend references for firewall groups
|
|
T5681: Firewall,Nat and Nat66: simplified and standardize interface matcher
|
|
T5683: Fix reverse-proxy PKI filenames mismatch
|
|
(valid for interfaces and groups) in firewall, nat and nat66.
|
|
The current names for certificates are hardcoded in the generated config to:
- ca.pem
- cert.pem.key
- cert.pem
This causes the certificates in the generated config and the certificates
themselves to be different (test-cert-1.pem and ca.pem)
bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem
/run/haproxy/ca.pem
It is a bug of the initial implementation. The fix requires the correct names
from PKI certificates.
|
|
T5643: nat: add interface-groups to nat. Use same cli structure for i…
|
|
T5675: Use addr_prefix instead of addr in NAT66 source rule prefix parsing
|
|
T5677: show lldp neighbors shows empty platform if descr not in lldpctl output
|
|
T5299: Add missed option ceiling for QoS shaper
|
|
vxlan: T5671: change port to IANA assigned default port
|
|
Add missed option `ceil` for QoS class 'trafficshaper'
|
|
scripts: T5672: remove the conf mode node.def importer
|
|
dynamic-protection
|
|
T5667: BGP label-unicast enable ecmp
|
|
T5642: op-cmd: correction of generated file name
|
|
Currently the VyOS VXLAN implementation uses the Linux assigned port 8472 that
predates the IANA assignment. As most other vendors use the IANA assigned port,
follow this guideline and use the new default port 4789.
Existing configurations not defining an explicit port number will be migrated
to the old default port number of 8472, keeping existing configurations working!
|
|
bridge: T5670: add missing constraint on "member interface" node
|
|
T5541: firewall zone: re add firewall zone-base firewall
|
|
cluster: T2897: add a migration script for converting cluster to VRRP
|
|
T5637: add new rule at the end of base chains for default-actions and log capabilities
|
|
We have had a mix of both string and list arguments to conf.exists(),
streamline this to only make use of list calls.
|
|
One could specify a bridge member of VXLAN1 interface, but it is not possible
to create a VXLAN interface with the name of VXLAN1 - prohibited by VXLAN
interface name validator.
Add missing interface-name validator code
|
|
T4913: migrate wireless scripts to new op-mode style
|
|
pmacct: T5232: Fixed socket parameters for trigger-packets
|
|
This fixes sending packets to uacctd using a socket.
|
|
|