summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-04-11Merge pull request #1953 from sever-sever/T4727-currChristian Breunig
T4727: Change and fix RADIUS rate-limit option for pptp
2023-04-11T4727: Change and fix RADIUS rate-limit option for pptpViacheslav Hletenko
Initially the option 'rate-limit' was implemented with the wrong place in the CLI: set vpn pptp remote-access authentication rate-limit <xxx> Expected under 'radius' section: set vpn pptp remote-access authentication radius rate-limit <xxx> Configuration for 'rate-limit' (Jinja2 template) never worked for pptp, fix it.
2023-04-11Merge pull request #1950 from sever-sever/T5152Christian Breunig
T5152: Get default hostname for telegraf from FQDN or hostname
2023-04-11T5152: Get default hostname for telegraf from FQDN or hostnameViacheslav Hletenko
Fix for Telegraf agent hostname isn't qualified Try to get hostname from FQDN and then from hostname Used for metrics You may have more than one machine with different domain names r1 domain-name foo.local, hostname myhost r2 domain-name bar.local, hostname myhost It helps to detect from which exectly host we get metric for InfluxDB2
2023-04-10Merge pull request #1936 from indrajitr/ddclient-opmodeChristian Breunig
dns: T5144: Improve dns dynamic status output
2023-04-10Merge pull request #1947 from sever-sever/T5148Christian Breunig
T5148: Add smoketest for plugin openvpn-otp OpenVPN
2023-04-10Merge pull request #1949 from sever-sever/T5065Christian Breunig
T5065: Add verify for firewall port-group and port
2023-04-10Merge pull request #1948 from chenxiaolong/T5151Christian Breunig
hostapd: T5151: Override ConditionFileNotEmpty
2023-04-10T5065: Add verify for firewall port-group and portViacheslav Hletenko
We cannot use both 'port' and 'port-group' for the same direction in one rule at the same time Otherwise it generates wrong rules that don't block anything set P_pgrp { type inet_service flags interval auto-merge elements = { 101-105 } } chain NAME_foo { tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10" counter return comment "foo default-action accept" }
2023-04-10hostapd: T5151: Override ConditionFileNotEmptyAndrew Gunnerson
Debian's `debian/2%2.10-12` update of the hostap packaging added a ConditionFileNotEmpty directive for `/etc/hostapd/<...>` paths, which doesn't match the `/run/hostapd/<...>` paths that VyOS uses. This commit updates the override file to use the proper VyOS paths. https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-10Merge pull request #1941 from sever-sever/T1237Viacheslav Hletenko
T1237: Failover route add checks for multiple targets
2023-04-10T5148: Add smoketest for plugin openvpn-otp OpenVPNViacheslav Hletenko
2023-04-10Merge pull request #1942 from sever-sever/T4770Daniil Baturin
T4770: Ability to get OpenVPN iface state and description for raw
2023-04-10Merge pull request #1946 from ichdasich/filtered_routesDaniil Baturin
T5078: Added filtered-routes BGP command
2023-04-10Merge pull request #1945 from sever-sever/T5148Daniil Baturin
T5148: Fix OpenVPN plugin dir variable
2023-04-10T5078: Added filtered-routes BGP commandTobias Fiebig
2023-04-10T5148: Fix OpenVPN plugin dir variableViacheslav Hletenko
Jinja2 template uses {{ plugin_dir }} that it gets from the interface-openvpn.py variable 'plugin_dir' but the correct var should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
2023-04-10T4770: Ability to get OpenVPN iface state and description for rawViacheslav Hletenko
2023-04-09Merge pull request #1944 from chenxiaolong/eapol_tls_1.0_regressionChristian Breunig
eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
2023-04-09eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLSAndrew Gunnerson
The Debian 12 upgrade in T5003 caused a regression for connecting to legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows this by default in their wpa_supplicant package, but their `allow-tlsv1.patch` patch does not work properly with VyOS' newer wpa_supplicant package, which is based on the latest code in git. As a result, wpa_supplicant always respects the system-wide openssl crypto policy, disallowing TLSv1. The commit uses the documented way of allowing TLSv1, which takes precedence over the system crypto policy. Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-07openvpn: T5149: do not raise error in case of disabled interfaceJohn Estabrook
2023-04-07T1237: Failover route add checks for multiple targetsViacheslav Hletenko
There is only one target for checking ICMP/ARP Extend it for checking multiple targets set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1' set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11' The route will be installed only if all targets are 'alive'
2023-04-06container: T5147: ensure container network exists before VRF operationChristian Breunig
Networks are started only as soon as there is a consumer. If only a network is created in the first place, no need to assign it to a VRF as there's no consumer, yet.
2023-04-04Merge pull request #1937 from aapostoliuk/T5135-sagittaChristian Breunig
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
2023-04-04Merge pull request #1938 from sever-sever/T5142Christian Breunig
T5142: Add audit tool to monitor security-relevant events
2023-04-04Merge pull request #1939 from sever-sever/T5145Christian Breunig
T5145: Add maximum number of all logins on system
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
2023-04-04T5142: Add audit tool to monitor security-relevant eventsViacheslav Hletenko
2023-04-04opennhrp: T5135: Rewritten opennhrp script using vyos.ipsecaapostoliuk
Rewritten opennhrp script using vyos.ipsec library
2023-04-03dns: T5144: Improve dns dynamic status outputIndrajit Raychaudhuri
Improve and fix the output of dynamic dns status to be compatible with new ddclient cache format. Additional details: - The status output is now formatted as a table with per-host dual-stack information in rows. Columns not having actual value present in the output will be kept empty. - The 'Last update' column is now formatted in Local time format instead of UTC.
2023-04-03Merge pull request #1932 from sever-sever/T5125Christian Breunig
T5125: Sflow op-mode add event_samples_suppressed option
2023-04-03Merge pull request #1934 from sever-sever/T5141Christian Breunig
T5141: Add numbers for dhclient-exit-hooks.d to enforce order
2023-04-03Merge pull request #1933 from sever-sever/T5139Christian Breunig
T5139: IPSec add IKE lifetime 0 for no rekeying
2023-04-03T5141: Add numbers for dhclient-exit-hooks.d to enforce orderViacheslav Hletenko
Add numbers for all dhclient-exit-hooks.d to enforce script order execution Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1' it is described in the https://vyos.dev/T4856, so we should move this hook to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
2023-04-03T5139: IPSec add IKE lifetime 0 for no rekeyingViacheslav Hletenko
IKE lifetime should starting from 0 for disabling rekeying
2023-04-03T5125: Sflow op-mode add event_samples_suppressed optionViacheslav Hletenko
Add "Packet drops suppressed" option Rename "Samples drop events sent" to "Packet drops sent"
2023-04-02container: T5134: support binding container network to specific VRFChristian Breunig
Container networks now can be bound to a specific VRF instance. set vrf name <foo> table <xxx> set container network <name> vrf <foo>
2023-04-02xml: re-use generic-description.xml.i building block whenever possibleChristian Breunig
Remove redundant XML CLI node definitions for the common description node by referencing the common building block.
2023-04-01Merge pull request #1929 from sever-sever/T5125Christian Breunig
T5125: Extend op-mode show sflow add new metric
2023-04-01T5125: Extend op-mode show sflow add new metricViacheslav Hletenko
Add new metric, the number of packet-drop-events sent
2023-04-01container: T4959: bugfix credential validation on registriesChristian Breunig
Commit fe82d86d ("container: T4959: add registry authentication option") looked up the wrong config dict level when validating that both username and password need to be specified when registries are in use.
2023-04-01container: T5082: switch to netavark network stackChristian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-04-01container: T5047: bugfix TypeError: argument of type 'NoneType' is not iterableChristian Breunig
Commit 52e51ffb ("container: T5047: restart only containers that changed") started to iterate over a NoneType which is invalid. This happened when a network description was changed but no container was due for restart.
2023-04-01xml: include building block file name should end with .i and not .inChristian Breunig
2023-04-01isis: op-mode: T5132: bugfix VRF commands for route and neighborChristian Breunig
show isis vrf <name> neighbor|route did not call the vtysh wrapper but instead always called the commands for the default routing table.
2023-04-01Merge pull request #1926 from aapostoliuk/T5093-sagittaChristian Breunig
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
2023-04-01xml: T5128: streamline help string for interface CLI node building blocksChristian Breunig
2023-04-01xml: allow-client: T5126: re-use new building block also for NTP serviceChristian Breunig
2023-03-31Merge pull request #1920 from jestabro/https-allow-clientViacheslav Hletenko
http-api: T5126: allow restricting client IP address
2023-03-31http-api: T5126: allow restricting client IP addressJohn Estabrook