Age | Commit message (Collapse) | Author |
|
... otherwise functionality like bridge VLANs will loose configuration
on membe rinterface update (e.g. description)
|
|
|
|
Interface() base class already takes care about VLAN creation/removal of
newly added or no longer required interfaces. No need to code this logic again.
|
|
This reverts commit fdeae251431cb747e8f60d96269b4365b7401807.
|
|
It is useful to have both a return code and output of the command
Add a new wrapper "rc_cmd" that returns both
% rc_cmd('uname')
(0, 'Linux')
% rc_cmd('ip link show dev fake')
(1, 'Device "fake" does not exist.')
|
|
|
|
|
|
T2719: prototype of an op mode command runner based on type hints and introspection
|
|
|
|
|
|
Signed-off-by: Daniil Baturin <daniil@vyos.io>
|
|
|
|
When removing a VRF from an ethernet interface and adding the interface to a
bond in the same commit led to an OSError: [Errno 16] Device or resource busy!
|
|
This extends commit 39157912 ("vyos.configdict(): T4228: is_member() must use
the "real" hardware interface") and returns the config dict of the used member
interfaces.
|
|
It makes no sense to enslave an interface to a bond or a bridge device if it is
bound to a given VRF. If VRFs should be used - the encapuslating/master
interface should be part of the VRF.
Error out if the member interface is part of a VRF.
|
|
|
|
Commit 39157912 ("vyos.configdict(): T4228: is_member() must use the "real"
hardware interface") added a bugfix on calling is_member() to retrieve the real
physical information about an interface. It did not include a code path to also
split up VLAN interfaces.
This has been fixed.
|
|
Linux Kernel supports to specify the MII link monitoring frequency in
milliseconds. This determines how often the link state of each slave is
inspected for link failures. A value of zero disables MII link monitoring.
A value of 100 is a good starting point.
The default value is 100.
set interfaces bonding bond0 mii-mon-interval <n>
|
|
When is_member() is inspecting the bridge/Bond member interfaces it must work
with the real interface (e.g. eth1) under the "ethernet" node and not work on
the "member interface eth1" CLI tree, that makes no sense at all.
|
|
|
|
The code path for changing the interval is never executed.
|
|
Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644.
By default Linux kernel doesn't forward directed broadcast
packets unless both of `/proc/sys/net/ipv4/conf/all/bc_forwarding`
and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.
|
|
Since Python as of 3.9 doesn't give us an option to look up
argument's default value by its name,
this implementation requires that all boolean options
must default to false.
|
|
|
|
openvpn: T4485: Accept multiple tls ca-certificate values
|
|
Interface should receive an auto generated link-local IPv6 address as we do
with all VyOS interfaces by default.
|
|
* Also determines and maps to correct CA for migrated CRL
|
|
This PR adds an config option to enable/disable IGMP/MLD snooping.
```
set interfaces bridge brN igmp snooping
```
|
|
|
|
Error introduced by commit 85d6c8f7c ("vyos.configdict: T4391: enable
get_interface_dict() ti be used with ConfigTreeQuery()"). Reason was the
still in use relative path on calls to node_changed(), these got
replaced with absolute config paths and the new implementation if
is_node_changed().
|
|
Commit a2ab95ff68b ("pppoe: T4384: replace default-route CLI option with common
CLI nodes already present for DHCP") had an issue as the PPPoE interface options
and also DHCP interface options did not honor the no-default-route option.
This has been fixed.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Refactor nftables clean-up code
* Adds policy route test for using firewall groups
|
|
|
|
firewall: T478: Add support for nesting groups
|
|
|
|
|
|
Firewall: T3907: add log-level options in firewall
|
|
firewall: T970: Add firewall group domain-group
|
|
based on type hints and introspection
|
|
|
|
|
|
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|