Age | Commit message (Collapse) | Author |
|
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
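To make the two modes concrete, here is an added example (not VyOS's PAM configuration or pam_radius code) that evaluates Linux-PAM control syntax and shows why `mandatory` stops only on a clear Access-Reject while an unreachable server falls through. The control strings for each mode, the `pam_radius_auth.so`/`pam_unix.so` stack, and the mapping of RADIUS outcomes to PAM return values are assumptions made for illustration.

```python
# Added example: minimal evaluator for Linux-PAM "[value=action ...]" control
# strings. Stack layout and return-value mapping are assumptions, not VyOS code.

# Keyword controls as Linux-PAM documents them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# Assumed stacks for the two modes. Only "mandatory" turns a clear reject
# (auth_err / perm_denied / user_unknown) into "die"; everything else is ignored.
RADIUS_STACK = {
    "optional": [
        ("[success=done new_authtok_reqd=done default=ignore]", "pam_radius_auth.so"),
        ("required", "pam_unix.so"),
    ],
    "mandatory": [
        ("[success=done new_authtok_reqd=done auth_err=die perm_denied=die "
         "user_unknown=die default=ignore]", "pam_radius_auth.so"),
        ("required", "pam_unix.so"),
    ],
}

# Assumed mapping of RADIUS outcomes to PAM return values.
RADIUS_TO_PAM = {
    "Access-Accept": "success",
    "Access-Reject": "auth_err",
    "unreachable": "authinfo_unavail",   # server down, timeout, bad shared secret
}


def parse_control(control: str) -> dict:
    """Expand a keyword or parse a bracketed control string into {retval: action}."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"bad control: {control}")
    return dict(item.split("=", 1) for item in control[1:-1].split())


def evaluate(stack, results):
    """Walk the stack like Linux-PAM: the first failure sticks, "done"/"die" stop early.
    Returns (allowed, modules_consulted)."""
    state = None          # None, "success" or "fail"
    consulted = []
    skip = 0
    for control, module in stack:
        if skip:
            skip -= 1
            continue
        consulted.append(module)
        actions = parse_control(control)
        action = actions.get(results[module], actions["default"])
        if action.isdigit():                  # "N": ok, then jump over N modules
            skip = int(action)
            action = "ok"
        if action in ("ok", "done") and state != "fail":
            state = "success"
        elif action in ("bad", "die") and state != "fail":
            state = "fail"
        elif action == "reset":
            state = None
        if action in ("done", "die"):
            break
    return state == "success", consulted


def login(mode, radius_answer, local_password_ok):
    """Simulate one login: RADIUS answer first, local password as the next module."""
    results = {
        "pam_radius_auth.so": RADIUS_TO_PAM[radius_answer],
        "pam_unix.so": "success" if local_password_ok else "auth_err",
    }
    return evaluate(RADIUS_STACK[mode], results)
```

With these stacks, `login("mandatory", "Access-Reject", True)` is denied without ever consulting `pam_unix.so`, while `login("mandatory", "unreachable", True)` falls through to the local password exactly as `optional` does.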
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates its own tables and rules for nftables, so they do not
interfere with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
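The following added example (not sshguard's or VyOS's own code) reproduces the threshold / detect-time / block-time / allow-from behaviour described above over a few constructed sshd log lines. The log regex, the 10-point score per failed login (modelled on sshguard's default attack score) and the `sshguard`/`attackers` nftables table and set names are assumptions for illustration.

```python
# Added example: a log-driven blocker mirroring the CLI knobs above.
# Regex, scoring and nft table/set names are assumptions, not sshguard's code.
import re
from ipaddress import ip_address, ip_network

# Matches OpenSSH "Failed password" lines (assumed log format).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2")
SCORE_PER_FAILURE = 10   # assumption: sshguard scores a typical attack at 10 points


class DynamicProtection:
    def __init__(self, threshold=30, detect_time=1800, block_time=120, allow_from=()):
        self.threshold = threshold
        self.detect_time = detect_time     # seconds a source's failures are remembered
        self.block_time = block_time       # seconds a block lasts
        self.allow_from = [ip_network(n, strict=False) for n in allow_from]
        self.failures = {}   # ip -> list of failure timestamps (epoch seconds)
        self.blocked = {}    # ip -> timestamp at which the block expires

    def _whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.allow_from)

    def _expire(self, now):
        # Forget failures older than detect-time and lift blocks past block-time.
        for ip in list(self.failures):
            self.failures[ip] = [t for t in self.failures[ip] if now - t < self.detect_time]
            if not self.failures[ip]:
                del self.failures[ip]
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.failures.pop(ip, None)   # start with a clean slate after unblocking

    def feed(self, now, line):
        """Process one log line; return the address to block, or None."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if self._whitelisted(ip):
            return None
        self._expire(now)
        if ip in self.blocked:
            return None
        hits = self.failures.setdefault(ip, [])
        hits.append(now)
        if len(hits) * SCORE_PER_FAILURE >= self.threshold:
            self.blocked[ip] = now + self.block_time
            return ip
        return None

    def is_blocked(self, ip, now):
        self._expire(now)
        return ip in self.blocked


def nft_block_command(ip):
    # Assumed layout: a dedicated table/set so the rules never mix with the VyOS firewall.
    return f"nft add element ip sshguard attackers {{ {ip} }}"


# Constructed sample log: three failures from 203.0.113.5 within a minute, and
# failures from the allow-listed 192.0.2.1 which must never be blocked.
SAMPLE_LOG = [
    (1000, "sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"),
    (1010, "sshd[812]: Failed password for root from 203.0.113.5 port 4243 ssh2"),
    (1020, "sshd[813]: Accepted publickey for vyos from 192.0.2.1 port 5000 ssh2"),
    (1030, "sshd[814]: Failed password for vyos from 192.0.2.1 port 5001 ssh2"),
    (1040, "sshd[815]: Failed password for vyos from 192.0.2.1 port 5002 ssh2"),
    (1050, "sshd[816]: Failed password for vyos from 192.0.2.1 port 5003 ssh2"),
    (1060, "sshd[817]: Failed password for root from 203.0.113.5 port 4244 ssh2"),
]


def run_sample():
    dp = DynamicProtection(threshold=30, detect_time=1800, block_time=120,
                           allow_from=("192.0.2.1",))
    blocked = []
    for ts, line in SAMPLE_LOG:
        ip = dp.feed(ts, line)
        if ip:
            blocked.append(ip)
    return dp, blocked
```

With threshold 30 and 10 points per failure, the third failure from 203.0.113.5 triggers the block at t=1060 and it expires at t=1180; the allow-listed 192.0.2.1 accumulates no score at all.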
|
|
Added a new service that starts before Cloud-init, waits for all network
interfaces to initialize, and if requested by config, checks which interfaces
can get configuration via DHCP server and creates a corresponding Cloud-init
network configuration.
This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant
for any data source which depends on network), but the real network is connected
to another interface
* when Cloud-init starts simultaneously with udev and initializes the first
interface to get meta-data before it is renamed to eth0 by udev
|
|
(cherry picked from commit 29a44a73c638cb22839aa32986de367231b6efe9)
|
|
Dependency is required for the test Docker OCI image used within the
smoketest framework
|
|
|
|
This is a backport of https://github.com/vyos/vyos-1x/pull/1656.
Note I also changed `ip-down.script.tmpl` to not wait for `systemctl
stop dhcp6c@$iface.service`, because that command is slow and pppd will
kill the ip-down script if it times out.
I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch.
Not sure if there is another mechanism to handle that functionality or
whether it was missed.
|
|
(cherry picked from commit 681bdf2946d1d10f3b432f70452a8d018b7a98ae)
|
|
(cherry picked from commit 5faeacd1111a83e5859b98ccc4193cb6017cdba8)
|
|
(cherry picked from commit aa8080d316dbeb4d26bf67f6d67efeda43b2bc07)
|
|
(cherry picked from commit 2c94c3ec72a559de405b29b4399250db3085717e)
|
|
|
|
|
|
(cherry picked from commit d7f0cbdc102a1186cec80d0ebf29b8f4ef415435)
|
|
|
|
Replace the Flask micro-framework with FastAPI, in order to support
extensions to the API and OpenAPI 3.* generation. This change will
remain backwards compatible with previous versions. Notably, the
multipart forms version of requests remain supported; in addition
application/json requests are now natively supported.
(cherry picked from commit 0125fff200efe3259aa25953e7505f69679261f8)
|
|
(cherry picked from commit 4218a5bcb1093108e25d4e07fa07050b4f79d3d5)
|
|
(cherry picked from commit 7e52a7079afb522d1456833023ad58fa8b05e880)
|
|
|
|
|
|
|
|
|
|
(cherry picked from commit beac82b2d0d4bad182718cc8159f79150c5a71ae)
|
|
(cherry picked from commit c2a1c071e7d0a9ca754d7f5016eed7db188b3d1a)
|
|
(cherry picked from commit fd9032fb7bfc86d4e8901e348bc0afdc83e07413)
|
|
vyos@vyos:~$ show hardware storage nvme
Node SN Model Namespace Usage Format FW Rev
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1 S437Nxxxxxxxxx SAMSUNG MZQLB960HAJR-00007 1 25.17 GB / 960.20 GB 512 B + 0 B EDA5202Q
/dev/nvme1n1 S437Nxxxxxxxxx SAMSUNG MZQLB960HAJR-00007 1 38.36 GB / 960.20 GB 512 B + 0 B EDA5202Q
vyos@vyos:~$ show hardware storage smart nvme0n1
=== START OF INFORMATION SECTION ===
Model Number: SAMSUNG MZQLB960HAJR-00007
Serial Number: S437Nxxxxxxxxx
...
|
|
generate wireguard mobile-config wg0 server wg.vyos.net address 1.2.2.2/24
WireGuard client configuration for interface: wg0
[Interface]
PrivateKey = AEXrZ4b3xFVLg1lql3hy/93+d43q3+3vPdSMUGI6/Fo=
Address = 1.2.2.2/24
[Peer]
PublicKey = h1HkYlSuHdJN6Qv4Hz4bBzjGg5WUty+U1L7DJsZy1iE=
Endpoint = wg.vyos.net:41751
AllowedIPs = 0.0.0.0/0, ::/0
The server's public key and port are automatically extracted from the running
config.
(cherry picked from commit 92d62740a1dd84d27ed3006cdc8d2560673f6bca)
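As an added example (not VyOS's `generate wireguard mobile-config` implementation), the block below derives a fresh client key pair and renders the client configuration shown above from a constructed stand-in for the running config. The pure-Python X25519 follows RFC 7748 and is checked against that RFC's test vectors; the running-config dict layout, the stored `private-key` field and the `wg.vyos.net` endpoint are assumptions.

```python
# Added example: client key generation plus config rendering. Config layout and
# field names are assumptions, not VyOS's own running-config structure.
import base64
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def clamp(scalar: bytes) -> bytes:
    """Clamp a 32-byte scalar the way `wg genkey` does before encoding it."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * point on Curve25519 (u-coordinate only)."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_b64(key: bytes) -> str:
    return base64.b64encode(key).decode()


def generate_private_key() -> bytes:
    return clamp(os.urandom(32))


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)


# Constructed stand-in for the running config. The server private key is the
# "Bob" key from RFC 7748 section 6.1, so the derived public key is deterministic.
RUNNING_CONFIG = {"interfaces": {"wireguard": {"wg0": {
    "port": "41751",
    "private-key": wg_b64(bytes.fromhex(
        "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")),
}}}}


def render_client_config(running_config, iface, server, address, client_priv=None):
    """Render a client config; server public key and port come from the running config."""
    wg = running_config["interfaces"]["wireguard"][iface]
    server_pub = public_key(base64.b64decode(wg["private-key"]))
    client_priv = client_priv or generate_private_key()
    return (
        "[Interface]\n"
        f"PrivateKey = {wg_b64(client_priv)}\n"
        f"Address = {address}\n\n"
        "[Peer]\n"
        f"PublicKey = {wg_b64(server_pub)}\n"
        f"Endpoint = {server}:{wg['port']}\n"
        "AllowedIPs = 0.0.0.0/0, ::/0\n"
    )
```

Two points worth keeping in mind when using output like this: the client's public key (`public_key(client_priv)`) still has to be added as a peer on the server or the handshake never completes, and `AllowedIPs = 0.0.0.0/0, ::/0` routes all client traffic through the tunnel, which is what a mobile profile usually wants but not what a site-to-site peer does.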
|
|
Add a new CLI command "monitor log colored" to run the log file monitoring
through grc (https://github.com/garabik/grc).
(cherry picked from commit 6330708f7ad50e56b16e1c7bc671eaddcd758bdb)
|
|
(cherry picked from commit 52323dcd620ef1b6d716787c9c4729b9ae9ee7e0)
|
|
T3284: Merge Paramiko-based remote.py implementation
|
|
|
|
This is an extension to commit 801c5235 ("xdp: T2666: disable this highly
experimental feature in 1.3 LTS") by dropping all XDP references in the
equuleus codebase.
|
|
* 'current' of github.com:vyos/vyos-1x:
op-mode: T3178: add "monitor protocols <bgp|ospf|ospfv3|rib|rip|ripng>" commands
op-mode: T3178: add remaining "show ipv6 ospfv3 database" commands from vyatta-op-quagga
op-mode: T3178: migrate most of the OSPFv3 parts to re-includable snippets
xml: op-mode: add preprocessor support as known from configuration mode
Debian: vyos-1x depends on python3-sphinx for "make docs"
ospf: T3198: Fix show information for database tag nodes
login: radius: T3192: remove debug print()
xml: convert tab to space in "system login"
|
|
|
|
* 'current' of github.com:vyos/vyos-1x: (30 commits)
smoketest: dummy: fix indent
smoketest: bridge: bond: enable ip subsystem tests
smoketest: interfaces: dhcpv6pd final fix
smoketest: ethernet: fix link-speed loop test
Debian: add build-dependency on python3-jinja2
smoketest: ethernet: verify() speed/duplex must both be auto or discrete
smoketest: interfaces: report skipped tests
smoketest: ethernet: bugfixes for dhcpc6 and unknown interfaces
Debian: add python3-psutil build dependency
smoketest: ethernet: check for error on non existing interface
vyos.configverify: provide generic helper to check for interface existence
smoketest: interfaces: fix dhcpv6 pd testcase when using multiple interfaces
login: radius: T3192: migrate to get_config_dict()
ssh: T2635: harden Jinja2 template and daemon startup
ssh: T2635: change sshd_config path to /run/sshd
login: radius: T3192: support IPv6 server(s) and source-address
xml: include: provide generic include for disable node
xml: radius: T3192: split individual nodes to discrete includes
bgp: T2174: verify() existence of route-map and prefix-list
smoketest: interfaces: test dhcpv6 pd sla-id auto increment
...
|
|
|
|
vyos.util depends partially on python3-psutil, and some smoketests executed
via "make test" include vyos.util, thus ensure the package is available.
|
|
|
|
|
|
|
|
|
|
Basic proxy functionality is working but the squidguard smoketest still fails
as this is yet not implemented.
|
|
|
|
|
|
|
|
The CLI command "set interfaces ethernet <interface> offload-options xdp" enables
the XDP generic mode on the given interface.
vyos@vyos:~$ show interfaces ethernet eth1
eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 xdpgeneric/id:151 qdisc mq state DOWN group default qlen 1000
link/ether 00:50:56:bf:ef:aa brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:56ff:febf:efaa/64 scope link tentative
valid_lft forever preferred_lft forever
Description: fooa
XDP code is thankfully copied from [1], thank you for this nice tutorial.
NOTE: this is an experimental feature which might break your
forwarding/filtering.
[1]: https://medium.com/swlh/building-a-xdp-express-data-path-based-peering-router-20db4995da66
|
|
|
|
The dependency on the WireGuard modules actually depends on the running Kernel.
While already working on 5.9 support, which has a built-in version of WireGuard,
this also eases ARM development.
|
|
Python value
We should not use hardcoded Python values whenever possible. vyos.xml provides
an abstraction of the XML CLI definitions providing default values from the CLI
specified via the <defaultValue> node.
This increases consistency among all XML/Python wrappers.
Additional small fixes in this commit (besides the bad practice incorporating
unrelated changes into the same commit) contain:
- Keyboard layout should be explicitly set for /dev/console
- Added missing Debian dependency on console-data
- When looking for a key in a dict, we do not need to specify dict.keys()
|
|
Add new CLI command "set system options performance <latency | throughput>"
|