Age | Commit message (Collapse) | Author |
|
T5496: multiple fixes for op-mode command <show firewall>
|
|
easy to read, and we get uniform output for both families, and will look the same when working with inet family in the future. Fix output of geo-ip matchers. Fix output for default-action rules: display N/A for counters in base chains, since they are not available.Change from N/A to N/D for empty groups, and for groups which found no reference in config
|
|
T5533: Fix VRRP IPv6 group enters in FAULT state
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it
|
|
The following command expects to join source-specific multicast group 239.1.2.3
on interface eth0, where the source address is 192.0.2.1.
set protocols igmp interface eth0 join 239.1.2.3 source 192.0.2.1
This command should generate FRR config:
interface eth0
ip igmp
ip igmp join 239.1.2.3 192.0.2.1
exit
However, there is a bug in the Jinja template where `if ifaces[iface].gr_join[group]`
is mostly evaluated as `false` because `iface` is a loop variable from another loop.
|
|
T5536: Fix show dhcp client leases
|
|
|
|
Fix helpers was moved to vyos.utils package
Fix empty new address from the lease file causes
OSError: illegal IP address string passed to inet_pton
|
|
T5531: Containers add label option
|
|
eapol: T4782: Support multiple CA chains
|
|
Ability to set labels for container
set container name c1 allow-host-networks
set container name c1 image 'busybox'
set container name c1 label mypods value 'My label for containers'
|
|
|
|
|
|
specified (correct ::/0 for ipv6). Also, add columns for inbound and outbound interfaces
|
|
correct reference in source/destination column
|
|
|
|
firewall: T5080: Disable conntrack unless required by rules
|
|
|
|
|
|
firewall: T3509: Add support for IPv6 reverse path filtering
|
|
interface-name or interface-group
|
|
|
|
|
|
save-config: T4292: rewrite vyatta-save-config.pl to Python
|
|
Fix for add IPv6 link-local address for container interfaces
set container network NET01 prefix '10.0.0.0/24'
set container network NET01 prefix '2001:db8:2222::/64'
% ip -6 addr show scope link dev pod-NET01
17: pod-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fe80::d89c:dfff:fe1a:8689/64 scope link
|
|
Configuring "set system ip protocol ospf|bgp route-map foo" and commit it
installs the route-map into FRR. Removing the CLI configuration "delete system
ip protocol" does not remove the route-map from FRR - it stays active.
This commit adds the fix and appropriate smoketests extenstion.
|
|
|
|
system-ip: T5449: add TCP MSS probing options
|
|
wifi: T5491: allow white-/blacklisting station MAC addresses for security
|
|
T5472: nat redirect: allow redirection without defining redirected port
|
|
T5463: Container allow publish listen-addresses
|
|
This is a workaround for the priority inversion from T5492 ("CLI node priority
is not inversed on node deletion"). As this is a corner case bug that's only
triggered if an interface is removed from a VRF and also the VRF is removed in
one commit, priorities are not honored.
Thus we implement this workaround which stop the DHCP(v6) client processes on
the VRF associated interfaces to get out the DHCP RELEASE message before
interfaces are shut down.
|
|
Helper functions can and will be re-use din different code places.
|
|
|
|
Ability to publish multiple IP/IPv6 addresses for container
set container name c1 port web destination '80'
set container name c1 port web listen-address '192.0.2.1'
set container name c1 port web listen-address '2001:db8:1111::1'
set container name c1 port web source '8080'
--publish 192.0.2.1:8080:80/tcp --publish [2001:db8:1111::1]:8080:80/tcp
|
|
T5447: Initial support for MACsec static keys
|
|
T5478: remove config-trap configuration parser in firewall
|
|
|
|
|
|
|
|
|
|
|
|
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
|
|
|
|
|
|
|
|
|
|
wireguard: T5409: Added 'set interfaces wireguard wgX threaded'
|
|
Using threaded as CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probing if
the option is set. There is a base test which requires at least one peer
to be configured.
|
|
|