Age | Commit message (Collapse) | Author |
|
T4916: Rewrite IPsec peer authentication and psk migration
|
|
|
|
|
|
Adds CLI configuration options to configure RADIUS accounting for OpenConnect VPN sessions. This functionality cannot be used outside of the RADIUS OpenConnect VPN authentication mode
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
T1297: VRRP: add garp options to vrrp
|
|
|
|
|
|
Some ISPs seem to use the host-uniq flag to authenticate client equipment.
Add CLI option in VyOS to allow specification of the host-uniq flag.
set interfaces pppoe pppoeN host-uniq <value>
|
|
|
|
|
|
|
|
|
|
T4857: SNMP: Implement FRR SNMP Recomendations
|
|
|
|
firewall: T4864: Fixed show zone-policy command output
|
|
Excluded to not spam the log as there is an access restriction to that
folder which SNMP user can not access.
|
|
1. Fixed "show zone-policy" command output
2. Rewritten zone-policy op-mode to new style
|
|
* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony
|
|
T4911: op-mode: rewrite LLDP in standardised op-mode format
|
|
T4118: Add default value any for connection remote-id
|
|
|
|
If IPsec "peer <tag> authentication remote-id" is not set
it should be "%any" by default
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote
Set XML default value in use it in the python vpn_ipsec.py script
|
|
Setting something like `protocols ospf area 10 range 10.10.0.0/16` without sub options doesn't work. This is because no range commands are generated when there is no leaf nodes set under the `range` tag node.
```
edit protocols ospf
set area 16 network 10.10.0.0/16
set area 16 range 10.10.0.0/16
commit
```
```
$ vtysh -c 'show run'
!
router ospf
auto-cost reference-bandwidth 100
timers throttle spf 200 1000 10000
network 10.10.0.0/16 area 16
exit
```
The generated FRR commands above is missing something like:
```
area 16 range 10.10.0.0/16
```
|
|
|
|
`passive_interface` is a leaf node. Also adds a smoketest.
|
|
Commit dafb0da2 ("static: T4883: add a description field for routing tables")
added an iproute2 description table but lacked checking if the key exists.
This has been fixed and also converted to Jinja2 to keep the "common" style
inside the routing protocols. It might feel overengineered indeed.
|
|
|
|
Allow multiple ports for high-availability virtual-server
The current implementation allows balance only one "virtual" address
and port between between several "real servers"
Allow matching "fwmark" to set traffic which should be balanced
Allow to set port 0 (all traffic) if we use "fwmark"
Add health-check script
set high-availability virtual-server 203.0.113.1 fwmark '111'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
|
|
Add ppp-options IPv6 interface id for vpn L2TP
- fixed or random interface identifier for IPv6
- peer interface identifier for IPv6
- whether to accept peer’s interface identifier
set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id
set vpn l2tp remote-access ppp-options ipv6-intf-id 'random'
set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
|
|
overlay2 is the preferred storage driver for all currently supported Linux
distributions, and requires no extra configuration.
|
|
container: T4870: Update podman to use overlay storage driver
|
|
T4866: rewrite show_interfaces.py show* functions to standardized op-mode
|
|
|
|
Commit 13071a4a ("T4809: radvd: Allow the use of AdvRASrcAddress") added a new
feature to set the RA source-address. Unfortunately it missed a semicolon.
|
|
|
|
T4832: dhcp: Add IPv6-only dhcp option support (RFC 8925)
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
T4884: snmpd: add community6 fallback
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
4. Fixed generation dest local sections in squidGuard.conf
5. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
|
|
T4809: radvd: Allow the use of AdvRASrcAddress
|
|
routing: T1237: Add new feature failover route
|
|
This add the AdvRASrcAddress configuration option to configure
a source address for the router advertisements. The source
address still must be configured on the system. This is useful
for VRRP setups where you want fe80::1 on the VRRP interface
for cleaner VRRP failovers.
|
|
If no client and network is defined only a `community` config
is created. This also adds the `community6` part
|
|
Failover route allows to install static routes to the kernel routing
table only if required target or gateway is alive
When target or gateway doesn't respond for ICMP/ARP checks this route
deleted from the routing table
Routes are marked as protocol 'failover' (rt_protos)
cat /etc/iproute2/rt_protos.d/failover.conf
111 failover
ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover
$ sudo ip route show proto failover
203.0.113.1 via 192.0.2.1 dev eth0 metric 1
So we can safely flush such routes
|
|
openvpn: T4770: rewrite op-mode show/reset to use vyos.opmode
|
|
|
|
vyos@vyos# show interfaces sstpc
sstpc sstpc10 {
authentication {
password vyos
user vyos
}
server sstp.vyos.net
ssl {
ca-certificate VyOS-CA
}
}
|
|
|
|
L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool
As we can get addresses via RADIUS attributes:
- Framed-IPv6-Prefix
- Delegated-IPv6-Prefix
|