Age | Commit message (Collapse) | Author |
|
|
|
By using a Jinja2 macro the same template code can be used to create both
source and destination NAT rules with only minor changes introduced by
e.g. the used chain (POSTROUTING vs PREROUTING).
Used the following configuration for testing on two systems with VyOS 1.2
and the old implementation vs the new one here.
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 15 translation port '3389'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
set nat source rule 120 outbound-interface 'eth0.202'
set nat source rule 120 protocol 'tcp_udp'
set nat source rule 120 source address '192.0.3.0/26'
set nat source rule 120 translation address '2.2.2.2'
|
|
Build up only one output rule string by appending the configuration part by
part.
|
|
CLI commands used for ruleset generation:
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
|
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to
nftables and then do the diff. To convert from iptables to nftables use the
following command:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat source rule 10 description 'foo-10'
set nat source rule 10 destination address '1.1.1.1'
set nat source rule 10 destination port '1111'
set nat source rule 10 exclude
set nat source rule 10 log 'enable'
set nat source rule 10 outbound-interface 'eth0.202'
set nat source rule 10 protocol 'tcp_udp'
set nat source rule 10 translation address '192.0.2.10'
set nat source rule 15 description 'foo-10'
set nat source rule 15 destination address '1.1.1.1'
set nat source rule 15 exclude
set nat source rule 15 log 'enable'
set nat source rule 15 outbound-interface 'eth0.202'
set nat source rule 15 protocol 'tcp_udp'
set nat source rule 15 translation address '192.0.2.10'
set nat source rule 20 description 'foo-20'
set nat source rule 20 destination address '2.2.2.2'
set nat source rule 20 log 'enable'
set nat source rule 20 outbound-interface 'eth0.201'
set nat source rule 20 protocol 'tcp'
set nat source rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
|
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to
nftables and then do the diff. To convert from iptables to nftables use the
following command:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat destination rule 10 description 'foo-10'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '1111'
set nat destination rule 10 exclude
set nat destination rule 10 inbound-interface 'eth0.202'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.10'
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 exclude
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 log
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 log
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
|
|
|
|
Make the entire template more maintainable
|
|
|
|
|
|
When instantiating NAT it is required to isntall some nftable jump targets.
The targets need to be added after a specific other target thus we need to
dynamically query the handler number. This is done by get_handler() which could
be moved to vyos.util at a later point in time so it can be reused for a
firewall rewrite.
|
|
|
|
|
|
|
|
New command added:
* set vpn sstp network-settings name-server 2001:db8::1111
|
|
New commands added:
* set vpn sstp network-settings client-ipv6-pool prefix 2001:db8::/64 mask 112
* set vpn sstp network-settings client-ipv6-pool delegate 2001:db8:100::/48 delegation-prefix 64
|
|
|
|
... no need to reinvent the wheel in our Python code.
|
|
The intermedite class only held the path to the configuration files - thus
its existence was doubtworthy. For better readability and a clean
inheritance graph that class has been dropped.
|
|
|
|
|
|
|
|
- delete log_file, log_level and user nodes
- rename hash_type to hash
- rename mine_interval to interval
|
|
|
|
This allows the radius client to work when a management VRF is in use.
|
|
|
|
* 'pptp-rewrite' of github.com:c-po/vyos-1x:
accel-ppp: fix wrong reference in verify() on missing attributes
accel-ppp: T2314: bugfix wrong placement of endif in Jinja2 template
vpn: pptp: T2351: add support for common radius-additions XML
vpn: pptp: T2351: migrate to common radius CLI
vpn: pptp: T2351: migrate to common name-server, wins-server nodes
accel-ppp: provide common wins-server include definition
vpn: pptp: T2351: use first IP from client pool as gateway address
vpn: pptp: T2351: align configuration to other accel implementations
vpn: pptp: T2351: migrate from SysVinit to systemd
vyos.util: migrate all cpu_count() occurances to common get_half_cpus()
|
|
|
|
|
|
|
|
|
|
Commit bb9f998 introduced a bug where openvpn fails to start if
'local-host' is an IPv4 address due to 'proto' wanting a IPv6 socket.
This adds a conditional check and uses normal proto if it's IPv4.
|
|
|
|
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to
systemd") as not all relevant configuration files have been re-rendered
into /run/openvpn.
|
|
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to
systemd") as not all relevant configuration files have been re-rendered
into /run/openvpn
|
|
|
|
|
|
|
|
|
|
implementations
|
|
|
|
|
|
When only defining a timeout limit the generated config will look like:
[connlimit]
limit=
burst=
timeout=5
This will trigger a "Floating point exception" on startup of Accel-PPP and it
can be re-surrected anymore until service is completely deleted and re-added.
|
|
Instead of having "dns-server server-1|server-2" nodes and the same for IPv6
all DNS nameservers are migrated to a common name-servers node.
|
|
|
|
Yet, VyOS knows these two encryption schemes for WiFi:
1. CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
2. TKIP = Temporal Key Integrity Protocol
These encryption schemes are new and especially the Galois counter mode
cipher suites are very desirable!
1. CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key
2. GCMP = Galois/counter mode protocol (GCMP-128)
3. GCMP-256 = Galois/counter mode protocol with 256-bit key
CCMP is supported by all WPA2 compatible NICs, so this remains the
default cipher for bidirectional and group packets while using WPA2.
Use 'iw list' to figure out which cipher suites your cards support
prior to configuring other cipher suites than CCMP. AP NICs and
STA NICs must both support at least one common cipher in a given
list in order to associate successfully.
|
|
openvpn: T149: IPv6 support
|
|
ipoe: T2294: Fix templates and migrate to systemd
|
|
|
|
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitely open an IPv6 listening socket
(tcp6-server, tcp6-client, udp6) as the default on Linux listens on
IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
|