Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they do not
interfere with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
Added a new service that starts before Cloud-init, waits for all network
interfaces initialization, and if requested by config, checks which interfaces
can get configuration via DHCP server and creates a corresponding Cloud-init
network configuration.
This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant
for any data source which depends on network), but the real network is connected
to another interface
* when Cloud-init starts simultaneously with udev and initializes the first
interface to get meta-data before it is renamed to eth0 by udev
|
|
(cherry picked from commit 29a44a73c638cb22839aa32986de367231b6efe9)
|
|
Dependency is required for the test Docker OCI image used within the
smoketest framework
|
|
This is a backport of https://github.com/vyos/vyos-1x/pull/1656.
Note I also changed `ip-down.script.tmpl` to not wait for `systemctl
stop dhcp6c@$iface.service`, because that command is slow and pppd will
kill the ip-down script if it times out.
I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch.
Not sure if there is another mechanism to handle that functionality or
it is missed.
|
|
(cherry picked from commit 681bdf2946d1d10f3b432f70452a8d018b7a98ae)
|
|
(cherry picked from commit 5faeacd1111a83e5859b98ccc4193cb6017cdba8)
|
|
(cherry picked from commit aa8080d316dbeb4d26bf67f6d67efeda43b2bc07)
|
|
(cherry picked from commit 2c94c3ec72a559de405b29b4399250db3085717e)
|
|
(cherry picked from commit d7f0cbdc102a1186cec80d0ebf29b8f4ef415435)
|
|
Replace the Flask micro-framework with FastAPI, in order to support
extensions to the API and OpenAPI 3.* generation. This change will
remain backwards compatible with previous versions. Notably, the
multipart forms version of requests remains supported; in addition
application/json requests are now natively supported.
(cherry picked from commit 0125fff200efe3259aa25953e7505f69679261f8)
|
|
(cherry picked from commit 4218a5bcb1093108e25d4e07fa07050b4f79d3d5)
|
|
(cherry picked from commit 7e52a7079afb522d1456833023ad58fa8b05e880)
|
|
(cherry picked from commit beac82b2d0d4bad182718cc8159f79150c5a71ae)
|
|
(cherry picked from commit c2a1c071e7d0a9ca754d7f5016eed7db188b3d1a)
|
|
(cherry picked from commit fd9032fb7bfc86d4e8901e348bc0afdc83e07413)
|
|
vyos@vyos:~$ show hardware storage nvme
Node SN Model Namespace Usage Format FW Rev
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1 S437Nxxxxxxxxx SAMSUNG MZQLB960HAJR-00007 1 25.17 GB / 960.20 GB 512 B + 0 B EDA5202Q
/dev/nvme1n1 S437Nxxxxxxxxx SAMSUNG MZQLB960HAJR-00007 1 38.36 GB / 960.20 GB 512 B + 0 B EDA5202Q
vyos@vyos:~$ show hardware storage smart nvme0n1
=== START OF INFORMATION SECTION ===
Model Number: SAMSUNG MZQLB960HAJR-00007
Serial Number: S437Nxxxxxxxxx
...
|
|
generate wireguard mobile-config wg0 server wg.vyos.net address 1.2.2.2/24
WireGuard client configuration for interface: wg0
[Interface]
PrivateKey = AEXrZ4b3xFVLg1lql3hy/93+d43q3+3vPdSMUGI6/Fo=
Address = 1.2.2.2/24
[Peer]
PublicKey = h1HkYlSuHdJN6Qv4Hz4bBzjGg5WUty+U1L7DJsZy1iE=
Endpoint = wg.vyos.net:41751
AllowedIPs = 0.0.0.0/0, ::/0
The server's public key and port are automatically extracted from the running
config.
(cherry picked from commit 92d62740a1dd84d27ed3006cdc8d2560673f6bca)
|
|
Add a new CLI command "monitor log colored" to run the log file monitoring
through grc (https://github.com/garabik/grc).
(cherry picked from commit 6330708f7ad50e56b16e1c7bc671eaddcd758bdb)
|
|
(cherry picked from commit 52323dcd620ef1b6d716787c9c4729b9ae9ee7e0)
|
|
T3284: Merge Paramiko-based remote.py implementation
|
|
This is an extension to commit 801c5235 ("xdp: T2666: disable this highly
experimental feature in 1.3 LTS") by dropping all XDP references in the
equuleus codebase.
|
|
* 'current' of github.com:vyos/vyos-1x:
op-mode: T3178: add "monitor protocols <bgp|ospf|ospfv3|rib|rip|ripng>" commands
op-mode: T3178: add remaining "show ipv6 ospfv3 database" commands from vyatta-op-quagga
op-mode: T3178: migrate most of the OSPFv3 parts to re-includable snippets
xml: op-mode: add preprocessor support as known from configuration mode
Debian: vyos-1x depends on python3-spinx for "make docs"
ospf: T3198: Fix show information for database tag nodes
login: radius: T3192: remove debug print()
xml: convert tab to space in "system login"
|
|
* 'current' of github.com:vyos/vyos-1x: (30 commits)
smoketest: dummy: fix indent
smoketest: bridge: bond: enable ip subsystem tests
smoketest: interfaces: dhcpv6pd final fix
smoketest: ethernet: fix link-speed loop test
Debian: add build-dependency on python3-jinja2
smoketest: ethernet: verify() speed/duplex must both be auto or discrete
smoketest: interfaces: report skipped tests
smoketest: ethernet: bugfixes for dhcpc6 and unknown interfaces
Debian: add python3-psutil build dependency
smoketest: ethernet: check for error on non existing interface
vyos.configverify: provide generic helper to check for interface existence
smoketest: interfaces: fix dhcpv6 pd testcase when using multiple interfaces
login: radius: T3192: migrate to get_config_dict()
ssh: T2635: harden Jinja2 template and daemon startup
ssh: T2635: change sshd_config path to /run/sshd
login: radius: T3192: support IPv6 server(s) and source-address
xml: include: provide generic include for disable node
xml: radius: T3192: split individual nodes to discrete includes
bgp: T2174: verify() existence of route-map and prefix-list
smoketest: interfaces: test dhcpv6 pd sla-id auto increment
...
|
|
vyos.util depends partially on python3-psutil, and some smoketests executed
via "make test" include vyos.util, thus ensure the package is available.
|
|
Basic proxy functionality is working but the squidguard smoketest still fails
as this is not yet implemented.
|
|
The CLI command "set interfaces ethernet <interface> offload-options xdp" enables
the XDP generic mode on the given interface.
vyos@vyos:~$ show interfaces ethernet eth1
eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 xdpgeneric/id:151 qdisc mq state DOWN group default qlen 1000
link/ether 00:50:56:bf:ef:aa brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:56ff:febf:efaa/64 scope link tentative
valid_lft forever preferred_lft forever
Description: fooa
XDP code is thankfully copied from [1], thank you for this nice tutorial.
NOTE: this is an experimental feature which might break your
forwarding/filtering.
[1]: https://medium.com/swlh/building-a-xdp-express-data-path-based-peering-router-20db4995da66
|
|
The dependency on the WireGuard modules actually depends on the running Kernel.
While already working on 5.9 support which has a built-in version of WireGuard,
this also eases ARM development.
|
|
Python value
We should not use hardcoded Python values whenever possible. vyos.xml provides
an abstraction of the XML CLI definitions providing default values from the CLI
specified via the <defaultValue> node.
This increases consistency among all XML/Python wrappers.
Additional small fixes in this commit (besides the bad practice incorporating
unrelated changes into the same commit) contain:
- Keyboard layout should be explicitly set for /dev/console
- Added missing Debian dependency on console-data
- When looking for a key in a dict, we do not need to specify dict.keys()
|
|
Add new CLI command "set system options performance <latency | throughput>"
|
|