summaryrefslogtreecommitdiff
path: root/debian
AgeCommit message (Collapse)Author
2024-06-26smoketest: T6510: make test_configd_inspect.py a build time testChristian Breunig
Rather then waiting for a fully assembled ISO image to validate if there is no incompatibility with vyos-configd - like more then one instance of Config(), make this a build time test case for "make test"
2024-06-05migration: T6006: add activation script dir and helper functionJohn Estabrook
2024-05-23Merge pull request #3399 from 0xThiebaut/suricataChristian Breunig
suricata: T751: Initial support for suricata
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation.
2024-05-12suricata: T751: Initial support for suricataMaxime THIEBAUT
2024-05-06T6307: Add dependency procps to build vyos-1xViacheslav Hletenko
2024-04-09T6199: add missing build dependencyChristian Breunig
2024-04-06Debian: T6199: add pylint do list of build dependenciesChristian Breunig
2024-04-03T6199: drop unused sphinx documentation folderChristian Breunig
2024-04-01ssh: T6192: allow binding to multiple VRF instancesChristian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF.
2024-03-28dhcp: T6174: Add TACACS/Radius users to _kea groupsarthurdev
Also raise op-mode error when unable to fetch data from Kea socket
2024-03-12conntrack: T4022: add RTSP conntrack helperIndrek Ardel
2024-03-07config: T4919: Add support for encrypted config file with TPMsarthurdev
2024-01-19Debian: T2267: extend version tag from GIT repoChristian Breunig
This extends commit 2c3e4696b3e22 ("T2267: Versioning: Update version tag from GIT repo") to also include release tags.
2024-01-06https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
2024-01-06pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates.
2023-12-31Merge pull request #2696 from indrajitr/kea-lfc-fixChristian Breunig
dhcp: T3316: Adjust kea lease files' location and permissions
2023-12-29tacacs: T141: Wrap string in double quotes to allow expansionIndrajit Raychaudhuri
2023-12-29dhcp: T3316: Add `_kea` user as vyattacfg group memberIndrajit Raychaudhuri
Allowing `_kea` to be a member of `vyattacfg` group allows kea-dhcp{4,6}-server to have access to DHCP lease directory under `/config/` and thus have ability to manipupate the leases files.
2023-12-20T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } }
2023-12-14T5826: ensure dmidecode is installed as a dependency of vyos-1xMathew McBride
dmicode is used in the "show hardware dmi" and to derive synthetic MAC addresses (see python/vyos/ifconfig/interface.py). On non-x86 platforms like arm64 it may not be pulled in explictly by other packages (like libparted2) so add it as an explicit dependency.
2023-12-09Merge pull request #1960 from sarthurdev/keaChristian Breunig
dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea
2023-12-08Merge pull request #2584 from c-po/T4943-google-authenticatorChristian Breunig
login: T4943: use pam-auth-update to enable/disable Google authenticator
2023-12-08login: T4943: use pam-auth-update to enable/disable Google authenticatorChristian Breunig
The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any use has 2FA/MFA configured. Enabling the module is done system wide via pam-auth-update by using a predefined template. Can be tested using: set system login user vyos authentication plaintext-password vyos set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O' See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details.
2023-12-08dhcp: T3316: Migrate dhcp/dhcpv6 server to Keasarthurdev
2023-12-06nat64: T160: Implement Jool-based NAT64 translatorJoe Groocock
Signed-off-by: Joe Groocock <me@frebib.net>
2023-12-01mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` technically can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`. But we still need to keep `/etc/avahi/services` because avahi-daemon `chroot` to that location at startup. This is setup at build time via `AVAHI_CONFIG_DIR` and there is no way to change it at runtime.
2023-12-01mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`.
2023-11-18T2405: fix debian/control syntaxChristian Breunig
2023-11-18T2405: add Git support to commit-archiveYun Zheng Hu
T2405: add Git support to commit-archive
2023-11-16image: T4516: use copy of pw_reset script for install, link for compatJohn Estabrook
Note that this was updated for the fix in T5739.
2023-11-09T1797: Remove vpp packages and mentionsViacheslav Hletenko
2023-11-07Merge pull request #2436 from sever-sever/T5706Daniil Baturin
T5706: Add custom systemd udev rules to exclude dynamic interfaces
2023-11-05ddclient: T5708: Migration to 3.11.1 and related improvementsIndrajit Raychaudhuri
- Migrate to ddclient 3.11.1 and enforce debian/control dependency - Add dual stack support for additional protocols - Restrict usage of `porkbun` protocol, VyOS configuration structure isn't compatible with porkbun yet - Improve and cleanup error messages
2023-11-04T5706: Add custom systemd udev rules to exclude dynamic interfacesViacheslav Hletenko
Add custom systemd udev rules to exclude some regular and dynamic interfaces from "systemd-sysctl" calls. It fixes high CPU utilization (100%) as we have a lot of calls per interface for dynamic interfaces like ppp|ipoe|sstp etc. /lib/systemd/systemd-udevd should not be called for those interfaces
2023-10-17T1797: Delete VPP from vyos-1x as it is implemented in addonViacheslav Hletenko
2023-10-07debian: T5639: group dependencies and add commentsDaniil Baturin
2023-09-29Merge pull request #2256 from zdc/T5577-circinusChristian Breunig
T5577: Optimized PAM configs for RADIUS/TACACS+
2023-09-15Merge pull request #2185 from sever-sever/T5261-newViacheslav Hletenko
T5261: Add AWS load-balancing tunnel handler
2023-09-13TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13groups: T5577: Added `radius` and `tacacs` groupszsdc
We need separated groups for RADIUS and TACACS+ system users because they need to be used in PAM rules independently.
2023-09-12frr: T5239: T2061: prevent writing logs to /var/log/frr/frr.logChristian Breunig
2023-09-10Debian: bump package version to 1.5dev0Christian Breunig
2023-09-07smoketest: T5558: Extend configtest to allow checking of migration script ↵sarthurdev
results
2023-09-01T5261: Add AWS load-balancing tunnel handlerViacheslav Hletenko
Add AWS load-balancing tunnel handler https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-integrate-linux-instances-with-aws-gateway-load-balancer/ set service aws glb script on-create '/config/scripts/tmp.sh' set service aws glb script on-destroy '/config/scripts/tmp.sh' set service aws glb status format 'simple' set service aws glb status port '8282' set service aws glb threads tunnel '4' set service aws glb threads tunnel-affinity '1-2' set service aws glb threads udp '4' set service aws glb threads udp-affinity '0-3'
2023-08-29Debian: T5521: remove unused tacacs UNIX groupChristian Breunig
2023-08-29Debian: T5521: use bash over dash for postinstall scriptChristian Breunig
2023-08-28Debian: T5521: use --no-create-home for TACACS usersChristian Breunig
2023-08-28Debian: T5521: place AAA users in users group (besides aaa group)Christian Breunig