Age | Commit message (Collapse) | Author |
|
From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.
Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.
Testing:
Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
|
|
ocserv: T4596: Rewrite show openconnect sessions op-mode
|
|
set vpn openconnect network-settings split-dns <domain>
|
|
|
|
Fix template for configuration DMVPN IKE profile
dead-peer-detection delay and dead-peer-detecion timeout options
|
|
Rewrite "show openconnect-server sessions" to vyos.opmode format
Ability to get raw and formatted output
Ability to get data via API
|
|
|
|
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
|
|
|
|
nat66: T4586: Add SNAT destination prefix and DNAT address
|
|
T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
|
|
Ability to configure SNAT destination prefix and
DNAT source address
Add option "!" - not address/prefix for NAT66
|
|
Add overwritten scripts to 'op-mode-standardized.json'
|
|
|
|
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
bgp: T4257: Changing BGP "local-as" to "system-as"
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
|
|
graphql: T4554: Automate GraphQL handling of standardized op-mode requests
|
|
hosts/networks that should be ignored.
|
|
|
|
|
|
T4550: router-advert: Add deprecate-prefix & decrement-lifetimes options
|
|
|
|
DeprecatePrefix and DecrementLifetimes options in radvd is useful in a DHCPv6-PD environment to accommodate prefix changes from ISP's delegating router. Though there is currently no integration between the DHCP PD client (wide-dhcpv6-client) and radvd, it could be a good start point to have the 2 options configurable by the user.
https://phabricator.vyos.net/T4550
- deprecate-prefix: Upon shutdown, deprecate the prefix. This is useful
in a DHCPv6 PD environment: When ISP re-assigns a new prefix,
deprecate the old prefix that was advertised.
- decrement-lifetimes: Decrement the values of the preferred and valid
lifetimes for the prefix over time. This is also useful in a DHCPv6
PD environment to keep the advertised prefix's lifetimes in sync with
the prefix from delegating router.
|
|
|
|
Fix conflicts
|
|
Fix for IPv6 netflow_plugin name
When we use IPv6 uacctd.conf doesnt expect coluns in the plugin
name. Replace dots and colons to dash.
|
|
As we have specific configuration for each plugin:
set service monitoring telegraf xxx
- azure-data-explorer
- prometheus-client
- splunk
We should to move configuration that related to influxdb under
influxdb node
Replace:
set service monitoring telegraf
- authentication xxx
- bucket xxx
- port xxx
- url
To:
set service monitoring telegraf influxdb xxx
|
|
After discussion with @zsdc this was decided the better long term fix
* Removes hourly logrotate cron in favour of systemd timer override
|
|
|
|
dns: T4509: Add dns64-prefix option
|
|
rfc6147: DNS Extensions for Network Address Translation
from IPv6 Clients to IPv4 Servers
set service dns forwarding dns64-prefix 2001:db8:aabb::/96
|
|
When clients only use DHCP for interface addressing we can not bind NTPd to
an address - as it will fail if the address changes. This commit adds support
to bind ntpd to a given interface in addition to a given address.
set system ntp interface <name>
|
|
Add rate-limit options: attribute, muptiplier and vendor
set service ipoe-server auth radius rate-limit attribute 'Mikrotik-Rate-Limit'
set service ipoe-server auth radius rate-limit enable
set service ipoe-server auth radius rate-limit multiplier '0.001'
set service ipoe-server auth radius rate-limit vendor 'Miktorik'
|
|
set service router-advert interface eth0 name-server-lifetime <value>
|
|
Commit a2ab95ff68b ("pppoe: T4384: replace default-route CLI option with common
CLI nodes already present for DHCP") had an issue as the PPPoE interface options
and also DHCP interface options did not honor the no-default-route option.
This has been fixed.
|
|
|
|
* Refactor nftables clean-up code
* Adds policy route test for using firewall groups
|
|
|
|
|
|
* 'sstp_port' of https://github.com/goodNETnick/vyos-1x:
sstp: T4444. Port number changing support
|
|
firewall: T970: Add firewall group domain-group
|
|
for ipv4
|
|
OWAMP is a command line client application and a policy daemon used
to determine one way latencies between hosts.
OWAMP session control uses traditional client-server communication
between a control-client and a server,
TWAMP (two-way active measurement protocol)
Add configuration and operation modes
set service sla owamp-server
set service sla twamp-server
run force owping 192.0.2.120
run force twping 192.0.2.190
|
|
|
|
prefix-len on both matches. Also change help properties of route-source node.
|
|
|
|
* 'T4449' of https://github.com/nicolas-fort/vyos-1x:
Policy: T4449: Extend matching options for route-map ip nexthop
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
|
|
|