Age | Commit message (Collapse) | Author |
|
fails (#3296)
|
|
T5169: Add PoC for generating CGNAT rules rfc6888
|
|
|
|
Add PoC for generating CGNAT rules
https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, but some of them.
Implemented:
REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP
address mapping for all sessions associated with the same internal
IP address, be they TCP, UDP, ICMP, something else, or a mix of
different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size
or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per
subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
|
|
|
|
ethernet: T5862: default MTU is not acceptable in some environments
|
|
login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'
|
|
|
|
'upper'
Commit b30faa43c (container: T6208: rename "cap-add" CLI node to "capability")
added an AttributeError referencing an out of scope variable.
This has been fixed.
|
|
Commit 1b364428f ("login: T5875: restore home directory permissions only when
needed") added logic to chown the users home directory if it's UID changes.
This might happen when a user account is deleted and re-added to the system.
Under rar e circumstances it was possible that the implementation triggered
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'getpwuid(): uid not found: XXXX'
This has been fixed by re-arranging the code path with an additional try/except
if the PW database information could not be retrieved leading to an implicit
chown() of the home directory to the user beeing added.
|
|
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
|
|
mac node
The problem was introduced in [1] but the config migrator part unfortunately
was added to the wrong version [2]. As IPoE config version 0 was only active
during the 1.3 development cycle and VyOS 1.3.0 was already released with config
version 1 we can safely drop the migrator 0-to-1 and move the code to 1-to-2 to
properly support upgrades from VyOS 1.3 -> 1.4 or newer.
1: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-08291bf77870abe3af8bbe3e8ce4bbf344fd0498b2c5c75a75aa7235d381c88eL168
2: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-b8bb58b75607d3653e74d82eff02442f9f3ab82698f160ba37858f7cdf6c79ccR44-R46
|
|
There are cloud environments available where the maximum supported ethernet
MTU is e.g. 1450 bytes, thus we clamp this to the adapters maximum MTU value
or 1500 bytes - whatever is lower.
|
|
bgp: T5943: BGP Peer-group members must be all internal or all external
|
|
T6068: dhcp-server: add command <set service dhcp-server high-availability mode>
|
|
|
|
mode> so user can define what type of ha use: active-active or active-passive
|
|
found using "git ls-files *.py | xargs pylint | grep W0611"
|
|
* Use interface_exists() outside of verify()
* Use verify_interface_exists() in verify() to drop common error message
|
|
configverify: T6198: add common helper for PKI certificate validation
|
|
The next evolutional step after adding get_config_dict(..., with_pki=True) is
to add a common verification function for the recurring task of validating SSL
certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
|
|
T6192: allow binding SSH to multiple VRF instances
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
|
|
|
|
system: T6193: invalid warning "is not a DHCP interface but uses DHCP name-server option"
|
|
T6178: Check that certificate exists during reverse-proxy commit
|
|
name-server option"
This fixes an invalid warning when using a DHCP VLAN interface to retrieve the
system nameserver to be used. VLAN CLI config is not properly expanded
leading to a false warning:
[ system name-server eth1.10 ]
WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option!
|
|
|
|
dhcp-server: T4718: Listen-address is not commit if the ip address is on the interface with vrf
|
|
peer-group
changed exception condition
Improved route_reflector_client test
|
|
ipsec: T5606: T5871: Use multi node for CA certificates
|
|
T5872: ipsec remote access VPN: support dhcp-interface.
|
|
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates.
Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
|
|
interface with vrf
|
|
|
|
dhcp-server high-availability>.
|
|
Users can not (FRR fails) commit the same network belonging to different OSPF
areas. Add verify() check to prevent this.
|
|
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain"
node identifying the IS-IS process name). Drop all references to "process"
variable.
Specifying:
set protocols isis interface eth1
set protocols isis net '49.0001.1921.6825.5255.00'
set protocols isis redistribute ipv4 bgp
Triggered an exception
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module>
verify(c)
File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify
f'"protocols isis {process} redistribute {afi} {proto}"!')
^^^^^^^
NameError: name 'process' is not defined
|
|
* Move global state-policy smoketest to it's own test, verify conntrack
|
|
|
|
conntrack: T4022: add RTSP conntrack helper
|
|
radvd: T6118: add nat64prefix support RFC8781
|
|
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime
must not be smaller than the "interface interval max" definition which defaults
to 600.
set service router-advert interface eth1 nat64prefix 64:ff9b::/96
|
|
|