Age | Commit message | Author |

T5148: Add smoketest for plugin openvpn-otp OpenVPN
T5065: Add verify for firewall port-group and port
hostapd: T5151: Override ConditionFileNotEmpty
We cannot use both 'port' and 'port-group' for the same direction
in one rule at the same time.
Otherwise it generates wrong rules that don't block anything:
    set P_pgrp {
        type inet_service
        flags interval
        auto-merge
        elements = { 101-105 }
    }
    chain NAME_foo {
        tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10"
        counter return comment "foo default-action accept"
    }
Debian's `debian/2%2.10-12` update of the hostap packaging added a
ConditionFileNotEmpty directive for `/etc/hostapd/<...>` paths, which
doesn't match the `/run/hostapd/<...>` paths that VyOS uses. This commit
updates the override file to use the proper VyOS paths.
https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
T1237: Failover route add checks for multiple targets
T4770: Ability to get OpenVPN iface state and description for raw
T5078: Added filtered-routes BGP command
T5148: Fix OpenVPN plugin dir variable
The Jinja2 template uses {{ plugin_dir }}, which it gets from the
interface-openvpn.py variable 'plugin_dir', but the correct variable
should be part of the 'openvpn' dictionary, i.e. openvpn['plugin_dir'].
eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
The Debian 12 upgrade in T5003 caused a regression for connecting to
legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows
this by default in their wpa_supplicant package, but their
`allow-tlsv1.patch` patch does not work properly with VyOS' newer
wpa_supplicant package, which is based on the latest code in git. As a
result, wpa_supplicant always respects the system-wide openssl crypto
policy, disallowing TLSv1. The commit uses the documented way of
allowing TLSv1, which takes precedence over the system crypto policy.
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
There is only one target for checking ICMP/ARP.
Extend it for checking multiple targets:
    set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1'
    set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11'
The route will be installed only if all targets are 'alive'.
Refactoring the tech-support command from .sh to .py
Networks are started only as soon as there is a consumer. If only a network is
created in the first place, no need to assign it to a VRF as there's no
consumer, yet.
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
T5142: Add audit tool to monitor security-relevant events
T5145: Add maximum number of all logins on system
maxsyslogins
    maximum number of all logins on system; user is not
    allowed to log in if total number of all user logins is
    greater than specified number (this limit does not apply
    to user with uid=0)

    set system login max-login-session 2
Rewritten opennhrp script using vyos.ipsec library
This will prevent arbitrary strings from being entered as domain names.
Additionally, reuse the fqdn validator instead of a custom regex.
Improve and fix the output of dynamic dns status to be compatible with
the new ddclient cache format.
Additional details:
- The status output is now formatted as a table with per-host dual-stack
  information in rows. Columns for which no value is present in the
  output will be kept empty.
- The 'Last update' column is now formatted in local time instead
  of UTC.
T5125: Sflow op-mode add event_samples_suppressed option
T5141: Add numbers for dhclient-exit-hooks.d to enforce order
T5139: IPSec add IKE lifetime 0 for no rekeying
Add numbers to all dhclient-exit-hooks.d scripts to enforce script execution order.
Also move '99-run-user-hooks' to '98-run-user-hooks' because of the
vyatta-dhclient-hook bug (it exits with 'exit 1'), which is
described in https://vyos.dev/T4856, so we should move this hook
to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'.
IKE lifetime should start from 0 to disable rekeying.
Add "Packet drops suppressed" option
Rename "Samples drop events sent" to "Packet drops sent"
Container networks can now be bound to a specific VRF instance.
    set vrf name <foo> table <xxx>
    set container network <name> vrf <foo>
Remove redundant XML CLI node definitions for the common description node by
referencing the common building block.
T5125: Extend op-mode show sflow add new metric
Add a new metric: the number of packet-drop events sent.
Commit fe82d86d ("container: T4959: add registry authentication option") looked
up the wrong config dict level when validating that both username and password
need to be specified when registries are in use.
We now support assigning discrete IPv6 addresses to a container.
Commit 52e51ffb ("container: T5047: restart only containers that changed")
started to iterate over a NoneType which is invalid. This happened when a
network description was changed but no container was due for restart.
'show isis vrf <name> neighbor|route'
did not call the vtysh wrapper but instead always called the commands
for the default routing table.
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
http-api: T5126: allow restricting client IP address