| Age | Commit message (Collapse) | Author |
|---|
|
OPENVPN: T6555: add server-bridge options in mode server
|
|
T5873: T6619: remove unused imports
|
|
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
|
|
T4072: firewall extend bridge firewall
|
|
|
|
|
|
T6632: add missing standard functions to config scripts
|
|
T6629: call check_kmod within a standard config function
|
|
|
|
In the PR https://github.com/vyos/vyos-1x/pull/3823 the ncp-ciphers
were replaced with `data-ciphers`
fix template for "generate openvpn client-config"
|
|
|
|
|
|
|
|
Move the remaining calls to check_kmod within a standard function,
with placement determined by the needs of the config script.
|
|
nat64: T6627: call check_kmod within standard config function
|
|
Functions called from config scripts outside of the standard functions
get_config/verify/generate/apply will not be called when run under
configd. Move as appropriate for the general config script structure and
the specific script requirements.
|
|
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
|
|
console: T3334: remove unused directories imported from vyos.defaults
|
|
enabling/disabling sending traffic from bridge layer to ipvX layer
|
|
wrong. Use nft -c option to check temporary file, and use output provided by nftables to parse the error if possible, or print it as it is if it's an unknown error
|
|
T5873: ipsec remote access VPN: support VTI interfaces.
|
|
|
|
T6617: T6618: vpn ipsec remote-access: fix profile generators
|
|
|
|
Removed unused pprint module
|
|
T6486: T6379: Rewrite generate openvpn client-config
|
|
system: op-mode: T3334: allow delayed getty restart when configuring serial ports
|
|
ports
* Created op-mode command "restart serial console"
* Relocated service control to vyos.utils.serial helpers, used by conf- and
op-mode serial console handling
* Checking for logged-in serial sessions that may be affected by getty reconfig
* Warning the user when changes are committed and serial sessions are active,
otherwise restart services as normal. No prompts issued during commit,
all config gen/commit steps still occur except for the service restarts
(everything remains consistent)
* To apply committed changes, user will need to run "restart serial console"
to complete the process or reboot the whole router
* Added additional flags and target filtering for generic use of helpers.
|
|
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
|
|
|
|
Commit 452068ce78 ("interfaces: T6592: moving an interface between VRF instances
failed") added a similar but more detailed implementation of get_vrf_table_id()
that was added in commit adeac78ed of this PR. Move to the common available
implementation.
|
|
* PBR can only target table IDs up to 200 and the previous PR to extend the
range was rejected
* PBR with this PR can now also target VRFs directly by name, working around
targeting problems for VRF table IDs outside the overlapping 100-200 range
* Validation ensures rules can't target both a table ID and a VRF name
(internally they are handled the same)
* Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name
to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone().
It does not replace that usage, as it deliberately does not handle non-VRF
interface lookups (would fail with a KeyError).
* Added route table ID lookup dict, global route table and VRF table defs
to vyos.defaults. Table ID references have been updated in code touched
by this PR.
* Added a simple smoketest to validate 'set vrf' usage in PBR rules
|
|
and return an empty list in that case
(handy for migration scripts and the like)
|
|
T6362: Create conntrack logger daemon
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
This patch on #3616 will only attempt to fix ipsec matches in rules if the
firewall config tree passed to migrate_chain() has rules attached.
|
|
Strongswan does not initiate session after termination via vici.
Added an CHILD SAs initialization on the initiator side
of the tunnel.
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
|
|
|
|
|
|
iifname/oifname
When any of the following features NAT, NAT66 or Firewall is enabled, for every
VRF on the CLI we install one rule into nftables for conntrack:
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}
This is superfluous.
|
|
|
|
|
|
|
|
vrf: T6602: verify supplied VRF name on all interface types
|
|
op_mode: T6596: pppoe operation command failed
|
|
system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by TuneD
|
|
|
|
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF
actually exists. If this is not validated, one can pass an invalid VRF to the
system which generates an OSError exception.
To reproduce
set interfaces vxlan vxlan1 vni 1000
set interfaces vxlan vxlan1 remote 1.2.3.4
set interfaces vxlan vxlan1 vrf smoketest
results in
OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt
This commit adds the missing verify_vrf() call to the missing interface types
and an appropriate smoketest for all interfaces supporting VRF assignment.
|
