Age | Commit message (Collapse) | Author |
|
T5533: Fix VRRP IPv6 group enters in FAULT state
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it
|
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
T5531: Containers add label option
|
|
Ability to set labels for container
set container name c1 allow-host-networks
set container name c1 image 'busybox'
set container name c1 label mypods value 'My label for containers'
|
|
|
|
firewall: T5080: Disable conntrack unless required by rules
|
|
|
|
|
|
firewall: T3509: Add support for IPv6 reverse path filtering
|
|
interface-name or interface-group
|
|
|
|
|
|
Fix for add IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
Configuring "set system ip protocol ospf|bgp route-map foo" and commit it
installs the route-map into FRR. Removing the CLI configuration "delete system
ip protocol" does not remove the route-map from FRR - it stays active.
This commit adds the fix and appropriate smoketests extenstion.
|
|
system-ip: T5449: add TCP MSS probing options
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
T5472: nat redirect: allow redirection without defining redirected port
|
|
T5463: Container allow publish listen-addresses
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
|
|
Helper functions can and will be re-use din different code places.
|
|
|
|
Ability to publish multiple IP/IPv6 addresses for container
set container name c1 port web destination '80'
set container name c1 port web listen-address '192.0.2.1'
set container name c1 port web listen-address '2001:db8:1111::1'
set container name c1 port web source '8080'
--publish 192.0.2.1:8080:80/tcp --publish [2001:db8:1111::1]:8080:80/tcp
|
|
T5447: Initial support for MACsec static keys
|
|
T5478: remove config-trap configuration parser in firewall
|
|
|
|
|
|
|
|
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
|
|
|
|
|
|
|
|
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
|
|
Using threaded as CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probing if
the option is set. There is a base test which requires at least one peer
to be configured.
|
|
|
|
dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
|
|
|
|
in OpenVPN site-to-site mode
|
|
|
|
|
|
config
To reproduce:
set vrf name red table 2000
set vrf name red protocols ospf interface eth1 area 0
set vrf name red protocols ospf parameters router-id 1.1.1.1
set interfaces ethernet eth1 vrf red
commit
FRR now has an interface config
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
Now delete the interface from the OSPF(v3) or ISIS process
delete vrf name red protocols ospf interface
commit
It's still there
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
!
Issue was caused in the FRR vtysh representation of an interface. It used to
have a "vrf <name>" marker in earlier versions but FRR 8.5 and later no longer
have the marker. So "interface eth1 vrf red" became "interface eth1" in vtysh,
but our regex expected the "vrf" identifier when modifying FRR config.
|
|
T5160: Firewall refactor
|
|
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
|
|
scripts and src firewall
|
|
Move 'service zabbix-agent'
=> 'service monitoring zabbix-agent'
|
|
openvpn: T5270: do not require classic DH params in any mode
|