Age | Commit message (Collapse) | Author |
|
firewall: T5080: Disable conntrack unless required by rules
|
|
|
|
|
|
firewall: T3509: Add support for IPv6 reverse path filtering
|
|
interface-name or interface-group
|
|
|
|
|
|
Fix for add IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
Configuring "set system ip protocol ospf|bgp route-map foo" and commit it
installs the route-map into FRR. Removing the CLI configuration "delete system
ip protocol" does not remove the route-map from FRR - it stays active.
This commit adds the fix and appropriate smoketests extenstion.
|
|
system-ip: T5449: add TCP MSS probing options
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
T5472: nat redirect: allow redirection without defining redirected port
|
|
T5463: Container allow publish listen-addresses
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
|
|
Helper functions can and will be re-use din different code places.
|
|
|
|
Ability to publish multiple IP/IPv6 addresses for container
set container name c1 port web destination '80'
set container name c1 port web listen-address '192.0.2.1'
set container name c1 port web listen-address '2001:db8:1111::1'
set container name c1 port web source '8080'
--publish 192.0.2.1:8080:80/tcp --publish [2001:db8:1111::1]:8080:80/tcp
|
|
T5447: Initial support for MACsec static keys
|
|
T5478: remove config-trap configuration parser in firewall
|
|
|
|
|
|
|
|
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
|
|
|
|
|
|
|
|
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
|
|
Using threaded as CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probing if
the option is set. There is a base test which requires at least one peer
to be configured.
|
|
|
|
dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
|
|
|
|
in OpenVPN site-to-site mode
|
|
|
|
|
|
config
To reproduce:
set vrf name red table 2000
set vrf name red protocols ospf interface eth1 area 0
set vrf name red protocols ospf parameters router-id 1.1.1.1
set interfaces ethernet eth1 vrf red
commit
FRR now has an interface config
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
Now delete the interface from the OSPF(v3) or ISIS process
delete vrf name red protocols ospf interface
commit
It's still there
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
!
Issue was caused in the FRR vtysh representation of an interface. It used to
have a "vrf <name>" marker in earlier versions but FRR 8.5 and later no longer
have the marker. So "interface eth1 vrf red" became "interface eth1" in vtysh,
but our regex expected the "vrf" identifier when modifying FRR config.
|
|
T5160: Firewall refactor
|
|
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
|
|
scripts and src firewall
|
|
Move 'service zabbix-agent'
=> 'service monitoring zabbix-agent'
|
|
openvpn: T5270: do not require classic DH params in any mode
|
|
T5448: Add service zabbix-agent
|
|
Generate 'dh none' instead and let OpenVPN use ECDH
|
|
|
|
Add service zabbix-agent
set service zabbix-agent directory '/config/zabbix/'
set service zabbix-agent limits buffer-flush-interval '8'
set service zabbix-agent limits buffer-size '120'
set service zabbix-agent log debug-level 'warning'
set service zabbix-agent log size '1'
set service zabbix-agent server '192.0.2.5'
set service zabbix-agent server-active 192.0.2.5 port '10051'
set service zabbix-agent server-active 2001:db8::123
|
|
T5319: remove workarounds for incorrect defaults in config-mode scripts
|
|
T5014: nat: add source and destination nat options for configuring lo…
|