Age | Commit message (Collapse) | Author |
|
openvpn: T3214: fix server-ipv6 and nopool handling
|
|
T4502: firewall: Add software flow offload using flowtable
|
|
|
|
Add the ability to use the option all for remove-private-as.
Remove private ASNs in outbound updates.
all - Apply to all AS numbers
set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all
|
|
T3655: Fix NAT problem with VRF
|
|
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/
adds direction support for conntrack zones, which makes it possible to
do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host.
According to the description of the kernel patch:
> ... overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
I did some basic tests in my lab and it worked fine to forward packets
from eth0 to pppoe0.
- eth0 192.168.1.1/24 in VRF red
- pppoe0 dynamic public IP from ISP VRF default
- set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default'
- set protocols static route 192.168.1.0/24 interface eth0 vrf 'red'
`conntrack -L` shows something like:
```
tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1
```
It would be much appreciated if someone could test this with more
complex VRF setup.
|
|
|
|
T5518: Add basic MLD support
|
|
The following commands will enable nftables flowtable offload on interfaces eth0 eth1:
```
set firewall global-options flow-offload software interface <name>
set firewall global-options flow-offload hardware interface <name>
```
Generated nftables rules:
```
table inet vyos_offload {
flowtable VYOS_FLOWTABLE_software {
hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 };
counter
}
chain VYOS_OFFLOAD_software {
type filter hook forward priority filter - 1; policy accept;
ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
}
}
```
Use this option to count packets and bytes for each offloaded flow:
```
set system conntrack flow-accounting
```
To verify a connection is offloaded, run
```
cat /proc/net/nf_conntrack|grep OFFLOAD
```
This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
|
|
T4072: add firewall bridge filtering.
|
|
Currently VyOS has `protocol igmp` option to enable IGMP querier and reports through FRR's pimd.
I would like to add support for IPv6 as well since FRR's IPv6 multicast functionality has significantly improved.
Enabling both MLD and IGMP on a VyOS router will allow us to turn on multicast snooping on layer-3 switches in dual-stack networks.
Example commands:
```
// Enable on interface eth0
set protocols pim6 interface eth0
// Explicitly join multicast group ff18::1234 on interface eth1
set protocols pim6 interface eth1 mld join ff18::1234
// Explicitly join source-specific multicast group ff38::5678 with source address 2001:db8::1 on interface eth1
set protocols pim6 interface eth1 mld join ff38::5678 source 2001:db8::1
```
|
|
forward chain and few matchers. Should be extended in the future.
|
|
conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups
|
|
interface: T5550: Interface source-validation priority over global value
|
|
T5480: Ability to disable SNMP for keepalived service VRRP
|
|
|
|
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
|
|
T5548: Fix load-balancing reverse-proxy timeouts
|
|
T2958: Fix path for leases to config directory
|
|
By default we enable `--snmp` for keepalived unit service
Add ability to disable it
set high-availability vrrp disable-snmp
|
|
The leases path should be in `/config` directory to save leases
between reboots.
The typo was in this commit c07055258b853de641d2a1353582800b24c514d2
Before this the idea was to get leases from `/run` directory only
for livecd images. But then we added `/config` directory for livecd.
PR was modified and incorrect variable directory `/run` was used.
Fix it.
|
|
By default haproxy uses timeouts in millisecond but we set timeouts
in seconds from CLI
Fix template to use 'seconds' units
|
|
T2958: Refactor DHCP-server systemd unit and lease
|
|
Render isc-dhcp-server systemd unit from configuration
|
|
add IPv6 support and firewall groups
|
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
Ability to configure host-name for zabbix-agent
set service monitoring zabbix-agent host-name 'r-vyos'
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation
mode").
|
|
This reverts commit 9afcea251bdc895ffd49cb11f455fd636fdf817b
A DHCP relese must also be originated from the VRF where the dhclient program is
running, else the RELEASE message can not be send through the interface towards
the DHCP server.
The reason it did not work in the past was because of https://vyos.dev/T5476
|
|
|
|
|
|
The condition is useless since OpenVPN simply switches to ECDH in all modes
when the classic DH prime is not specified
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
that contains fqnd and/or geo-ip in base chains. Fix mig script
|
|
|
|
scripts and src firewall
|
|
T5448: Add service zabbix-agent
|
|
|
|
Add service zabbix-agent
set service zabbix-agent directory '/config/zabbix/'
set service zabbix-agent limits buffer-flush-interval '8'
set service zabbix-agent limits buffer-size '120'
set service zabbix-agent log debug-level 'warning'
set service zabbix-agent log size '1'
set service zabbix-agent server '192.0.2.5'
set service zabbix-agent server-active 192.0.2.5 port '10051'
set service zabbix-agent server-active 2001:db8::123
|
|
Otherwise packet can be received in a VRF that was already deleted.
Image of the following CLI commands:
del interface ethernet eth0 address dhcp
del interface ethernet eth0 vrf red
del vrf name red
VRF could be deleted even if dhclient release was not yet completely
processed.
|
|
order to avoid empty value and problems when removing such parameters
|