Diffstat (limited to 'interface-definitions')
24 files changed, 398 insertions, 404 deletions
diff --git a/interface-definitions/containers.xml.in b/interface-definitions/containers.xml.in index 6fc53c105..124b1f65e 100644 --- a/interface-definitions/containers.xml.in +++ b/interface-definitions/containers.xml.in @@ -3,6 +3,7 @@ <node name="container" owner="${vyos_conf_scripts_dir}/containers.py"> <properties> <help>Container applications</help> + <priority>1280</priority> </properties> <children> <tagNode name="name"> diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index b613e30c1..b65a89b56 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!-- HTTPS configuration --> <interfaceDefinition> - <syntaxVersion component='https' version='2'></syntaxVersion> + <syntaxVersion component='https' version='3'></syntaxVersion> <node name="service"> <children> <node name="https" owner="${vyos_conf_scripts_dir}/https.py"> @@ -123,22 +123,7 @@ <help>TLS certificates</help> </properties> <children> - <node name="system-generated-certificate" owner="${vyos_conf_scripts_dir}/vyos_cert.py"> - <properties> - <help>Use an automatically generated self-signed certificate</help> - </properties> - <children> - <leafNode name="lifetime"> - <properties> - <help>Lifetime in days; default is 365</help> - <valueHelp> - <format>1-65535</format> - <description>Number of days</description> - </valueHelp> - </properties> - </leafNode> - </children> - </node> + #include <include/pki/certificate.xml.i> <node name="certbot" owner="${vyos_conf_scripts_dir}/le_cert.py"> <properties> <help>Request or apply a letsencrypt certificate for domain-name</help> diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i index e65088c43..fdcff36bf 100644 --- a/interface-definitions/include/accel-ppp/radius-additions.xml.i +++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i 
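Review bot: The `system-generated-certificate` node and its `lifetime` leaf are removed from `service https certificates` and replaced by `#include <include/pki/certificate.xml.i>`, with no self-signed fallback visible in the definition. The `syntaxVersion` bump from 2 to 3 in the first https hunk implies a migrator, but that script is outside this diff; confirm it rewrites configurations that relied on the generated certificate, and confirm what `https.py` does when no `pki certificate` is referenced. The `certificates` node's help, `TLS certificates`, would be clearer as `<help>TLS certificates (loaded under 'pki certificate')</help>` so the operator knows the value is a PKI object name.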
@@ -88,11 +88,7 @@ </properties> <defaultValue>3</defaultValue> </leafNode> - <leafNode name="nas-identifier"> - <properties> - <help>NAS-Identifier attribute sent to RADIUS</help> - </properties> - </leafNode> + #include <include/radius-nas-identifier.xml.i> <leafNode name="nas-ip-address"> <properties> <help>NAS-IP-Address attribute sent to RADIUS</help> diff --git a/interface-definitions/include/auth-local-users.xml.i b/interface-definitions/include/auth-local-users.xml.i new file mode 100644 index 000000000..8ef09554e --- /dev/null +++ b/interface-definitions/include/auth-local-users.xml.i @@ -0,0 +1,22 @@ +<!-- include start from auth-local-users.xml.i --> +<node name="local-users"> + <properties> + <help>Local user authentication</help> + </properties> + <children> + <tagNode name="username"> + <properties> + <help>Username used for authentication</help> + </properties> + <children> + #include <include/generic-disable-node.xml.i> + <leafNode name="password"> + <properties> + <help>Password used for authentication</help> + </properties> + </leafNode> + </children> + </tagNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i index 1673f25a5..aaa69e6c8 100644 --- a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i +++ b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i 
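Review bot: The `password` leaf in the new `auth-local-users.xml.i` carries no `<valueHelp>` and nothing marks its value as a secret, while the `pre-shared-secret` include added in this same series at least documents its value. Add `<valueHelp><format>txt</format><description>Password (stored in the configuration)</description></valueHelp>` so the CLI states what the value is, and since openconnect and IPsec remote-access now share this include, confirm that both consumers treat the value the same way when the configuration is displayed, which this diff cannot show. The `username` tag node likewise has no `<valueHelp>`; `<description>Username</description>` with `<format>txt</format>` would match the rest of the include style.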
@@ -11,17 +11,6 @@ <valueless/> </properties> </leafNode> -<leafNode name="rd"> - <properties> - <help>Route Distinguisher</help> - <valueHelp> - <format>txt</format> - <description>Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)</description> - </valueHelp> - <constraint> - <regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}$</regex> - </constraint> - </properties> -</leafNode> +#include <include/bgp/route-distinguisher.xml.i> #include <include/bgp/route-target.xml.i> <!-- include end --> diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 37fc7259f..552e85aa4 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -372,18 +372,7 @@ </constraint> </properties> <children> - <leafNode name="rd"> - <properties> - <help>Route Distinguisher</help> - <valueHelp> - <format>txt</format> - <description>Route Distinguisher, asn:xxx</description> - </valueHelp> - <constraint> - <regex>^[0-9]{1,10}:[0-9]{1,5}$</regex> - </constraint> - </properties> - </leafNode> + #include <include/bgp/route-distinguisher.xml.i> <leafNode name="label"> <properties> <help>MPLS label value assigned to route</help> @@ -772,18 +761,7 @@ </constraint> </properties> <children> - <leafNode name="rd"> - <properties> - <help>Route Distinguisher</help> - <valueHelp> - <format>txt</format> - <description>Route Distinguisher, asn:xxx</description> - </valueHelp> - <constraint> - <regex>^[0-9]{1,10}:[0-9]{1,5}$</regex> - </constraint> - </properties> - </leafNode> + #include <include/bgp/route-distinguisher.xml.i> <leafNode name="label"> <properties> <help>MPLS label value assigned to route</help> 
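Review bot: Replacing the two `rd` leaves in `bgp/protocol-common-config.xml.i` (hunks at old lines 372 and 772) with `#include <include/bgp/route-distinguisher.xml.i>` widens their validation: the removed regex `^[0-9]{1,10}:[0-9]{1,5}$` accepted only the `asn:xxx` form the old help named, while the shared include, lifted from `afi-l2vpn-common.xml.i`, also accepts `x.x.x.x:yyy`. Both are valid route distinguisher encodings, so this is probably intended, but confirm the conf script rendering these two contexts does not parse the value as ASN-only; if it does, keep a narrower include for them. The enclosing `<children>` blocks start and end outside both hunks.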
@@ -1038,6 +1016,12 @@ </leafNode> #include <include/bgp/remote-as.xml.i> #include <include/bgp/neighbor-shutdown.xml.i> + <leafNode name="solo"> + <properties> + <help>Do not send back prefixes learned from the neighbor</help> + <valueless/> + </properties> + </leafNode> <leafNode name="strict-capability-match"> <properties> <help>Enable strict capability negotiation</help> diff --git a/interface-definitions/include/bgp/route-distinguisher.xml.i b/interface-definitions/include/bgp/route-distinguisher.xml.i new file mode 100644 index 000000000..fdfbe7076 --- /dev/null +++ b/interface-definitions/include/bgp/route-distinguisher.xml.i @@ -0,0 +1,14 @@ +<!-- include start from bgp/route-distinguisher.xml.i --> +<leafNode name="rd"> + <properties> + <help>Route Distinguisher</help> + <valueHelp> + <format>txt</format> + <description>Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)</description> + </valueHelp> + <constraint> + <regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/dhcp-interface.xml.i b/interface-definitions/include/dhcp-interface.xml.i new file mode 100644 index 000000000..939b45f15 --- /dev/null +++ b/interface-definitions/include/dhcp-interface.xml.i @@ -0,0 +1,15 @@ + <leafNode name="dhcp-interface"> + <properties> + <help>DHCP interface supplying next-hop IP address</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + <valueHelp> + <format>txt</format> + <description>DHCP interface name</description> + </valueHelp> + <constraint> + <validator name="interface-name"/> + </constraint> + </properties> + </leafNode> diff --git a/interface-definitions/include/interface/interface-eapol.xml.i b/interface-definitions/include/interface/interface-eapol.xml.i index 92b7a3f35..270ec5b13 100644 
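Review bot: The octet alternative `[0-9]?` in the `rd` regex of the new `bgp/route-distinguisher.xml.i` is optional, so an empty octet matches and values such as `1.2.3.:100` or even `...:100` satisfy the constraint; the include is now shared by three contexts, so the gap propagates. Change `[0-9]?` to `[0-9]` in both octet positions, giving `(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9])`, and add a `<constraintErrorMessage>` naming the two accepted forms, as the other constrained leaves in this diff do.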
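Review bot: The new `include/dhcp-interface.xml.i` lacks the `<!-- include start from dhcp-interface.xml.i -->` and `<!-- include end -->` markers that every other include created in this series carries (`auth-local-users`, `bgp/route-distinguisher`, `ipsec/authentication-pre-shared-secret`, `radius-nas-identifier`), and its lines keep leading indentation the others drop. Add the two marker comments so the expanded XML stays traceable to its source file, and remove the indentation for consistency with the sibling includes.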
--- a/interface-definitions/include/interface/interface-eapol.xml.i +++ b/interface-definitions/include/interface/interface-eapol.xml.i @@ -4,9 +4,8 @@ <help>Extensible Authentication Protocol over Local Area Network</help> </properties> <children> - #include <include/certificate.xml.i> - #include <include/certificate-ca.xml.i> - #include <include/certificate-key.xml.i> + #include <include/pki/ca-certificate.xml.i> + #include <include/pki/certificate-key.xml.i> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i b/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i new file mode 100644 index 000000000..af2669335 --- /dev/null +++ b/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i @@ -0,0 +1,11 @@ +<!-- include start from ipsec/authentication-pre-shared-secret.xml.i --> +<leafNode name="pre-shared-secret"> + <properties> + <help>Pre-shared secret key</help> + <valueHelp> + <format>txt</format> + <description>Pre-shared secret key</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i index 831d12694..af5a21f49 100644 --- a/interface-definitions/include/isis/protocol-common-config.xml.i +++ b/interface-definitions/include/isis/protocol-common-config.xml.i 
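Review bot: The EAPOL hunk appears to drop the client certificate: the old `certificate.xml.i`, `certificate-ca.xml.i` and `certificate-key.xml.i` become only `pki/ca-certificate.xml.i` and `pki/certificate-key.xml.i`, while the https and OpenVPN hunks in this same diff show that `include/pki/certificate.xml.i` exists. EAP-TLS needs the supplicant's own certificate alongside its key, so unless `pki/certificate-key.xml.i` also defines the certificate node, add `#include <include/pki/certificate.xml.i>` before the key include. The `eapol` node's header is outside the hunk.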
@@ -492,6 +492,61 @@ </node> </children> </node> + <node name="ipv6"> + <properties> + <help>Redistribute IPv6 routes</help> + </properties> + <children> + <node name="bgp"> + <properties> + <help>Redistribute BGP routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="connected"> + <properties> + <help>Redistribute connected routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="kernel"> + <properties> + <help>Redistribute kernel routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="ospf6"> + <properties> + <help>Redistribute OSPFv3 routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="ripng"> + <properties> + <help>Redistribute RIPng routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="static"> + <properties> + <help>Redistribute static routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + </children> + </node> </children> </node> <leafNode name="set-attached-bit"> @@ -711,4 +766,4 @@ </children> </tagNode> #include <include/route-map.xml.i> -<!-- include end --> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/isis/redistribute-ipv6.xml.i b/interface-definitions/include/isis/redistribute-ipv6.xml.i new file mode 100644 index 000000000..7e679e38a --- /dev/null +++ b/interface-definitions/include/isis/redistribute-ipv6.xml.i @@ -0,0 +1,42 @@ +<!-- include start from isis/redistribute-ipv6.xml.i --> +<node name="level-1"> + <properties> + <help>Redistribute into level-1</help> + </properties> + <children> + <leafNode name="metric"> + <properties> + <help>Metric for redistributed routes</help> + <valueHelp> + <format>u32:0-16777215</format> + <description>ISIS default metric</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-16777215"/> + </constraint> + </properties> + </leafNode> + #include <include/route-map.xml.i> + </children> +</node> +<node name="level-2"> + <properties> + <help>Redistribute into level-2</help> + </properties> + <children> + <leafNode name="metric"> + <properties> + <help>Metric for redistributed routes</help> + <valueHelp> + <format>u32:0-16777215</format> + <description>ISIS default metric</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-16777215"/> + </constraint> + </properties> + </leafNode> + #include <include/route-map.xml.i> + </children> +</node> +<!-- include end -->
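Review bot: The last hunk of `isis/protocol-common-config.xml.i` rewrites `<!-- include end -->` only to drop the file's trailing newline, and the new `isis/redistribute-ipv6.xml.i` is committed without one as well. If the `#include` preprocessor splices files textually without adding a newline, the marker comment would fuse with whatever follows the include; restore the trailing newline in both files, which makes this hunk disappear entirely.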
\ No newline at end of file diff --git a/interface-definitions/include/radius-nas-identifier.xml.i b/interface-definitions/include/radius-nas-identifier.xml.i new file mode 100644 index 000000000..8e6933cc0 --- /dev/null +++ b/interface-definitions/include/radius-nas-identifier.xml.i @@ -0,0 +1,7 @@ +<!-- include start from radius-nas-identifier.xml.i --> +<leafNode name="nas-identifier"> + <properties> + <help>NAS-Identifier attribute sent to RADIUS</help> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i index 254ea3163..21babc015 100644 --- a/interface-definitions/include/static/static-route.xml.i +++ b/interface-definitions/include/static/static-route.xml.i @@ -31,21 +31,7 @@ </leafNode> </children> </node> - <leafNode name="dhcp-interface"> - <properties> - <help>DHCP interface supplying next-hop IP address</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <valueHelp> - <format>txt</format> - <description>DHCP interface name</description> - </valueHelp> - <constraint> - <validator name="interface-name"/> - </constraint> - </properties> - </leafNode> + #include <include/dhcp-interface.xml.i> <tagNode name="interface"> <properties> <help>Next-hop IPv4 router interface</help> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 681290570..7ff08ac86 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in 
@@ -637,16 +637,12 @@ </leafNode> </children> </node> - <leafNode name="shared-secret-key-file"> + <leafNode name="shared-secret-key"> <properties> - <help>File containing the secret key shared with remote end of tunnel</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>Secret key shared with remote end of tunnel</help> + <completionHelp> + <path>pki openvpn shared-secret</path> + </completionHelp> </properties> </leafNode> <node name="tls"> 
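Review bot: The new `shared-secret-key` leaf (and `auth-key`, `dh-params` and `crypt-key` in the following TLS hunk) gets a `<completionHelp><path>` but neither a `<valueHelp>` nor a `<constraint>`, whereas the removed file-based leaves had both. A name that does not exist under `pki openvpn shared-secret` is now caught only by the conf script, if at all, which this diff does not show; at minimum add `<valueHelp><format>txt</format><description>Name of the shared secret key in PKI</description></valueHelp>` so the CLI documents that the value is a PKI object name rather than key material. The same applies to `dh-params`, whose completion path is `pki dh`.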
@@ -654,55 +650,30 @@ <help>Transport Layer Security (TLS) options</help> </properties> <children> - <leafNode name="auth-file"> - <properties> - <help>File containing tls static key for tls-auth</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> - </properties> - </leafNode> - #include <include/certificate.xml.i> - #include <include/certificate-ca.xml.i> - <leafNode name="crl-file"> + <leafNode name="auth-key"> <properties> - <help>File containing certificate revocation list (CRL) for this host</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>TLS shared secret key for tls-auth</help> + <completionHelp> + <path>pki openvpn shared-secret</path> + </completionHelp> </properties> </leafNode> - <leafNode name="dh-file"> + #include <include/pki/certificate.xml.i> + #include <include/pki/ca-certificate.xml.i> + <leafNode name="dh-params"> <properties> - <help>File containing Diffie Hellman parameters (server only)</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>Diffie Hellman parameters (server only)</help> + <completionHelp> + <path>pki dh</path> + </completionHelp> </properties> </leafNode> - #include <include/certificate-key.xml.i> - <leafNode name="crypt-file"> + <leafNode name="crypt-key"> <properties> - <help>File containing encryption key to authenticate control channel</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator 
name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>Static key to use to authenticate control channel</help> + <completionHelp> + <path>pki openvpn shared-secret</path> + </completionHelp> </properties> </leafNode> <leafNode name="tls-version-min"> diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index 56f8ea79c..b994bdafc 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -29,14 +29,7 @@ #include <include/interface/interface-ipv6-options.xml.i> #include <include/source-address-ipv4-ipv6.xml.i> #include <include/interface/tunnel-remote.xml.i> - <leafNode name="source-interface"> - <properties> - <help>Physical Interface used for underlaying traffic</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - </properties> - </leafNode> + #include <include/source-interface.xml.i> <leafNode name="6rd-prefix"> <properties> <help>6rd network prefix</help> @@ -61,21 +54,7 @@ </constraint> </properties> </leafNode> - <leafNode name="dhcp-interface"> - <properties> - <help>dhcp interface</help> - <valueHelp> - <format>interface</format> - <description>DHCP interface that supplies the local IP address for this tunnel</description> - </valueHelp> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <constraint> - <regex>^(en|eth|br|bond|gnv|vxlan|wg|tun)[0-9]+$</regex> - </constraint> - </properties> - </leafNode> + #include <include/dhcp-interface.xml.i> <leafNode name="encapsulation"> <properties> <help>Encapsulation of this tunnel interface</help> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 7a286eaf2..56d01dfb6 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in 
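Review bot: The TLS hunk removes `crl-file` with no successor among the new `auth-key`, `certificate`, `ca-certificate`, `dh-params` and `crypt-key` leaves, so certificate revocation for OpenVPN peers is no longer configurable at this level. If revocation now lives with the CA object under `pki` (which the `ca-certificate` include may imply), state that in the include's help; otherwise this silently drops the ability to reject revoked client certificates and needs an equivalent CRL reference. The `tls` node's closing tags are outside the hunk.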
@@ -92,6 +92,7 @@
 #include <include/source-address-ipv4-ipv6.xml.i>
 #include <include/source-interface.xml.i>
 #include <include/interface/tunnel-remote.xml.i>
+ #include <include/interface/interface-vrf.xml.i>
 #include <include/vni.xml.i>
 </children>
 </tagNode>
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 378251fed..773bde09c 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -42,12 +42,12 @@
 </leafNode>
 <leafNode name="private-key">
 <properties>
- <help>Private key to use on that interface</help>
- <completionHelp>
- <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script>
- </completionHelp>
+ <help>Base64 encoded private key</help>
+ <constraint>
+ <regex>[0-9a-zA-Z\+/]{43}=$</regex>
+ </constraint>
+ <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
 </properties>
- <defaultValue>default</defaultValue>
 </leafNode>
 <tagNode name="peer">
 <properties>
@@ -59,7 +59,7 @@
 </properties>
 <children>
 #include <include/generic-disable-node.xml.i>
- <leafNode name="pubkey">
+ <leafNode name="public-key">
 <properties>
 <help>base64 encoded public key</help>
 <constraint>
diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in
index f57103eac..2654449a1 100644
--- a/interface-definitions/snmp.xml.in
+++ b/interface-definitions/snmp.xml.in
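Review bot: The new `private-key` regex `[0-9a-zA-Z\+/]{43}=$` is anchored only at the end, while every other regex in this diff is anchored at both ends (`^(route-table)$`, `^(never|keep|replace)$`); unless the validator full-matches implicitly, a value with arbitrary leading characters passes the constraint. Use `<regex>^[0-9a-zA-Z\+/]{43}=$</regex>`. Separately, `pubkey` becoming `public-key` and `private-key` changing from a key-directory name (with `default` as its default value) to inline key material both break existing configurations unless a migrator exists, and no `syntaxVersion` change for this file is visible in the diff, so confirm one was added. The private key is now part of the configuration itself and therefore appears wherever the configuration is shown or archived; the help could say so.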
@@ -129,6 +129,26 @@ <constraintErrorMessage>Location is limited to 255 characters or less</constraintErrorMessage> </properties> </leafNode> + <leafNode name="oid-enable"> + <properties> + <help>Enable specific oids</help> + <valueHelp> + <format>txt</format> + <description>Enable specific oids</description> + </valueHelp> + <valueHelp> + <format>route-table</format> + <description>Enable route table oids (ipCidrRouteTable inetCidrRouteTable)</description> + </valueHelp> + <completionHelp> + <list>route-table</list> + </completionHelp> + <constraint> + <regex>^(route-table)$</regex> + </constraint> + <constraintErrorMessage>Oid must be 'route-table'</constraintErrorMessage> + </properties> + </leafNode> <leafNode name="smux-peer"> <properties> <help>Register a subtree for SMUX-based processing</help> diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 147f351f2..b28c86ae6 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -11,18 +11,6 @@ <priority>901</priority> </properties> <children> - <leafNode name="auto-update"> - <properties> - <help>Set auto-update interval for IPsec daemon</help> - <valueHelp> - <format>u32:30-65535</format> - <description>Auto-update interval (s)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 30-65535"/> - </constraint> - </properties> - </leafNode> <leafNode name="disable-uniqreqids"> <properties> <help>Option to disable requirement for unique IDs in the Security Database</help> @@ -52,6 +40,7 @@ <regex>^(disable|enable)$</regex> </constraint> </properties> + <defaultValue>disable</defaultValue> </leafNode> <leafNode name="lifetime"> <properties> @@ -394,7 +383,6 @@ </properties> <children> <leafNode name="dh-group"> - <defaultValue>2</defaultValue> <properties> <help>dh-grouphelp</help> <completionHelp> 
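Review bot: The `oid-enable` leaf's first `<valueHelp>` advertises a free-form `txt` value ("Enable specific oids") but the constraint `^(route-table)$` accepts only `route-table`, so the help promises more than the node permits. Drop the `txt` entry and keep only the `route-table` one, or, if further OIDs are planned, extend the regex and the `<list>` together. The help and error message would also read better with the acronym spelled `OID`.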
@@ -492,6 +480,7 @@ <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex> </constraint> </properties> + <defaultValue>2</defaultValue> </leafNode> #include <include/vpn-ipsec-encryption.xml.i> #include <include/vpn-ipsec-hash.xml.i> @@ -509,22 +498,15 @@ <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help> </properties> </leafNode> - <node name="ipsec-interfaces"> + <leafNode name="interface"> <properties> - <help>Interface to use for VPN [REQUIRED]</help> + <help>Onterface used for IPsec communication</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + <multi/> </properties> - <children> - <leafNode name="interface"> - <properties> - <help>IPsec interface [REQUIRED]</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <multi/> - </properties> - </leafNode> - </children> - </node> + </leafNode> <node name="log"> <properties> <help>IPsec logging</help> @@ -648,37 +630,6 @@ <valueless/> </properties> </leafNode> - <node name="remote-access"> - <properties> - <help>remote-access global options</help> - </properties> - <children> - <node name="dhcp-pool"> - <properties> - <help>DHCP pool options for remote-access</help> - </properties> - <children> - <leafNode name="interface"> - <properties> - <help>Interface with DHCP server to use</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - </properties> - </leafNode> - <leafNode name="server"> - <properties> - <help>DHCP server address</help> - <valueHelp> - <format>ipv4</format> - <description>IPv4 address of the DHCP server</description> - </valueHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </node> </children> </node> <tagNode name="profile"> 
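Review bot: The new `interface` leaf's help reads `Onterface used for IPsec communication`; it should be `<help>Interface used for IPsec communication</help>`. The removed `ipsec-interfaces interface` node was marked `[REQUIRED]` and the replacement carries no such hint, so if the conf script still rejects a configuration without it, keep the marker in the help. No `syntaxVersion` bump for `vpn_ipsec.xml.in` is visible in this diff, so confirm a migrator moves `ipsec-interfaces interface` to `interface`.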
@@ -704,15 +655,7 @@
 </valueHelp>
 </properties>
 </leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>Pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
 </children>
 </node>
 <node name="bind">
@@ -739,102 +682,161 @@ #include <include/ipsec/ike-group.xml.i> </children> </tagNode> - <tagNode name="remote-access"> + <node name="remote-access"> <properties> - <help>Remote access IKEv2 VPN </help> + <help>IKEv2 remote access VPN</help> </properties> <children> - <node name="authentication"> + <tagNode name="connection"> <properties> - <help>Authentication for remote access</help> + <help>IKEv2 VPN connection name</help> </properties> <children> - #include <include/ipsec/authentication-id.xml.i> - #include <include/ipsec/authentication-x509.xml.i> - <leafNode name="client-mode"> + <node name="authentication"> <properties> - <help>Client authentication mode</help> - <completionHelp> - <list>eap-tls eap-mschapv2</list> - </completionHelp> - <valueHelp> - <format>eap-tls</format> - <description>EAP-TLS</description> - </valueHelp> + <help>Authentication for remote access</help> + </properties> + <children> + #include <include/ipsec/authentication-id.xml.i> + #include <include/ipsec/authentication-x509.xml.i> + <leafNode name="client-mode"> + <properties> + <help>Client authentication mode</help> + <completionHelp> + <list>eap-tls eap-mschapv2 eap-radius</list> + </completionHelp> + <valueHelp> + <format>eap-tls</format> + <description>Client uses EAP-TLS authentication</description> + </valueHelp> + <valueHelp> + <format>eap-mschapv2</format> + <description>Client uses EAP-MSCHAPv2 authentication</description> + </valueHelp> + <valueHelp> + <format>eap-radius</format> + <description>Client uses EAP-RADIUS authentication</description> + </valueHelp> + <constraint> + <regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex> + </constraint> + </properties> + <defaultValue>eap-mschapv2</defaultValue> + </leafNode> + #include <include/auth-local-users.xml.i> + <leafNode name="server-mode"> + <properties> + <help>Server authentication mode</help> + <completionHelp> + <list>pre-shared-secret x509</list> + </completionHelp> + <valueHelp> + <format>pre-shared-secret</format> + 
<description>pre-shared-secret_description</description> + </valueHelp> + <valueHelp> + <format>x509</format> + <description>x509_description</description> + </valueHelp> + <constraint> + <regex>^(pre-shared-secret|x509)$</regex> + </constraint> + </properties> + <defaultValue>x509</defaultValue> + </leafNode> + #include <include/ipsec/authentication-pre-shared-secret.xml.i> + </children> + </node> + #include <include/generic-description.xml.i> + #include <include/generic-disable-node.xml.i> + #include <include/ipsec/esp-group.xml.i> + #include <include/ipsec/ike-group.xml.i> + #include <include/ipsec/local-address.xml.i> + #include <include/ipsec/local-traffic-selector.xml.i> + <leafNode name="timeout"> + <properties> + <help>Timeout to close connection if no data is transmitted</help> <valueHelp> - <format>eap-mschapv2</format> - <description>EAP-MSCHAPv2</description> + <format>u32:10-86400</format> + <description>Timeout in seconds (default 28800)</description> </valueHelp> <constraint> - <regex>^(eap-tls|eap-mschapv2)$</regex> + <validator name="numeric" argument="--range 10-86400"/> </constraint> </properties> - <defaultValue>eap-mschapv2</defaultValue> + <defaultValue>28800</defaultValue> </leafNode> - <node name="local-users"> + <leafNode name="pool"> <properties> - <help>Local user authentication for PPPoE server</help> + <help>Pool name used for IP address assignments</help> + <completionHelp> + <path>vpn ipsec remote-access pool</path> + <list>dhcp</list> + </completionHelp> + <valueHelp> + <format>txt</format> + <description>Pool name</description> + </valueHelp> + <multi/> </properties> - <children> - <tagNode name="username"> - <properties> - <help>User name for authentication</help> - </properties> - <children> - #include <include/generic-disable-node.xml.i> - <leafNode name="password"> - <properties> - <help>Password for authentication</help> - </properties> - </leafNode> - </children> - </tagNode> - </children> - </node> - <leafNode 
name="server-mode"> + </leafNode> + <leafNode name="unique"> <properties> - <help>Server authentication mode</help> + <help>Connection uniqueness policy to enforce</help> <completionHelp> - <list>pre-shared-secret x509</list> + <list>never keep replace</list> </completionHelp> <valueHelp> - <format>pre-shared-secret</format> - <description>pre-shared-secret_description</description> + <format>never</format> + <description>Never enforce connection uniqueness policy</description> </valueHelp> <valueHelp> - <format>x509</format> - <description>x509_description</description> + <format>keep</format> + <description>Rejects new connection attempts if the same user already has an active connection</description> + </valueHelp> + <valueHelp> + <format>replace</format> + <description>Delete any existing connection if a new one for the same user gets established</description> </valueHelp> <constraint> - <regex>^(pre-shared-secret|x509)$</regex> + <regex>^(never|keep|replace)$</regex> </constraint> </properties> - <defaultValue>x509</defaultValue> </leafNode> - <leafNode name="pre-shared-secret"> + </children> + </tagNode> + <node name="dhcp"> + <properties> + <help>DHCP pool options for remote-access</help> + </properties> + <children> + <leafNode name="interface"> + <properties> + <help>Interface with DHCP server to use</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + </leafNode> + <leafNode name="server"> <properties> - <help>Pre-shared-secret used for server authentication</help> + <help>DHCP server address</help> + <valueHelp> + <format>ipv4</format> + <description>DHCP server IPv4 address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> </properties> </leafNode> </children> </node> - #include <include/generic-description.xml.i> - #include <include/generic-disable-node.xml.i> - #include <include/ipsec/esp-group.xml.i> - #include 
<include/ipsec/ike-group.xml.i> - #include <include/ipsec/local-address.xml.i> - #include <include/ipsec/local-traffic-selector.xml.i> - <node name="pool"> + <tagNode name="pool"> <properties> <help>IP address pool for remote-access users</help> </properties> <children> - <leafNode name="dhcp-enable"> - <properties> - <help>Enable DHCP pool for clients on this connection</help> - <valueless/> - </properties> - </leafNode> <leafNode name="exclude"> <properties> <help>Local IPv4 or IPv6 pool prefix exclusions</help> @@ -873,22 +875,20 @@ <!-- Include Accel-PPP definition here, maybe time for a rename? --> #include <include/accel-ppp/name-server.xml.i> </children> + </tagNode> + #include <include/radius-server-ipv4.xml.i> + <node name="radius"> + <children> + #include <include/radius-nas-identifier.xml.i> + <tagNode name="server"> + <children> + #include <include/accel-ppp/radius-additions-disable-accounting.xml.i> + </children> + </tagNode> + </children> </node> - <leafNode name="timeout"> - <properties> - <help>Timeout to close connection if no data is transmitted</help> - <valueHelp> - <format>u32:10-86400</format> - <description>Timeout in seconds (default 28800)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 10-86400"/> - </constraint> - </properties> - <defaultValue>28800</defaultValue> - </leafNode> </children> - </tagNode> + </node> <node name="site-to-site"> <properties> <help>Site-to-site VPN</help> @@ -947,15 +947,7 @@ </constraint> </properties> </leafNode> - <leafNode name="pre-shared-secret"> - <properties> - <help>Pre-shared secret key</help> - <valueHelp> - <format>txt</format> - <description>Pre-shared secret key</description> - </valueHelp> - </properties> - </leafNode> + #include <include/ipsec/authentication-pre-shared-secret.xml.i> <leafNode name="remote-id"> <properties> <help>ID for remote authentication</help> 
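Review bot: The rewritten `server-mode` leaf under `remote-access connection <name> authentication` keeps the placeholder texts `pre-shared-secret_description` and `x509_description` in its `<valueHelp>` entries, and they now ship on the new side of the hunk. Replace them with `<description>Use a pre-shared secret for server authentication</description>` and `<description>Use an X.509 certificate for server authentication</description>`. Since `pre-shared-secret` is a single leaf per connection rather than per user, the first description is also the place to say the secret is common to every client of that connection, which explains why `x509` is the default.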
@@ -1001,14 +993,7 @@ </properties> </leafNode> #include <include/generic-description.xml.i> - <leafNode name="dhcp-interface"> - <properties> - <help>DHCP interface to listen on</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - </properties> - </leafNode> + #include <include/dhcp-interface.xml.i> <leafNode name="force-encapsulation"> <properties> <help>Force UDP Encapsulation for ESP Payloads</help> diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in index 4fbf3fa44..cf31af70f 100644 --- a/interface-definitions/vpn_l2tp.xml.in +++ b/interface-definitions/vpn_l2tp.xml.in 
@@ -70,51 +70,8 @@
 </completionHelp>
 </properties>
 </leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret for IPsec</help>
- </properties>
- </leafNode>
- <node name="x509">
- <properties>
- <help>X.509 certificate</help>
- </properties>
- <children>
- #include <include/certificate-ca.xml.i>
- <leafNode name="crl-file">
- <properties>
- <help>File containing the X.509 Certificate Revocation List (CRL)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="server-cert-file">
- <properties>
- <help>File containing the X.509 certificate for the remote access VPN server (this host)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="server-key-file">
- <properties>
- <help>File containing the private key for the X.509 certificate for the remote access VPN server (this host)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="server-key-password">
- <properties>
- <help>Password that protects the private key</help>
- </properties>
- </leafNode>
- </children>
- </node>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
 </children>
 </node>
 <leafNode name="ike-lifetime">
@@ -128,6 +85,7 @@
 <validator name="numeric" argument="--range 30-86400"/>
 </constraint>
 </properties>
+ <defaultValue>3600</defaultValue>
 </leafNode>
 <leafNode name="lifetime">
 <properties>
@@ -140,7 +98,10 @@
 <validator name="numeric" argument="--range 30-86400"/>
 </constraint>
 </properties>
+ <defaultValue>3600</defaultValue>
 </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
 </children>
 </node>
 #include <include/accel-ppp/wins-server.xml.i>
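Review bot: The `crl-file`, `server-cert-file`, `server-key-file` and `server-key-password` leafs under `x509` are dropped in favour of `include/ipsec/authentication-x509.xml.i`, and nothing in the hunk shows whether that fragment still exposes a CRL or a key passphrase, so the L2TP IPsec authentication surface may silently shrink. A saved configuration that points at files in `/config/auth` also needs a migrator that maps those files onto PKI objects, together with a syntaxVersion bump for this file (outside this hunk). A comment above the new include stating which of the old leafs it replaces, e.g. `<!-- replaces x509 crl-file/server-cert-file/server-key-file/server-key-password -->`, would make the mapping auditable.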
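Review bot: The new `<defaultValue>3600</defaultValue>` on `ike-lifetime` in the `@@ -128,6 +85,7 @@` hunk, and the same addition on `lifetime` in the `@@ -140,7 +98,10 @@` hunk, are not reflected in either leaf's valueHelp description, which lies outside the hunks; if those descriptions do not already say so, append `(default 3600)` to each, as the removed ipsec `timeout` leaf did with `(default 28800)`, so the CLI help shows the default. Both values sit inside the validators' `30-86400` range, so the defaults themselves are consistent with the constraint.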
@@ -159,11 +120,7 @@
 <help>Description for L2TP remote-access settings</help>
 </properties>
 </leafNode>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface to listen on</help>
- </properties>
- </leafNode>
+ #include <include/dhcp-interface.xml.i>
 <leafNode name="idle">
 <properties>
 <help>PPP idle timeout</help>
@@ -248,11 +205,7 @@
 <help>Maximum number of tries to send Access-Request/Accounting-Request queries</help>
 </properties>
 </leafNode>
- <leafNode name="nas-identifier">
- <properties>
- <help>Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help>
- </properties>
- </leafNode>
+ #include <include/radius-nas-identifier.xml.i>
 <node name="dae-server">
 <properties>
 <help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help>
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 1a9d39a12..a33ff67ea 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -32,26 +32,7 @@
 </completionHelp>
 </properties>
 </leafNode>
- <node name="local-users">
- <properties>
- <help>Local user authentication for SSL VPN server</help>
- </properties>
- <children>
- <tagNode name="username">
- <properties>
- <help>User name for authentication</help>
- </properties>
- <children>
- #include <include/generic-disable-node.xml.i>
- <leafNode name="password">
- <properties>
- <help>Password for authentication</help>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
+ #include <include/auth-local-users.xml.i>
 #include <include/radius-server-ipv4.xml.i>
 <node name="radius">
 <children>
@@ -75,7 +56,7 @@
 </node>
 <node name="listen-ports">
 <properties>
- <help>SSL Certificate, SSL Key and CA (/config/auth)</help>
+ <help>Specify custom ports to use for client connections</help>
 </properties>
 <children>
 <leafNode name="tcp">
@@ -108,12 +89,11 @@
 </node>
 <node name="ssl">
 <properties>
- <help>SSL Certificate, SSL Key and CA (/config/auth)</help>
+ <help>SSL Certificate, SSL Key and CA</help>
 </properties>
 <children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- #include <include/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ #include <include/pki/certificate-key.xml.i>
 </children>
 </node>
 <node name="network-settings">
diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in
index c09603028..3576bac90 100644
--- a/interface-definitions/vpn_sstp.xml.in
+++ b/interface-definitions/vpn_sstp.xml.in
@@ -50,12 +50,11 @@
 </node>
 <node name="ssl">
 <properties>
- <help>SSL Certificate, SSL Key and CA (/config/user-data/sstp)</help>
+ <help>SSL Certificate, SSL Key and CA</help>
 </properties>
 <children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- #include <include/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ #include <include/pki/certificate.xml.i>
 </children>
 </node>
 </children>
diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
index 426884a11..9d513945c 100644
--- a/interface-definitions/vrf.xml.in
+++ b/interface-definitions/vrf.xml.in
@@ -19,7 +19,7 @@
 <constraint>
 <validator name="vrf-name"/>
 </constraint>
- <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\n</constraintErrorMessage>
+ <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\nA name must starts from a letter.\n</constraintErrorMessage>
 <valueHelp>
 <format>txt</format>
 <description>VRF instance name</description>
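Review bot: The openconnect `ssl` node now includes `include/pki/ca-certificate.xml.i` and `include/pki/certificate-key.xml.i`, while the SSTP `ssl` node in the next file section (`@@ -50,12 +50,11 @@`) includes `include/pki/ca-certificate.xml.i` and `include/pki/certificate.xml.i`; both replaced the identical trio of old includes and carry the identical help text, so the different second include in one of them looks like a typo. Whichever fragment is the right one for a server certificate with its private key, the two nodes should use the same pair, or a comment on the odd one out should explain why it differs. Since the `/config/auth` and `/config/user-data/sstp` file paths are gone from both help strings, a migrator that maps existing file-based configs onto PKI objects is presumably also required.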
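Review bot: The sentence added to the VRF `constraintErrorMessage` in the `@@ -19,7 +19,7 @@` hunk of vrf.xml.in has a grammar slip that every user with a rejected name will see: `A name must starts from a letter.` should read `A name must start with a letter.`. This is a user-facing string, so it is worth fixing before release rather than in a follow-up.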
@@ -76,13 +76,13 @@
 <properties>
 <help>Routing table associated with this instance</help>
 <valueHelp>
- <format>100-2147483647</format>
+ <format>100-65535</format>
 <description>Routing table ID</description>
 </valueHelp>
 <constraint>
- <validator name="numeric" argument="--range 100-2147483647"/>
+ <validator name="numeric" argument="--range 100-65535"/>
 </constraint>
- <constraintErrorMessage>VRF routing table must be in range from 100 to 2147483647</constraintErrorMessage>
+ <constraintErrorMessage>VRF routing table must be in range from 100 to 65535</constraintErrorMessage>
 </properties>
 </leafNode>
 #include <include/vni.xml.i> |
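Review bot: Narrowing the accepted routing-table range from `100-2147483647` to `100-65535` in the validator, format and error message is a breaking change for any saved configuration whose VRF already uses a larger table ID, and nothing in the hunk explains where the new ceiling comes from. A migrator plus a syntaxVersion bump for vrf.xml.in (both outside this hunk) are needed, or the commit should state why larger IDs are no longer accepted. A short comment above `<valueHelp>` naming the constraint behind the 65535 limit would also stop the next maintainer from quietly widening it again.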