Age | Commit message (Collapse) | Author |
|
T5497: op-mode: Add generate firewall rule-resequence
|
|
Add op-mode command `generate firewall rule-resequence`
Generates output with new sequences for firewall rules
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Allow loopback'
$ generate firewall rule-resequence start 10 step 10
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow loopback'
|
|
smoketest: T5607: support getting SCSI device by drive-id
|
|
Add ability to SYNPROXY connections
It is useful to protect against TCP SYN flood attacks and port-scanners
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
|
|
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.
|
|
|
|
|
|
T5602: Reverse-proxy add option backup for backend server
|
|
|
|
|
|
|
|
openvpn: T5269: add a deprecation warning for shared-secret
|
|
|
|
A `backup` server can be defined to take over in the case of all other
backends failing
set load-balancing reverse-proxy backend <tag> server <tag> address '192.0.2.3'
set load-balancing reverse-proxy backend <tag> server <tag> port '8883'
set load-balancing reverse-proxy backend <tag> server <tag> backup
|
|
conntrack: firewall: T4502: Update conntrack check for new flowtable CLI
|
|
Also updates flowtable smoketest to verify conntrack enabled
|
|
init: T5239: configure system hostname prior to FRR startup
|
|
On first boot after an upgrade /etc/hostname and FRR configuration is not
populated. FRR determines the system hostname once during startup and does not
repect changes of the hostname CLI value.
Thus after an upgrade of VyOS FRR started with a hostname of debian that was
propagated to peers.
The commit retrieves the hostname from the CLI and presets this before FRR is
initially started.
|
|
After sources analysis, we found the next possible return statuses for PAM
modules:
1. pam_tacplus
Auth:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BUF_ERR
- PAM_CRED_INSUFFICIENT
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Account:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Session:
- PAM_AUTHINFO_UNAVAIL
- PAM_SESSION_ERR
- PAM_SUCCESS
- PAM_USER_UNKNOWN
2. pam_radius_auth
Auth:
- PAM_ABORT
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
Account:
- PAM_SUCCESS
Session:
- PAM_ABORT
- PAM_AUTHINFO_UNAVAIL
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
PAM configurations were replaced with tuned versions to take this into account.
|
|
bgp: T5596: add new features from FRR 9
|
|
isis: T5597: add new features from FRR 9
|
|
firewall: T4502: Update to flowtable CLI
|
|
A commit that removes `firewall bridge` will delete the table and not re-create it. Therefore any further firewall commit will fail trying to delete the non-existent bridge table. This commit ensures the table is always present (even if empty) to ensure successful commit.
|
|
supports HW flowtable offload
- Add required offload setting for interfaces + flowtable offload (hw-tc-offload)
- Verification of interface support for hardware offloaded flowtables
|
|
`set firewall flowtable <name> interface <ifname>`
`set firewall flowtable <name> offload [software|hardware]`
`set firewall [ipv4|ipv6] forward filter rule N action offload`
`set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
|
|
|
|
|
|
* Add support for IS-IS advertise-high-metrics
set protocols isis advertise-high-metrics
* Add support for IS-IS advertise-passive-only
set protocols isis advertise-passive-only
|
|
* Add BGP Software Version capability (draft-abraitis-bgp-version-capability)
set protocols bgp neighbor 192.0.2.1 capability software-version
* Add BGP neighbor path-attribute treat-as-withdraw command
set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw
|
|
T5590: firewall log rule: fix order which rule are processed
|
|
conntrack: T5571: Refactor conntrack using vyos.configdep
|
|
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i`
- Update smoketest to verify TCP flag matching
|
|
should be added at the end of the rule, after all matchers and befora action. Also change 2 lines in policy_route smoketest, which suddenly wasn't working as expected
|
|
ddclient: T5573: Fix smoketest for updated ddclient config
|
|
GitHub: Add smoketest result menu
|
|
T5594: vrrp: extend function is_ipv6_tentative
|
|
address, and not only global ipv6 address. This allows to configure ipv6 link local address on vrrp hello-source-address parameter.
|
|
Add the `Smoketest result` option to the default PR template
|
|
|
|
ddclient: T5573: Update config generation aligning with caching fixes
|
|
|
|
/usr/libexec/vyos/conf_mode/nat.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
from distutils.version import LooseVersion
|
|
firewall, nat, nat66
|
|
T5586: Disable by default SNMP for Keeplived VRRP service
|
|
T5261: Add AWS load-balancing tunnel handler
|
|
T4502: Fix syntax error introduced by #2062
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
|
|
When rebasing https://github.com/vyos/vyos-1x/pull/2062, some additional
lines are mistakenly included.
https://github.com/vyos/vyos-1x/commit/45cfd569119b66abd2f0dfb954042b57921881bd
has removed the extra `}`, but the `{{ group_tmpl.groups(group, True)
}}` line needs to be removed as well.
|
|
ddclient: T5585: Fix file access mode for dynamic dns configuration
|
|
After commit 976f82785 ("T5575: ARP/NDP table-size isnt set properly") the
system bootup process got interrupted as both system-ip.py and system-ipv6.py
tried to talk to FRR which was yet not started.
This has been fixed by using a conditional path to only execute when FRR service
has been enabled. This is safe to do as the initial commit call will has FRR
service running and the path will be executed.
|