path: root/data
Age | Commit message | Author
2022-08-18 | T3896: update groupconfig syntax per PR1463 | RageLtMan
    Address @sever-sever's suggestion to refactor how groupconfig is defined, parsed, and set (with his proposed conditional string appending Py-sugar). Use the disable-mobike refactor as template for XML simplification.
    Testing: None yet
2022-08-18 | T3896: Use group selector and forced dns tunneling | RageLtMan
    Enterprise RADIUS configurations often utilize group selectors for authentication and attribute distribution for connecting clients. Ocserv implements this functionality via the `select-group` config file attribute, repeating for multiple groups. When a user selects their membership group and the request is passed to the RADIUS server, ocserv will match the returned Class attribute against the value selected by the user. This functionality also works for local group membership resolution, although VyOS currently doesn't have group membership configuration for this.
    Expose the tunnel-all-dns option in the ocserv config file allowing users who deploy default routes to select split-dns and those who do not to enable full DNS tunneling.
    Testing: Smoketests & build
    Configured groups in openconnect profile and verified existence in /run/ocserv/ocserv.conf
    Configured forced dns tunneling and verified presence of setting in /run/ocserv/ocserv.conf
2022-08-18 | T3896: Drop ocserv local user req, add groupconfig | RageLtMan
    From ocserv documentation:
    ```
    If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius. That also includes the Acct-Interim-Interval, and Session-Timeout values.
    ```
    Implement yes/no configuration and parameter handling during jinja rendering.
    Fix bug wherein openconnect-server configuration requires creation of local user accounts even when RADIUS authentication is used.
    Testing: Set the groupconfig=yes param and observed change in generated /run/ocserv/ocserv.conf. Removed the local users via `delete vpn openconnect authentication local-users` and observed commit & service operation
2022-08-16 | Merge pull request #1462 from sever-sever/T4596 | Christian Poessinger
    ocserv: T4596: Rewrite show openconnect sessions op-mode
2022-08-15 | ocserv: openconnect: T4614: add support for split-dns | Christian Poessinger
    set vpn openconnect network-settings split-dns <domain>
2022-08-15 | ocserv: T4333: migrate to new vyos_defined Jinja2 test | Christian Poessinger
2022-08-10 | dmvpn: T4595: Fix dpd profile options | Viacheslav Hletenko
    Fix template for configuration DMVPN IKE profile dead-peer-detection delay and dead-peer-detection timeout options
2022-08-06 | ocserv: T4596: Rewrite show openconnect sessions op-mode | Viacheslav Hletenko
    Rewrite "show openconnect-server sessions" to vyos.opmode format
    Ability to get raw and formatted output
    Ability to get data via API
2022-08-05 | nat66: T4598: Add exclude options in nat66 | Nicolas Fort
2022-08-04 | Merge https://github.com/Cheeze-It/vyos-1x into current | Christian Poessinger
    * https://github.com/Cheeze-It/vyos-1x: bgp: T4257: Changing BGP "local-as" to "system-as"
2022-08-04 | macsec: T4537: macsec_csindex can be set even without encryption | Christian Poessinger
2022-08-04 | Merge pull request #1457 from sever-sever/T4586 | Christian Poessinger
    nat66: T4586: Add SNAT destination prefix and DNAT address
2022-08-03 | Merge pull request #1369 from nicolas-fort/T4480 | Daniil Baturin
    T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
2022-08-03 | nat66: T4586: Add SNAT destination prefix and DNAT address | Viacheslav Hletenko
    Ability to configure SNAT destination prefix and DNAT source address
    Add option "!" - not address/prefix for NAT66
2022-08-02 | graphql: T4544: Add overwritten scripts op-mode-standardized.json | Viacheslav Hletenko
    Add overwritten scripts to 'op-mode-standardized.json'
2022-08-02 | macsec: T4537: add missing macsec_csindex option to support GCM-AES-256 | Christian Poessinger
2022-07-30 | bgp: T4257: Changing BGP "local-as" to "system-as" | Cheeze_It
    This change is to change the global BGP name for the node "local-as" to "system-as". This is needed so that there's less ambiguity with the local-as feature per neighbor.
2022-07-29 | Merge pull request #1432 from jestabro/gql-op-mode | John Estabrook
    graphql: T4554: Automate GraphQL handling of standardized op-mode requests
2022-07-25 | fastnetmon: T4556: Allow configure white_list_path and populate with hosts/networks that should be ignored. | Adrian Almenar
2022-07-25 | graphql: T4544: add script to generate GraphQL schema for op-mode | John Estabrook
2022-07-22 | ssh: T3212: do not load systemd EnvironmentFile | Christian Poessinger
2022-07-22 | Merge pull request #1421 from vfreex/radvd-prefix-specific-options | Christian Poessinger
    T4550: router-advert: Add deprecate-prefix & decrement-lifetimes options
2022-07-21 | fastnetmon: T4555: add IPv6 support | Christian Poessinger
2022-07-21 | T4550: router-advert: Add deprecate-prefix & decrement-lifetimes options | Yuxiang Zhu
    DeprecatePrefix and DecrementLifetimes options in radvd are useful in a DHCPv6-PD environment to accommodate prefix changes from the ISP's delegating router. Though there is currently no integration between the DHCP PD client (wide-dhcpv6-client) and radvd, it could be a good starting point to have the 2 options configurable by the user.
    https://phabricator.vyos.net/T4550
    - deprecate-prefix: Upon shutdown, deprecate the prefix. This is useful in a DHCPv6 PD environment: When ISP re-assigns a new prefix, deprecate the old prefix that was advertised.
    - decrement-lifetimes: Decrement the values of the preferred and valid lifetimes for the prefix over time. This is also useful in a DHCPv6 PD environment to keep the advertised prefix's lifetimes in sync with the prefix from the delegating router.
2022-07-21 | fastnetmon: T4553: Allow to configure ban_time instead of 1900s default value | Adrian Almenar
2022-07-20 | T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config -- Fix conflicts | Nicolas Fort
2022-07-15 | netflow: T4532: replace dot and colons to dash | Viacheslav Hletenko
    Fix for IPv6 netflow_plugin name. When we use IPv6, uacctd.conf doesn't expect colons in the plugin name. Replace dots and colons with a dash.
2022-07-07 | monitoring: T4411: Migrate influxdb options to influxdb node | Viacheslav Hletenko
    As we have specific configuration for each plugin:
    set service monitoring telegraf xxx
      - azure-data-explorer
      - prometheus-client
      - splunk
    We should move the configuration related to influxdb under the influxdb node.
    Replace:
    set service monitoring telegraf
      - authentication xxx
      - bucket xxx
      - port xxx
      - url
    To:
    set service monitoring telegraf influxdb xxx
2022-07-07 | syslog: T4500: Remove max-size from rsyslog leaving rotation to logrotate | sarthurdev
    After discussion with @zsdc this was decided to be the better long-term fix
    * Removes hourly logrotate cron in favour of systemd timer override
2022-07-05 | zone-policy: T4512: Add support for `enable-default-log` | sarthurdev
2022-07-05 | Merge pull request #1389 from sever-sever/T4509 | Christian Poessinger
    dns: T4509: Add dns64-prefix option
2022-07-05 | dns: T4509: Add dns64-prefix option | Viacheslav Hletenko
    rfc6147: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
    set service dns forwarding dns64-prefix 2001:db8:aabb::/96
2022-07-04 | ntp: T4456: support listening on specified interface | Christian Poessinger
    When clients only use DHCP for interface addressing we can not bind NTPd to an address - as it will fail if the address changes. This commit adds support to bind ntpd to a given interface in addition to a given address.
    set system ntp interface <name>
2022-07-02 | ipoe: T4507: Add option rate-limit for RADIUS authentication | Viacheslav Hletenko
    Add rate-limit options: attribute, multiplier and vendor
    set service ipoe-server auth radius rate-limit attribute 'Mikrotik-Rate-Limit'
    set service ipoe-server auth radius rate-limit enable
    set service ipoe-server auth radius rate-limit multiplier '0.001'
    set service ipoe-server auth radius rate-limit vendor 'Miktorik'
2022-06-29 | router-advert: T4477: support RDNSS lifetime option | Christian Poessinger
    set service router-advert interface eth0 name-server-lifetime <value>
2022-06-25 | dhcp: pppoe: T4384: bugfix not honoring no-default-route CLI option | Christian Poessinger
    Commit a2ab95ff68b ("pppoe: T4384: replace default-route CLI option with common CLI nodes already present for DHCP") had an issue as the PPPoE interface options and also DHCP interface options did not honor the no-default-route option. This has been fixed.
2022-06-14 | firewall: T970: Use set prefix to domain groups | sarthurdev
2022-06-14 | firewall: T4147: Use named sets for firewall groups | sarthurdev
    * Refactor nftables clean-up code
    * Adds policy route test for using firewall groups
2022-06-11 | firewall: T4299: Add support for GeoIP filtering | sarthurdev
2022-06-10 | firewall: T478: Add support for nesting groups | sarthurdev
2022-06-09 | Merge branch 'sstp_port' of https://github.com/goodNETnick/vyos-1x into current | Christian Poessinger
    * 'sstp_port' of https://github.com/goodNETnick/vyos-1x: sstp: T4444. Port number changing support
2022-06-09 | Merge pull request #1327 from sever-sever/T970 | Christian Poessinger
    firewall: T970: Add firewall group domain-group
2022-06-04 | Policy: T3976-T4449-nexthop: add - match ipv6 nexthop type - as available for ipv4 | Nicolas Fort
2022-06-02 | sla: T4222: Add OWAMP and TWAMP for service sla | Viacheslav Hletenko
    OWAMP is a command line client application and a policy daemon used to determine one way latencies between hosts. OWAMP session control uses traditional client-server communication between a control-client and a server. TWAMP (two-way active measurement protocol).
    Add configuration and operation modes
    set service sla owamp-server
    set service sla twamp-server
    run force owping 192.0.2.120
    run force twping 192.0.2.190
2022-05-31 | IPv6: T3976: add prefix-list and access-list option from ipv6 route-map | fett0
2022-05-29 | Policy: T4450: Expand options for ip|ipv6 address match. Now support prefix-len on both matches. Also change help properties of route-source node. | Nicolas Fort
2022-05-29 | eigrp: T2472: add basic template rendering and FRR communication | Christian Poessinger
2022-05-29 | Merge branch 'T4449' of https://github.com/nicolas-fort/vyos-1x into current | Christian Poessinger
    * 'T4449' of https://github.com/nicolas-fort/vyos-1x: Policy: T4449: Extend matching options for route-map ip nexthop
2022-05-28 | rip: T4448: add support to set protocol version on an interface level | Christian Poessinger
2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko
    Domain group allows to filter addresses by domain name. Resolved addresses as elements are stored to a named "nft set" that is used in the nftables rules. Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts a python script for the domain-group addresses resolving by timeout 300 sec.
    set firewall group domain-group DOMAINS address 'example.com'
    set firewall group domain-group DOMAINS address 'example.org'
    set firewall name FOO rule 10 action 'drop'
    set firewall name FOO rule 10 source group domain-group 'DOMAINS'
    set interfaces ethernet eth0 firewall local name 'FOO'
    nft list table ip filter
    table ip filter {
            set DOMAINS {
                    type ipv4_addr
                    flags interval
                    elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 }
            }
            chain NAME_FOO {
                    ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
                    counter packets 0 bytes 0 return comment "FOO default-action accept"
            }
    }