summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-10-03Merge pull request #2328 from c-po/t5628-loginChristian Breunig
login: T5628: fix spwd deprecation warning
2023-10-03bonding: T5254: Fixed changing ethernet when it is a bond memberaapostoliuk
If ethernet interface is a bond memeber: 1. Allow for changing only specific parameters which are specified in EthernetIf.get_bond_member_allowed_options function. 2. Added inheritable parameters from bond interface to ethernet interface which are scpecified in BondIf.get_inherit_bond_options. Users can change inheritable options under ethernet interface but in commit it will be copied from bond interface. 3. All other parameters are denied for changing. Added migration script. It deletes all denied parameters under ethernet interface if it is a bond member.
2023-10-02login: T5628: fix spwd deprecation warningChristian Breunig
vyos@vyos:~$ show system login users Username Type Locked Tty From Last login ---------- ------ -------- ----- ------------- ------------------------ vyos vyos False pts/0 172.16.33.139 Mon Oct 2 20:42:24 2023
2023-10-02smoketests: T5626: verify Kernel options required for containersChristian Breunig
2023-09-30T5436: Add missing preconfig-scriptApachez
2023-09-30vrf: netns: T3829: T31: priority needs to be after netnsChristian Breunig
A network namespace can have VRFs assigned, thus we need to get the priorities right. This lowers both priorities in general as a VRF or NETNS needs to be available very early as services can run on top of them.
2023-09-30Merge pull request #2269 from indrajitr/ddclient-wait-timeChristian Breunig
ddclient: T5574: Support per-service cache management for providers
2023-09-30Merge pull request #2300 from nicolas-fort/T5600Christian Breunig
T5600: firewall: change constraints for inbound|outbound interface-name
2023-09-30ddclient: T5574: Support per-service cache management for servicesIndrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient to a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider- specific options in that they are only used if defined.
2023-09-30Merge pull request #2325 from sever-sever/T5165Christian Breunig
T5165: Migrate policy local-route rule x destination to address
2023-09-30Merge pull request #2303 from indrajitr/ddclient-misc-1Christian Breunig
ddclient: T5612: Miscellaneous improvements and fixes for dynamic DNS
2023-09-30Merge pull request #2323 from JeffWDH/currentChristian Breunig
T5497: Add ability to resequence rule numbers for firewall
2023-09-30Merge pull request #2314 from nicolas-fort/T5616Viacheslav Hletenko
T5616: firewall and policy: add option to be able to match firewall marks
2023-09-29T5165: Migrate policy local-route rule x destination to addressViacheslav Hletenko
Migrate policy local-route <destination|source> to node address replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>' => 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
2023-09-29Merge pull request #2324 from sarthurdev/fw_configdepChristian Breunig
conntrack: T5376: Fix conntrack-sync vyos.configdep issues
2023-09-29T5497: Add ability to resequence rule numbers for firewallJeffWDH
Updated spacing.
2023-09-29T5616: firewall: add option to be able to match firewall marks in firewall ↵Nicolas Fort
filter and in policy route.
2023-09-29conntrack: T5376: Fixes for conntrack-sync configdepsarthurdev
Fixes `KeyError: 'conntrack_sync'` Ignore `ConfigError("ConfigError('Interface eth1 requires an IP address!')")` due to calling conntrack-sync too early
2023-09-29T5497: Add ability to resequence rule numbers for firewallJeffWDH
2023-09-29Merge pull request #2256 from zdc/T5577-circinusChristian Breunig
T5577: Optimized PAM configs for RADIUS/TACACS+
2023-09-28Merge pull request #2322 from sarthurdev/synproxy_fixChristian Breunig
firewall: T5217: Synproxy bugfix and ct state conflict checking
2023-09-28firewall: T5217: Synproxy bugfix and ct state conflict checkingsarthurdev
2023-09-28Merge pull request #2307 from indrajitr/mdns-ipversionsChristian Breunig
mdns: T5615: Allow controlling IP version to use for mDNS repeater
2023-09-28mdns: T5615: Rename avahi-daemon config fileIndrajit Raychaudhuri
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the convention used by other config files.
2023-09-28mdns: T5615: Allow controlling IP version to use for mDNS repeaterIndrajit Raychaudhuri
This commit adds a new configuration option to the mDNS repeater service to allow controlling which IP version to use for mDNS repeater. Additionally, publishing AAAA record over IPv4 and A record over IPv6 is disabled as suggested. See: - https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104 - https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
2023-09-28Merge pull request #2295 from sever-sever/T5217-synproxyChristian Breunig
T5217: Add firewall synproxy
2023-09-28Merge pull request #2304 from sarthurdev/conntrack_helpersJohn Estabrook
conntrack: T5376: T5598: Restore kernel conntrack helpers
2023-09-28Merge pull request #2306 from sarthurdev/fw_helperJohn Estabrook
firewall: T5614: Add support for matching on conntrack helper
2023-09-28Merge pull request #2305 from sarthurdev/T5606Daniil Baturin
ipsec: T5606: Add support for whole CA chains
2023-09-28Merge pull request #2313 from sever-sever/T5165Daniil Baturin
T5165: Add option protocol for policy local-route
2023-09-27T5165: Add option protocol for policy local-routeViacheslav Hletenko
Add option `protocol` for policy local-route set policy local-route rule 100 destination '192.0.2.12' set policy local-route rule 100 protocol 'tcp' set policy local-route rule 100 set table '100'
2023-09-26Merge pull request #2308 from sarthurdev/fw_opmodeChristian Breunig
firewall: T5160: Remove zone policy op-mode
2023-09-25firewall: T5160: Remove zone policy op-modesarthurdev
2023-09-24conntrack: T5376: Use vyos.configdep to call conntrack-syncsarthurdev
2023-09-24conntrack: T5376: T5598: Fix for kernel conntrack helperssarthurdev
`nf_conntrack_helper` that auto-assigned helpers is removed from the kernel
2023-09-24firewall: T5614: Add support for matching on conntrack helpersarthurdev
2023-09-24ipsec: T5606: Add support for whole CA chainssarthurdev
Also includes an update to smoketest to verify
2023-09-23ddclient: T5612: Additional refactoring for scripts and smoketestsIndrajit Raychaudhuri
Additional cleanup and refactoring for ddclient scripts including the smotektests.
2023-09-23ddclient: T5612: Relax hostname validation for apex and wildcard entryIndrajit Raychaudhuri
Some porvides (like 'namecheap') allow to use '@' or '*' as hostname prefix for apex and wildcard records. This commit relaxes the hostname validation to allow these prefixes.
2023-09-23ddclient: T5612: Adjust validator and completion for ddclientIndrajit Raychaudhuri
Adjust the validator and completion for ddclient to remove unsupported or superfluous protocols. Specifically, - remove 'nsupdate' protocol from the list because there is a separate config path for that protocol (rfc2136) - remove 'cloudns' protocol from the list because it has non standard configuration and is not supported by our configurator at this time
2023-09-23ddclient: T5612: Enable TTL support for web-service based protocolsIndrajit Raychaudhuri
Enable TTL support for web-service based protocols in addition to RFC2136 based (nsupdate) protocol. Since TTL is not supported by all protocols, and thus cannot have a configuration default, the existing XML snippet `include/dns/time-to-live.xml.i` does not have common `<defaultValue>300</defaultValue>` anymore and is instead added explicitly whenever necessary.
2023-09-23ddclient: T5612: Refactor zone configurationIndrajit Raychaudhuri
Refactor zone configuration to use shared XML snippet for all cases.
2023-09-23ddclient: T5612: Generate more reliable ddclient configIndrajit Raychaudhuri
Adjust the jinja template to avoid generating incorrect ddclient.conf in some cases. The template is reformatted to guarantee whitespacing and empty line separation.
2023-09-23ddclient: T5612: Improve dual stack support for dyndns2 protocolIndrajit Raychaudhuri
dyndns2 protocol in ddclient honors dual stack for selective servers because of the way it is implemented in ddclient. We formalize the well known servers that support dual stack in a list and check against it when validating the configuration.
2023-09-23ddclient: T5612: Fix VRF support for ddclient serviceIndrajit Raychaudhuri
Fix VRF support interface definition and configuration mode for ddclient to actually capture the VRF name and pass it to the template.
2023-09-23Merge pull request #2302 from sever-sever/T5497Viacheslav Hletenko
T5497: op-mode: Add generate firewall rule-resequence
2023-09-23T5497: op-mode: Add generate firewall rule-resequenceViacheslav Hletenko
Add op-mode command `generate firewall rule-resequence` Generates output with new sequences for firewall rules set firewall ipv4 input filter rule 1 action 'accept' set firewall ipv4 input filter rule 1 description 'Allow loopback' $ generate firewall rule-resequence start 10 step 10 set firewall ipv4 input filter rule 10 action 'accept' set firewall ipv4 input filter rule 10 description 'Allow loopback'
2023-09-22Merge pull request #2298 from jestabro/disk-by-idChristian Breunig
smoketest: T5607: support getting SCSI device by drive-id
2023-09-21T5217: Add firewall synproxyViacheslav Hletenko
Add ability to SYNPROXY connections It is useful to protect against TCP SYN flood attacks and port-scanners set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '22' set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
2023-09-21T5600: firewall: change constraints for inbound|outbound interface-name. Now ↵Nicolas Fort
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.