| Age | Commit message (Collapse) | Author |
|---|
|
ocserv: T4597: Fix check bounded port by service itself
|
|
We check listen port before commit service if is port available and
not bounded, but when we start openconnect our own port starts be
bounded by "ocserv-main" process and next commit will be fail as
port is already bound
To fix it, extend check if port already bonded and it is not our
self process "ocserv-main"
|
|
UPnP: T4211: T4620 Fix upnp template
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
|
|
From the doc miniupnpd
IP/mask format must be nnn.nnn.nnn.nnn/nn
Comment out invalid option "anchor"
|
|
Address @sever-sever's suggestion to refactor how groupconfig is
defined, parsed, and set (with his proposed conditional string
appending Py-sugar). Use the disable-mobike refactor as template
for XML simplification.
Testing:
None yet
|
|
Ability to drop|accept packets based on TCP MSS size
set firewall name <tag> rule <tag> tcp mss '501-1460'
|
|
Enterprise RADIUS configurations often utilize group selectors for
authentication and attribute distribution for connecting clients.
Ocserv implements this functionality via the `select-group` config
file attribute, repeating for multiple groups. When a user selects
their membership group and the request is passed to the RADIUS
server, ocserv will match the returned Class attribute against the
value selected by the user. This functionality also works for local
group membership resolution, although VyOS currently doesn't have
group membership configuration for this.
Expose the tunnel-all-dns option in the ocserv config file allowing
users who deploy default routes to select split-dns and those who
do not to enable full DNS tunneling.
Testing:
Smoketests & build
Configured groups in openconnect profile and verified existence
in /run/ocserv/ocserv.conf
Configured forced dns tunneling and verified presence of setting
in /run/ocserv/ocserv.conf
|
|
From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.
Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.
Testing:
Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
|
|
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
It will be enough for PREROUTING and POSTROUTING rules
Use a separate table 'vyos_static_nat' as SRC/DST rules and
STATIC rules can have the same rule number
|
|
upnp: T4613: Verify listen key in dictionary
|
|
T4619: Replacing instead of adding a static arp entry
|
|
|
|
There is no check if 'listen' is exist in the dictionary, fix it
Fix odd ValueHelp format
|
|
|
|
ocserv: T4596: Rewrite show openconnect sessions op-mode
|
|
|
|
dhcp-relay: T4601: restart dhcp relay-agent
|
|
The command "restart dhcp relay-agent" doesn't restart "isc-dhcp-relay" service.
|
|
set vpn openconnect network-settings split-dns <domain>
|
|
|
|
|
|
container: T4609: Fix restart container
|
|
Add 2 dashes for arg "name"
|
|
dmvpn: T4595: Fix dpd profile options
|
|
l2tp: T4603: Add RADIUS nas-ip-address option
|
|
Fix template for configuration DMVPN IKE profile
dead-peer-detection delay and dead-peer-detecion timeout options
|
|
Add l2tp authentication radius nas-ip-address option
which will be sent in NAS-IP-Address Radius attribute
|
|
nat66: T4598: Add exclude options in nat66
|
|
and nat-rule.xml.i
|
|
Rewrite "show openconnect-server sessions" to vyos.opmode format
Ability to get raw and formatted output
Ability to get data via API
|
|
ocserv: T4597: Check bind port before openconnect commit
|
|
|
|
Check if openconnect listen port is available and not used by
another service
|
|
T2719: add an exception hierarchy for op mode errors
|
|
|
|
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
|
|
|
|
AES-GCM-256
|
|
|
|
nat66: T4586: Add SNAT destination prefix and DNAT address
|
|
Rewrite op-mode "show vpn ipsec sa" to new format
Use vyos.opmode format
Ability to get raw and formatted output
|
|
Add overwritten script 'ipsec.py' to 'op-mode-standardized.json'
|
|
Convert multiple types of data to types usable in CLI
For example 'vici' returns values in bytestring/bytes and we can
decode them all at once
|
|
|
|
on error
|
|
|
|
T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
|
|
Ability to configure SNAT destination prefix and
DNAT source address
Add option "!" - not address/prefix for NAT66
|
|
Add IPV6 exclude validators:
- ipv6-address-exclude
- ipv6-prefix-exclude
Will use in nat66 source/destination
|
