VyOS command definitions, scripts, and utilities (mirror of https://github.com/marekm72/vyos-1x.git) https://git.amelek.net/marekm72/vyos-1x.git/atom?h=1.4.0-epa1 2024-01-01T08:25:32+00:00 2024-01-01T08:25:32+00:00 Christian Breunig christian@breunig.cc 2023-12-30T22:25:20+00:00 urn:sha1:c9eaafd9f808aba8d29be73054e11d37577e539a We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465) 2022-10-17T12:15:22+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-10-17T12:15:22+00:00 urn:sha1:85f04237160a6ea98eea4ec58f1ccab9f6bfc31a Ability to configure SSH-server HostKeyAlgorithms. Specifies the host key signature algorithms that the server offers. Can accept multiple values. 2022-10-10T12:52:54+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-09-27T16:06:52+00:00 urn:sha1:b9de775a5b4f017f9d164a127d93f55ce9053756 Ability to configure SSH RekeyLimit data (in Megabytes) and time (in Minutes) set service ssh rekey data 1024 set service ssh rekey time 60 2022-05-13T16:43:09+00:00 Christian Poessinger christian@poessinger.com 2022-05-13T16:43:07+00:00 urn:sha1:37a08888d103556326ecd13e4738301ac901c861 We do not only allow individual host addresses but also prefixes. 2022-05-12T17:27:38+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-05-10T15:14:19+00:00 urn:sha1:2e81f9e057f598a9a9e5c2d617e3d0818005d850 Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1 2022-02-28T13:28:55+00:00 Christian Poessinger christian@poessinger.com 2022-02-28T13:28:55+00:00 urn:sha1:61fa1c95164e4222e79b078b1a796f41397e0ee3 After hardning the regex validator to be preceeded with ^ and ending with $ it was no longer possible to have a comma separated list as SSH ciphers. The migrations cript is altered to migrate the previous comma separated list to individual multi node entries - cipher and key-exchange always had been multinodes - so this just re-arranges some values and does not break CLI compatibility 2022-02-24T21:47:12+00:00 Christian Poessinger christian@poessinger.com 2022-02-24T21:47:12+00:00 urn:sha1:a68c9238111c6caee78bb28f8054b8f0cfa0e374 Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders: $ cat templates-cfg/service/ssh/port/node.def multi: type: txt help: Port for SSH service (default: 22) val_help: u32:1-65535; Numeric IP port ... Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help. 2021-08-29T12:48:53+00:00 Christian Poessinger christian@poessinger.com 2021-08-29T12:29:19+00:00 urn:sha1:794f193d11c8c1b5fed78f4e40280480446ab593 2021-08-20T15:17:58+00:00 Christian Poessinger christian@poessinger.com 2021-08-19T11:07:18+00:00 urn:sha1:0a8a0188033d6b27c521f082fdddae9873dd5d3d 2021-06-10T19:35:07+00:00 Christian Poessinger christian@poessinger.com 2021-06-10T19:35:07+00:00 urn:sha1:556e03922f78f8e258c6d6630ad47569be376e11