| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
By default SSTP bind port '443' and this port can be used by
another service like 'service https' or 'vpn openconnect'
Check if port bound to another service
|
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Reuslts in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
|
|
|
|
If Nginx address/port is already binded to another service
(for exampmle openconnect default port 443)
https api cannot start and we don't see any error in the output.
Add this check before applying service/commit
|
|
We check listen port before commit service if is port available and
not bounded, but when we start openconnect our own port starts be
bounded by "ocserv-main" process and next commit will be fail as
port is already bound
To fix it, extend check if port already bonded and it is not our
self process "ocserv-main"
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
|
|
upnp: T4613: Verify listen key in dictionary
|
|
There is no check if 'listen' is exist in the dictionary, fix it
Fix odd ValueHelp format
|
|
|
|
nat66: T4598: Add exclude options in nat66
|
|
|
|
Check if openconnect listen port is available and not used by
another service
|
|
|
|
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
|
|
|
|
After commit 85d6c8f7c62 ("vyos.configdict: T4391: enable get_interface_dict()
to be used with ConfigTreeQuery()") we also need to use the full path when
working with Config() as previous calls to get_interface_dict() no longer change
the level of Config().
|
|
|
|
Allows preferred lifetime for prefix advertisements to equal the
configured valid lifetime as per RFC 4861.
|
|
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
bgp: T4257: Changing BGP "local-as" to "system-as"
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
|
|
|
|
lb-wan: T4518: Add XML for conf mode load-balancing wan
|
|
vxlan: T4570: Verify MTU for remote address if source not defined
|
|
Signed-off-by: Date Huang <tjjh89017@hotmail.com>
|
|
In some cases `source_address` can be not defined in the conf
So we should to check list of `remote` vxlanX addresses
If remote address is IPv6 - add overhead +20 bytes to default
overhead 50. I.e. +70 bytes for IPv6
|
|
|
|
|
|
hosts/networks that should be ignored.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Commit 6cffe2aa82 ("bgp: T4490: Add informational message for peer withour AFI")
only checked if an address-family is configured under the neighbor statement.
This is not enough as the AFI can also be specified via a peer-group.
Add a new verify_afi() helper that checks both the neighbor and the assigned
peer-group.
|
|
|
|
|
|
It makes no sense to enslave an interface to a bond or a bridge device if it is
bound to a given VRF. If VRFs should be used - the encapuslating/master
interface should be part of the VRF.
Error out if the member interface is part of a VRF.
|
|
VRF names: "add, all, broadcast, default, delete, dev, get, inet,
mtu, link, type, vrf" are reserved and cannot be used for vrf name
|
|
When is_member() is inspecting the bridge/Bond member interfaces it must work
with the real interface (e.g. eth1) under the "ethernet" node and not work on
the "member interface eth1" CLI tree, that makes no sense at all.
|
|
disable-directed-broadcast-forwarding"
|
|
Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644.
By default Linux kernel doesn't forward directed broadcast
packets unless both of `/proc/sys/net/ipv4/conf/all/bc_forwarding`
and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.
|
|
Add XML for configuration mode "load-balancing wan" for the future
rewriting this to Python
Remove node from Makefile as Python code is not yet completed
|
|
As we have specific configuration for each plugin:
set service monitoring telegraf xxx
- azure-data-explorer
- prometheus-client
- splunk
We should to move configuration that related to influxdb under
influxdb node
Replace:
set service monitoring telegraf
- authentication xxx
- bucket xxx
- port xxx
- url
To:
set service monitoring telegraf influxdb xxx
|
|
|
|
After discussion with @zsdc this was decided the better long term fix
* Removes hourly logrotate cron in favour of systemd timer override
|
|
dns: T4509: Add dns64-prefix option
|
|
rfc6147: DNS Extensions for Network Address Translation
from IPv6 Clients to IPv4 Servers
set service dns forwarding dns64-prefix 2001:db8:aabb::/96
|
