We cannot use both 'port' and 'port-group' for the same direction
in one rule at the same time.
Otherwise it generates wrong rules that don't block anything:
set P_pgrp {
type inet_service
flags interval
auto-merge
elements = { 101-105 }
}
chain NAME_foo {
tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10"
counter return comment "foo default-action accept"
}
T1237: Failover route add checks for multiple targets
T4770: Ability to get OpenVPN iface state and description for raw
T5078: Added filtered-routes BGP command
T5148: Fix OpenVPN plugin dir variable
The Jinja2 template uses {{ plugin_dir }}, which it gets from the
interface-openvpn.py variable 'plugin_dir', but the correct variable
should be part of the 'openvpn' dictionary, i.e. openvpn['plugin_dir'].
eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
The Debian 12 upgrade in T5003 caused a regression for connecting to
legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows
this by default in their wpa_supplicant package, but their
`allow-tlsv1.patch` patch does not work properly with VyOS' newer
wpa_supplicant package, which is based on the latest code in git. As a
result, wpa_supplicant always respects the system-wide openssl crypto
policy, disallowing TLSv1. The commit uses the documented way of
allowing TLSv1, which takes precedence over the system crypto policy.
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
There is only one target for checking ICMP/ARP.
Extend it for checking multiple targets:
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11'
The route will be installed only if all targets are 'alive'.

Networks are started only as soon as there is a consumer. If only a network is
created in the first place, no need to assign it to a VRF as there's no
consumer, yet.
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
T5142: Add audit tool to monitor security-relevant events
T5145: Add maximum number of all logins on system
maxsyslogins
maximum number of all logins on system; a user is not
allowed to log in if the total number of all user logins is
greater than the specified number (this limit does not apply
to the user with uid=0)
set system login max-login-session 2
Rewritten opennhrp script using vyos.ipsec library
T5125: Sflow op-mode add event_samples_suppressed option
T5141: Add numbers for dhclient-exit-hooks.d to enforce order
T5139: IPSec add IKE lifetime 0 for no rekeying
Add numbers for all dhclient-exit-hooks.d scripts to enforce script execution order.
Also, move '99-run-user-hooks' to '98-run-user-hooks' due to a
vyatta-dhclient-hook bug where it exits with 'exit 1'; this is
described in https://vyos.dev/T4856, so we should move this hook
to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'.
IKE lifetime should start from 0 to disable rekeying.

Add "Packet drops suppressed" option.
Rename "Samples drop events sent" to "Packet drops sent".

Container networks now can be bound to a specific VRF instance:
set vrf name <foo> table <xxx>
set container network <name> vrf <foo>

Remove redundant XML CLI node definitions for the common description node by
referencing the common building block.
T5125: Extend op-mode show sflow add new metric
Add new metric: the number of packet-drop-events sent.

Commit fe82d86d ("container: T4959: add registry authentication option") looked
up the wrong config dict level when validating that both username and password
need to be specified when registries are in use.
We now support assigning discrete IPv6 addresses to a container.
Commit 52e51ffb ("container: T5047: restart only containers that changed")
started to iterate over a NoneType which is invalid. This happened when a
network description was changed but no container was due for restart.
show isis vrf <name> neighbor|route
did not call the vtysh wrapper but instead always called the commands
for the default routing table.
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
http-api: T5126: allow restricting client IP address
T5128: Policy Route: allow wildcard on interface
T5125: Add op-mode for sFlow based on hsflowd
Add op-mode for sFlow based on hsflowd: "show sflow".
Add machine readable format '--raw' and formatted output.

include at least one wildcarded interface
T4173: Fix smoketest for load-balancing wan
T5131: fix op-mode show isis segment-routing prefix-sids
interfaces: T5130: remove show_interfaces.py reference and script