Age | Commit message (Collapse) | Author |
|
specified, in order to ensure same behavior as in Equuleus
|
|
T5722: Failover route add option onlink
|
|
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates
|
|
server certificates
|
|
pki: T6241: Fix dependency updates on PKI changes
|
|
onlink pretend that the nexthop is directly attached to this link,
even if it does not match any interface prefix.
Useful when gateway not in the same interface network
set interfaces ethernet eth0 vif 10 address '10.20.30.1/32'
set protocols static route 10.20.30.0/32 interface eth0.10
set protocols failover route 192.0.2.11/32 next-hop 10.20.30.0 onlink
```
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 metric 1 proto failover
Error: Nexthop has invalid gateway.
[edit]
vyos@r4#
[edit]
vyos@r4# sudo ip route add 192.0.2.111/32 via 10.20.30.0 dev eth0.10 onlink metric 1 proto failover
[edit]
vyos@r4#
```
|
|
T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-optinos
|
|
|
|
T5734: OpenVPN check PKI DH name exists if DH configured
|
|
to firewall global-optinos
|
|
Check if DH is configured for OpenVPN but does not exist in the
PKI section
```
set pki dh dh-correct parameters 'xxxx'
set interfaces openvpn vtun10 tls dh-params 'dh-fake'
File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki
pki_dh = pki['dh'][tls['dh_params']]
~~~~~~~~~^^^^^^^^^^^^^^^^^^
KeyError: 'dh-fake'
```
|
|
qos: T6035: QoS policy shaper queue-type random-detect requires limit avpkt
|
|
T6100: Added NAT migration from IP/Netmask to Network/Netmask
|
|
T5872: fix ipsec dhclient hook uses "exit" instead of "return"
|
|
|
|
T6235: Git update actions-label-merge-conflict version
|
|
Update `actions-label-merge-conflict` due to `Node.js 16 actions are deprecated.`
|
|
Added params for configuration red on the shaper policy
|
|
fails (#3296)
|
|
Added NAT migration from IP/Netmask to Network/Netmask.
In 1.3 allowed using IP/Netmask in Nat rules.
In 1.4 and 1.5 it is prohibited. Allowed Network/Netmask.
|
|
T5871: ipsec remote access VPN: specify "cacerts" for client auth
|
|
|
|
T6222: VRRP show prefix for long rfc3768-compatibility interfaces allow prefix vrrp
|
|
firewall: T6216: replace plus symbols (allowed by IPset but not NFT) in group names with underscores
|
|
T5169: Add PoC for generating CGNAT rules rfc6888
|
|
T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i>
|
|
errors when using character <+> in 1.3 in firewall groups and custom firewall chains.
|
|
If we use rfc3768-compatibility with long interface names like
eth1.100.200 it converts the VRRP interface name name
to `<interface>v<VRID><IP version>`
For example `eth2.100.200v10v4`
The limit for interface name is 15 symbols and it causes that
interface name is ignoring by keepalived
VMAC interface name 'eth2.100.200v10v4' too long or invalid characters - ignoring
And it uses the default prefix `vrrp` for such cases.
It works fine, but such interfaces are not displayed in the op-mode
Allow prefix `vrrp` for the op-mode for `show interfaces`
|
|
container: T6218: fix host IPv6 link-local address for VRF networks
|
|
|
|
in order to not allow string starting with dot character; use such constraint in firewall group definitions.
|
|
|
|
Add PoC for generating CGNAT rules
https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, but some of them.
Implemented:
REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP
address mapping for all sessions associated with the same internal
IP address, be they TCP, UDP, ICMP, something else, or a mix of
different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size
or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per
subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
|
|
T6199: add missing build dependency
|
|
|
|
T5858: Fix op-mode format for show conntrack statistics
|
|
|
|
T6207: restore ability to copy config.boot.default on image install
|
|
|
|
|
|
kea: T3316: T6163: Ensure correct permissions on lease files
|
|
|
|
ethernet: T5862: default MTU is not acceptable in some environments
|
|
login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'
|
|
|
|
container: T6208: fix AttributeError: 'ConfigDict' object has no attribute 'upper'
|
|
'upper'
Commit b30faa43c (container: T6208: rename "cap-add" CLI node to "capability")
added an AttributeError referencing an out of scope variable.
This has been fixed.
|
|
Commit a5ccc06c0 ("ipoe: T6205: error in migration script logic while renaming
mac-address to mac node") added a conditional path into the config which could
result in the migrated config not beeing written if precondition was not met.
|
|
container: T6208: rename "cap-add" CLI node to "capability"
|
|
Commit 1b364428f ("login: T5875: restore home directory permissions only when
needed") added logic to chown the users home directory if it's UID changes.
This might happen when a user account is deleted and re-added to the system.
Under rar e circumstances it was possible that the implementation triggered
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'getpwuid(): uid not found: XXXX'
This has been fixed by re-arranging the code path with an additional try/except
if the PW database information could not be retrieved leading to an implicit
chown() of the home directory to the user beeing added.
|