Commit message

firewall and in policy route
* firewall:
firewall: T4651: re-implement packet-length CLI option to use <multi/>
firewall: T3568: improve default-action help string
firewall: T3568: add XML include block for eq,gt,lt options
smoketest: firewall: add re-usable variables when running testcases
Firewall: T4651: Change proposed cli from ip-length to packet-length
Firewall: T4651: Add options to match packet size on firewall rules.

Fixes several bugs around bonding member interface states not matching
the committed configuration, including:
- Disabled removed interfaces coming back up
- Newly added disabled interfaces not staying down
- Newly added interfaces not showing up in the bond

* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
Firewall: T4651: Change proposed cli from ip-length to packet-length
Firewall: T4651: Add options to match packet size on firewall rules.

This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix
default action 'drop' for the firewall") in a way that we can now also use the
XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This
is a much cleaner approach which also adds the default value automatically to
the CLI's completion helper ("?").

opmode: T4657: fixed opmode with return type hints

firewall: T4655: Fix default action 'drop' for the firewall

This commit excludes `return` from `typing.get_type_hints()` output,
which allows generating argparse arguments for a function properly.

Commit 31169fa8a763e ("vyos.ifconfig: T3619: only set offloading options if
supported by NIC") added the new implementation which handles NIC offloading.
Unfortunately every single implementation was copied from "gro" which resulted
in a change to gro for each offloading option - thus options like lro, sg, tso
had no effect at all.
It all comes down to copy/paste errors ... one way or another.

For some reason, after the firewall rewrite, we have default
action 'accept' for 1.4 and default action 'drop' for 1.3.
Fix this issue: set default action 'drop'.

is set
Adds a sysctl parameter to ignore the default router obtained from router
advertisements when pppoe no-default-route is set.

ipsec: T4594: Rewrite op-mode 'show vpn ipsec sa' to the new format

Sometimes we are only interested in the parent interfaces without any VLAN
subinterfaces. Extend the API with a vlan argument that defaults to True to
keep the current behavior in place.

firewall: T4622: Add TCP MSS option

A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Results in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed

The VLAN aware bridge was forwarding traffic between member ports, but traffic
destined towards the CPU was dropped. This resulted in a gateway not being reachable
or DHCP leases that could not be handed out.
Tested via:
VyOS
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '10'
set interfaces bridge br0 member interface eth1 allowed-vlan '20'
set interfaces bridge br0 member interface eth1 allowed-vlan '30'
set interfaces bridge br0 member interface eth1 allowed-vlan '40'
set interfaces bridge br0 member interface eth1 native-vlan '40'
set interfaces bridge br0 member interface eth2 allowed-vlan '30'
set interfaces bridge br0 member interface eth2 allowed-vlan '20'
set interfaces bridge br0 member interface eth2 allowed-vlan '10'
set interfaces bridge br0 member interface eth2 allowed-vlan '40'
set interfaces bridge br0 vif 10 address '10.0.10.1/24'
set interfaces bridge br0 vif 20 address '10.0.20.1/24'
set interfaces bridge br0 vif 30 address '10.0.30.1/24'
set interfaces bridge br0 vif 40 address '10.0.40.1/24'
Arista vEOS
vlan 10,20,30,40
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
interface Vlan10
ip address 10.0.10.2/24
interface Vlan20
ip address 10.0.20.2/24
interface Vlan30
ip address 10.0.30.2/24
interface Vlan40
ip address 10.0.40.2/24
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
spanning-tree portfast
Cisco vIOS
interface GigabitEthernet0/0
ip address 10.0.40.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.10.3 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.20.3 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.30.3 255.255.255.0
!

We check the listen port before committing the service, to see if the port is
available and not bound, but when we start openconnect our own port becomes
bound by the "ocserv-main" process and the next commit fails as the
port is already bound.
To fix it, extend the check: if the port is already bound, verify that it is not
our own "ocserv-main" process.

Ability to drop|accept packets based on TCP MSS size
set firewall name <tag> rule <tag> tcp mss '501-1460'

T2719: add an exception hierarchy for op mode errors

Convert multiple types of data to types usable in CLI
For example 'vici' returns values in bytestring/bytes and we can
decode them all at once.

on error

We should not print the entire dictionary - we only need the bridge interface
name:
Bug:
Cannot assign address to interface "eth1" as it is a member of bridge
"{'br0': {'allowed_vlan': ['5-50', '101'], 'native_vlan': '101'}}"!
Fixed:
Cannot assign address to interface "eth1" as it is a member of bridge
"br0"!

Ability to get the MTU from the DHCP server and not touch it on
any interface change if 'dhcp-options mtu' is configured on the
interface.

... otherwise functionality like bridge VLANs will lose configuration
on member interface update (e.g. description).

The Interface() base class already takes care of VLAN creation/removal for
newly added or no longer required interfaces. No need to code this logic again.

This reverts commit fdeae251431cb747e8f60d96269b4365b7401807.

It is useful to have both a return code and output of the command
Add a new wrapper "rc_cmd" that returns both
% rc_cmd('uname')
(0, 'Linux')
% rc_cmd('ip link show dev fake')
(1, 'Device "fake" does not exist.')

T2719: prototype of an op mode command runner based on type hints and introspection

Signed-off-by: Daniil Baturin <daniil@vyos.io>

Removing a VRF from an ethernet interface and adding the interface to a
bond in the same commit led to an OSError: [Errno 16] Device or resource busy!

This extends commit 39157912 ("vyos.configdict(): T4228: is_member() must use
the "real" hardware interface") and returns the config dict of the used member
interfaces.

It makes no sense to enslave an interface to a bond or a bridge device if it is
bound to a given VRF. If VRFs should be used, the encapsulating/master
interface should be part of the VRF.
Error out if the member interface is part of a VRF.

Commit 39157912 ("vyos.configdict(): T4228: is_member() must use the "real"
hardware interface") added a bugfix on calling is_member() to retrieve the real
physical information about an interface. It did not include a code path to also
split up VLAN interfaces.
This has been fixed.

The Linux kernel supports specifying the MII link monitoring frequency in
milliseconds. This determines how often the link state of each slave is
inspected for link failures. A value of zero disables MII link monitoring.
A value of 100 is a good starting point.
The default value is 100.
set interfaces bonding bond0 mii-mon-interval <n>

When is_member() is inspecting the bridge/Bond member interfaces it must work
with the real interface (e.g. eth1) under the "ethernet" node and not work on
the "member interface eth1" CLI tree, that makes no sense at all.

The code path for changing the interval is never executed.

Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644.
By default Linux kernel doesn't forward directed broadcast
packets unless both of `/proc/sys/net/ipv4/conf/all/bc_forwarding`
and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.