summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-04-10Merge pull request #1949 from sever-sever/T5065Christian Breunig
T5065: Add verify for firewall port-group and port
2023-04-10Merge pull request #1948 from chenxiaolong/T5151Christian Breunig
hostapd: T5151: Override ConditionFileNotEmpty
2023-04-10T5065: Add verify for firewall port-group and portViacheslav Hletenko
We cannot use both 'port' and 'port-group' for the same direction in one rule at the same time Otherwise it generates wrong rules that don't block anything set P_pgrp { type inet_service flags interval auto-merge elements = { 101-105 } } chain NAME_foo { tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10" counter return comment "foo default-action accept" }
2023-04-10hostapd: T5151: Override ConditionFileNotEmptyAndrew Gunnerson
Debian's `debian/2%2.10-12` update of the hostap packaging added a ConditionFileNotEmpty directive for `/etc/hostapd/<...>` paths, which doesn't match the `/run/hostapd/<...>` paths that VyOS uses. This commit updates the override file to use the proper VyOS paths. https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-10Merge pull request #1941 from sever-sever/T1237Viacheslav Hletenko
T1237: Failover route add checks for multiple targets
2023-04-10Merge pull request #1942 from sever-sever/T4770Daniil Baturin
T4770: Ability to get OpenVPN iface state and description for raw
2023-04-10Merge pull request #1946 from ichdasich/filtered_routesDaniil Baturin
T5078: Added filtered-routes BGP command
2023-04-10Merge pull request #1945 from sever-sever/T5148Daniil Baturin
T5148: Fix OpenVPN plugin dir variable
2023-04-10T5078: Added filtered-routes BGP commandTobias Fiebig
2023-04-10T5148: Fix OpenVPN plugin dir variableViacheslav Hletenko
Jinja2 template uses {{ plugin_dir }} that it gets from the interface-openvpn.py variable 'plugin_dir' but the correct var should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
2023-04-10T4770: Ability to get OpenVPN iface state and description for rawViacheslav Hletenko
2023-04-09Merge pull request #1944 from chenxiaolong/eapol_tls_1.0_regressionChristian Breunig
eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
2023-04-09eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLSAndrew Gunnerson
The Debian 12 upgrade in T5003 caused a regression for connecting to legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows this by default in their wpa_supplicant package, but their `allow-tlsv1.patch` patch does not work properly with VyOS' newer wpa_supplicant package, which is based on the latest code in git. As a result, wpa_supplicant always respects the system-wide openssl crypto policy, disallowing TLSv1. The commit uses the documented way of allowing TLSv1, which takes precedence over the system crypto policy. Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-07openvpn: T5149: do not raise error in case of disabled interfaceJohn Estabrook
2023-04-07T1237: Failover route add checks for multiple targetsViacheslav Hletenko
There is only one target for checking ICMP/ARP Extend it for checking multiple targets set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1' set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11' The route will be installed only if all targets are 'alive'
2023-04-06container: T5147: ensure container network exists before VRF operationChristian Breunig
Networks are started only as soon as there is a consumer. If only a network is created in the first place, no need to assign it to a VRF as there's no consumer, yet.
2023-04-04Merge pull request #1937 from aapostoliuk/T5135-sagittaChristian Breunig
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
2023-04-04Merge pull request #1938 from sever-sever/T5142Christian Breunig
T5142: Add audit tool to monitor security-relevant events
2023-04-04Merge pull request #1939 from sever-sever/T5145Christian Breunig
T5145: Add maximum number of all logins on system
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
2023-04-04T5142: Add audit tool to monitor security-relevant eventsViacheslav Hletenko
2023-04-04opennhrp: T5135: Rewritten opennhrp script using vyos.ipsecaapostoliuk
Rewritten opennhrp script using vyos.ipsec library
2023-04-03Merge pull request #1932 from sever-sever/T5125Christian Breunig
T5125: Sflow op-mode add event_samples_suppressed option
2023-04-03Merge pull request #1934 from sever-sever/T5141Christian Breunig
T5141: Add numbers for dhclient-exit-hooks.d to enforce order
2023-04-03Merge pull request #1933 from sever-sever/T5139Christian Breunig
T5139: IPSec add IKE lifetime 0 for no rekeying
2023-04-03T5141: Add numbers for dhclient-exit-hooks.d to enforce orderViacheslav Hletenko
Add numbers for all dhclient-exit-hooks.d to enforce script order execution Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1' it is described in the https://vyos.dev/T4856, so we should move this hook to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
2023-04-03T5139: IPSec add IKE lifetime 0 for no rekeyingViacheslav Hletenko
IKE lifetime should starting from 0 for disabling rekeying
2023-04-03T5125: Sflow op-mode add event_samples_suppressed optionViacheslav Hletenko
Add "Packet drops suppressed" option Rename "Samples drop events sent" to "Packet drops sent"
2023-04-02container: T5134: support binding container network to specific VRFChristian Breunig
Container networks now can be bound to a specific VRF instance. set vrf name <foo> table <xxx> set container network <name> vrf <foo>
2023-04-02xml: re-use generic-description.xml.i building block whenever possibleChristian Breunig
Remove redundant XML CLI node definitions for the common description node by referencing the common building block.
2023-04-01Merge pull request #1929 from sever-sever/T5125Christian Breunig
T5125: Extend op-mode show sflow add new metric
2023-04-01T5125: Extend op-mode show sflow add new metricViacheslav Hletenko
Add new metric, the number of packet-drop-events sent
2023-04-01container: T4959: bugfix credential validation on registriesChristian Breunig
Commit fe82d86d ("container: T4959: add registry authentication option") looked up the wrong config dict level when validating that both username and password need to be specified when registries are in use.
2023-04-01container: T5082: switch to netavark network stackChristian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-04-01container: T5047: bugfix TypeError: argument of type 'NoneType' is not iterableChristian Breunig
Commit 52e51ffb ("container: T5047: restart only containers that changed") started to iterate over a NoneType which is invalid. This happened when a network description was changed but no container was due for restart.
2023-04-01xml: include building block file name should end with .i and not .inChristian Breunig
2023-04-01isis: op-mode: T5132: bugfix VRF commands for route and neighborChristian Breunig
show isis vrf <name> neighbor|route did not call the vtysh wrapper but instead always called the commands for the default routing table.
2023-04-01Merge pull request #1926 from aapostoliuk/T5093-sagittaChristian Breunig
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
2023-04-01xml: T5128: streamline help string for interface CLI node building blocksChristian Breunig
2023-04-01xml: allow-client: T5126: re-use new building block also for NTP serviceChristian Breunig
2023-03-31Merge pull request #1920 from jestabro/https-allow-clientViacheslav Hletenko
http-api: T5126: allow restricting client IP address
2023-03-31http-api: T5126: allow restricting client IP addressJohn Estabrook
2023-03-31Merge pull request #1922 from nicolas-fort/T5128Christian Breunig
T5128: Policy Route: allow wildcard on interface
2023-03-31Merge pull request #1927 from sever-sever/T5125Christian Breunig
T5125: Add op-mode for sFlow based on hsflowd
2023-03-31T5125: Add op-mode for sFlow based on hsflowdViacheslav Hletenko
Add op-mode for sFlow based on hsflowd "show sflow" Add machine readable format '--raw' and formatted output
2023-03-31T5128: Add contraint for firewall interface. Also update smoketest to ↵Nicolas Fort
include at least one wildcarded interface
2023-03-31T5128: Policy Route: allow wildcard on interfaceNicolas Fort
2023-03-31Merge pull request #1925 from sever-sever/T4173-smoketestViacheslav Hletenko
T4173: Fix smoketest for load-balancing wan
2023-03-31Merge pull request #1924 from fett0/T5131Christian Breunig
T5131: fix op-mode show isis segment-routing prefix-sids
2023-03-30 T5131: fix op-mode show isis segment-routing prefix-sidsfett0