Age | Commit message (Collapse) | Author |
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
T5448: Add configuration host-name for zabbix-agent
|
|
T5472: nat redirect: allow redirection without defining redirected port
|
|
T5463: Container allow publish listen-addresses
|
|
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
|
|
Helper functions can and will be re-use din different code places.
|
|
T5450: allow inverted matcher for interface and interface-group
|
|
|
|
Ability to publish multiple IP/IPv6 addresses for container
set container name c1 port web destination '80'
set container name c1 port web listen-address '192.0.2.1'
set container name c1 port web listen-address '2001:db8:1111::1'
set container name c1 port web source '8080'
--publish 192.0.2.1:8080:80/tcp --publish [2001:db8:1111::1]:8080:80/tcp
|
|
firewall cli
|
|
Ability to configure host-name for zabbix-agent
set service monitoring zabbix-agent host-name 'r-vyos'
|
|
T5447: Initial support for MACsec static keys
|
|
T5478: remove config-trap configuration parser in firewall
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
|
|
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation
mode").
|
|
|
|
|
|
Commit 77ef9f800 ("T5466: L3VPN label allocation mode") added support for a new
CLI node that is added "label vpn export allocation-mode per-nexthop" to FRRs
running configuration. Unfortunately the smoketest contained a trailing
whitespace and the above mentioned line could not be evaluated to true.
|
|
his extends commit b9655365b ("login: T5490: add stricter validation for
home-directory path") by adding a dot to the REGEX allow list.
This was previously allowed and covered in out smoketests which failed.
|
|
|
|
|
|
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
|
|
Provides a per-device control to enable/disable the threaded mode for all the
napi instances of the given network device, without the need for a device
up/down.
|
|
Using threaded as CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probing if
the option is set. There is a base test which requires at least one peer
to be configured.
|
|
T5488: Set correct priority -300 for conntrack entries
|
|
|
|
|
|
For conntrack ignore priority must be less then -200
|
|
|
|
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b
A DHCP relese must also be originated from the VRF where the dhclient program is
running, else the RELEASE message can not be send through the interface towards
the DHCP server.
The reason it did not work in the past was because of https://vyos.dev/T5476
|
|
T5466: L3VPN label allocation mode
|
|
|
|
netplug: T5476: rewrite dhclient helper from Perl -> Python
|
|
dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
|
|
There are two hooks called for bridge, ethernet and bond interfaces if the
link-state changes up -> down or down -> up.
The helpers are:
* /etc/netplug/linkdown.d/dhclient
* /etc/netplug/linkup.d/dhclient
As those helpers use Linux actions to start/restart the dhclient process in
Perl it's time to rewrite it. First goal is to get rid of all Perl code and the
second is that we now have a Proper Python library. Instead of checking if the
process is running the then restarting it without even systemd noticing
(yeah we might get two processes beeing alive) we should:
* Add a Python helper that can be used for both up and down (see man 8 netplugd
FILES section)
* Query the VyOS CLI config if the interface in question has DHCP(v6)
configured and is not disabled
* Add IPv6 DHCPv6 support
MAN page: https://linux.die.net/man/8/netplugd
|
|
|
|
|
|
in OpenVPN site-to-site mode
|
|
|
|
The condition is useless since OpenVPN simply switches to ECDH in all modes
when the classic DH prime is not specified
|