summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-05-29eigrp: T2473: add XML definitionssever-sever
2022-05-29Merge branch 'T4449' of https://github.com/nicolas-fort/vyos-1x into currentChristian Poessinger
* 'T4449' of https://github.com/nicolas-fort/vyos-1x: Policy: T4449: Extend matching options for route-map ip nexthop
2022-05-28rip: T4448: add support to set protocol version on an interface levelChristian Poessinger
2022-05-28xml: rip: T4448: rename include files to match schemaChristian Poessinger
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-28Policy: T4449: Extend matching options for route-map ip nexthopNicolas Fort
2022-05-28smoketest: rip: T4448: improve class startup timeChristian Poessinger
2022-05-28rip: T4448: add support for explicit version selectionChristian Poessinger
2022-05-27dhcp6: pd: T4447: bugfix sla-id limits (must be greater then 128Christian Poessinger
The sla-id parameter of DHCPv6 prefix delegations is limited to 128. While this is enough to use all /64 subnets of a /57 prefix, with a /56 prefix that is no longer sufficient. Increased sla-id length tp 64535 so one could delegate an entire /48.
2022-05-26http-api: T3412: remove unneeded packagesJohn Estabrook
2022-05-26sstp: T4444. Port number changing supportgoodNETnick
2022-05-25Merge pull request #1333 from sever-sever/T4442John Estabrook
http-api: T4442: Add action reset
2022-05-26http-api: T4442: Add action resetViacheslav Hletenko
Add action 'reset' (op-mode) for HTTP-API http://localhost/reset curl --unix-socket /run/api.sock -X POST -Fkey=mykey \ -Fdata='{"op": "reset", "path": ["ip", "bgp", "192.0.2.14"]}' \ http://localhost/reset
2022-05-25Merge pull request #1331 from jestabro/configtest-errorsJohn Estabrook
configtest: T4382: errors exposed by revision of load-config
2022-05-25configtest: T4382: no migration to 'bgp local-as' under vrfJohn Estabrook
The migration script bgp/0-to-1 did not address 'protocols bgp ASN' -> 'protocols bgp local-as ASN' under a vrf. Move to configs.no-load for review on extending/adding a migration script.
2022-05-25configtest: T4382: missing block in migration script vrf/0-to-1John Estabrook
The config vrf-basic reveals a missing block in the migration script vrf/0-to-1, moving 'next-hop-vrf' to 'vrf'. As this only exists in Sagitta, modify script 0-to-1. Also, fix the 'system nt' typo seen in vrf-ospf.
2022-05-25configtest: T4382: missing 'ipv4-options' in 'interfaces openvpn'John Estabrook
As a result of the firewall/5-to-6 migration script, 'firewall options interface vtun0 adjust-mss' is moved to: 'interfaces openvpn vtun0 ip adjust-mss 1380' however, interfaces-openvpn.xml.in is missing the include file ipv4-options.xml.i. Add missing include file.
2022-05-25configtest: T4382: inconsistent ipsec component versionJohn Estabrook
The pki-ipsec sagitta-era config contains 'vpn ipsec ipsec-interfaces interface eth0' with ipsec component version ipsec@6, however, this construction is successfully moved by migration script ipsec/5-to-6. Consequently, this must have been an error in translation of the config file. Note that this is unrelated to the corrected error regarding an empty 'ipsec-interfaces' node. Move config to configs.no-load for review.
2022-05-25configtest: T4382: bgp_small_as has a nonsensical entryJohn Estabrook
bgp_small_as contains set commands such as: 'protocols static route 10.0.0.0/8 MY-NAS distance 254' which would appear to have no meaning, in any VyOS version. Move to config.no-load for analysis.
2022-05-25configtest: T4382: 'nat ... log' takes no 'enable' argumentJohn Estabrook
The component version in bgp-dmvpn-spoke is nat@5, however, 4-to-5 removes the boolean argument. It is confirmed that the migration script works correctly, hence, it must be a typo in translation; remove argument 'enable'.
2022-05-25configtest: T4382: system@20 cannot have 'user level' (16-to-17)John Estabrook
The config file isis-small has system@20, but 'user level' which was migrated in system/16-to-17; remove the line in the config, as there is no problem with the migration script in question.
2022-05-25configtest: T4382: remove typoJohn Estabrook
This is a typo in vrf-ospf: 'system nt' on the line before 'system ntp'.
2022-05-25configtest: T4382: bgp migration scripts need to follow quagga scriptsJohn Estabrook
The configs bgp_bfd_communities and bgp_big_as_cloud reveal a counterexample to the independence of component migration scripts: quagga migration scripts must precede those of bgp; explicitly reorder from lexical order.
2022-05-25configtest: T4382: fix missing delete of 'ipsec-interfaces' nodeJohn Estabrook
Migration of bgp-azure-ipsec-gateway and bgp_dmvpn_hub reveals that migration script ipsec/5-to-6 leaves the empty node 'ipsec-interfaces' after moving the interface; fix the migration script, as it is not yet in 1.3.
2022-05-25Merge pull request #1319 from goodNETnick/ocserv_sh_otp_keyViacheslav Hletenko
ocserv: T4420: show configured 2FA OTP key
2022-05-25Merge pull request #1088 from zdc/T4020-sagittaDaniil Baturin
FRR: T4020: Added CLI options for FRR daemons
2022-05-21smoketest: flow-accounting: T4437: adjust smoketest to new generated config ↵Christian Poessinger
syntax
2022-05-21flow-accounting: T4099: "source-address" must exist locallyChristian Poessinger
2022-05-21xml: flow-accounting: T4437: fix node helpChristian Poessinger
2022-05-21xml: nhrp: fix CLI descriptionChristian Poessinger
2022-05-21nhrp: T4353: use ".service" suffix on systemd nameChristian Poessinger
2022-05-21op-mode: T4390: add nhrp and flow-accounting loggingChristian Poessinger
2022-05-21flow-accounting: T4437: also install rule to IPv6 VYOS_CT_PREROUTING_HOOKChristian Poessinger
2022-05-21flow-accounting: T4437: bugfix IPv6 flow collector addressChristian Poessinger
2022-05-20Merge pull request #1317 from sever-sever/T4418Christian Poessinger
monitoring: T4418: Add output plugin azure-data-explorer
2022-05-20monitoring: T4418: Add output plugin azure-data-explorerViacheslav Hletenko
Add output telegraf Plugin Azure Data Explorer set service monitoring telegraf azure-data-explorer authentication client-id 'x' set service monitoring telegraf azure-data-explorer authentication client-secret 'x' set service monitoring telegraf azure-data-explorer authentication tenant-id 'x' set service monitoring telegraf azure-data-explorer database 'x' set service monitoring telegraf azure-data-explorer group-metrics 'single-table' set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
2022-05-19ipsec: T2816: add completion help for IP addresses to local-address nodeChristian Poessinger
2022-05-19dmvpn: nhrp: T4434: secret length can not exceed 8 charactersChristian Poessinger
2022-05-19Merge pull request #1329 from dmbaturin/T4432John Estabrook
T4432: display load averages normalized for the number of CPU cores
2022-05-19T4432: display load averages normalized for the number of CPU coresDaniil Baturin
2022-05-16Merge pull request #1290 from sever-sever/T4373Christian Poessinger
ppppoe-server: T4373: Add option multiplier for correct shaping
2022-05-16pppoe-server: T4373: Add option multiplier for correct shapingViacheslav Hletenko
Multiplier option is required by some vendors for correct shaping For RADIUS based rate-limits edit service pppoe-server set authentication radius rate-limit multiplier '0.001'
2022-05-16ocserv: T4420: show configured 2FA OTP keygoodNETnick
2022-05-13smoketest: add sshguard allow-from caseChristian Poessinger
2022-05-13sshguard: T4408: rename whitelist-address -> allow-fromChristian Poessinger
We do not only allow individual host addresses but also prefixes.
2022-05-13Debian: T4408: add missing sshguard dependencyChristian Poessinger
2022-05-13Merge pull request #1320 from sever-sever/T4408Christian Poessinger
sshguard: T4408: Add service ssh dynamic-protection
2022-05-12sshguard: T4408: Add service ssh dynamic-protectionViacheslav Hletenko
Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1
2022-05-12vrrp: T4417: bugfix service startup priorityChristian Poessinger
2022-05-12conntrack: T3535: use "reload-or-restart" from systemdChristian Poessinger