summaryrefslogtreecommitdiff
path: root/interface-definitions/include
AgeCommit message (Collapse)Author
2024-01-11Merge pull request #2789 from vyos/mergify/bp/sagitta/pr-2777Christian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
2024-01-11Merge pull request #2793 from sarthurdev/T5550_sagittaChristian Breunig
interface: T5550: Interface source-validation priority over global value (backport)
2024-01-10T5688: Changed 'range' to multi in 'client-ip-pool' for accell-pppaapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script. (cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
2024-01-10bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFIChristian Breunig
(cherry picked from commit f1411240c6b11ec400ac0f66eb71982259204317)
2024-01-10Merge pull request #2783 from vyos/mergify/bp/sagitta/pr-2263Christian Breunig
T5530: isis: Adding loop free alternate feature (backport #2263)
2024-01-10T5530: isis: Adding loop free alternate featureCheeze_It
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
2024-01-10https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement. (cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
2024-01-08https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2024-01-08T5896: firewall: backport interface validator for firewall rules.Nicolas Fort
2024-01-04xml: T5738: add constraint building block with alphanumeric, hypen, ↵Christian Breunig
underscore and dot (cherry picked from commit 82b4b2db8fda51df172210f470e5825b91e81de4)
2024-01-03Merge pull request #2719 from c-po/sagitta-backports-accel-pppChristian Breunig
Backports for Accel-PPP based serviced T5801, T5842 and T5688
2024-01-01T5801: Rewritten L2TP to get_config_dictaapostoliuk
Rewritten L2TP to get_config_dict Rewritten L2TP xml to accel-ppp patterns Migrated 'idle' to 'ppp-options.lcp-echo-timeout' Migrated 'authentication.mppe' to 'ppp-options.mppe' Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author' Migrated 'authentication.require' to 'authentication.protocol' Added 'authentication.radius.acct-interim-jitter' Added 'authentication.radius.preallocate-vif' Added 'authentication.radius.server.<IP>.acct-port' Added 'ppp-options.ipv4' Added smoke-tests Fixed 'preallocate-vif' in SSTP (cherry picked from commit 09e0a2ca035ee39a68a510b28cc74560669d0420)
2024-01-01configverify: T5880: raise exception if interfaces sourced form dynamic ↵Christian Breunig
interfaces Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can not be used as source-interface for e.g. a tunnel. The main reason is that these are dynamic interfaces which come and go from a kernel point of view, thus it's not possible to bind an interface to them. (cherry picked from commit 5062f5d313548d6ebb9c07fee6b6d6be25b8f8f0)
2023-12-30firewall: T5834: Improve log message and simplify log-option includeIndrajit Raychaudhuri
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`. (cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242)
2023-12-30firewall: T5834: Remove vestigial include fileIndrajit Raychaudhuri
This file is a left over from previous refactoring and no longer referenced anywhere in the interface definitions. (cherry picked from commit f8f382b2195da8db8b730f107ffba16e67dac822)
2023-12-30firewall: T5834: Migration for 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
(cherry picked from commit 7c40b70af9def9242b30d1fc949288d9da2bd027)
2023-12-30firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency. (cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992)
2023-12-30system: T5877: Shorten system domain-search config pathIndrajit Raychaudhuri
Shorten and simplify `system domain-search` config path from: ``` set system domain-search domain <domain1> ``` to: ``` set system domain-search <domain1> ``` This will shorten the path and also make consistent with `domain-search` config in other places (like `dhcp-server`). (cherry picked from commit f77bf573c608b6c09182e1bad4312c4dd1e5195e)
2023-12-28accel-ppp: T5688: Standardized pool configuration in accel-pppaapostoliuk
Standardized pool configuration for all accel-ppp services. 1. Only named pools are used now. 2. Allows all services to use range in x.x.x.x/mask and x.x.x.x-x.x.x.y format 3. next-pool can be used in all services 2. Allows to use in ipoe gw-ip-address without pool configuration which allows to use Fraimed-IP-Address attribute by radius. 3. Default pool name should be explicidly configured with default-pool. 4. In ipoe netmask and range subnet can be different. (cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
2023-12-25snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"Christian Breunig
(cherry picked from commit a9201e77110ce0695e2ba879304aef41b7ac9a0c)
2023-12-21T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } } (cherry picked from commit 4d721a58020971d00ab854c37b68e88359999f9c)
2023-12-21dhcp: T5846: Ensure DUID regex range is boundIndrajit Raychaudhuri
The DUID regex was missing a lower bound, which could cause it not to match when it should. We have to specify the lower bound explicitly as 0 to keep the regex behavior similar to that in Python (in Python, omitting the lower bound is equivalent to specifying 0). (cherry picked from commit 551f06218755076cde588c848c01ce5ca1bf5e6b)
2023-12-21dhcp: T5846: Fix include pathIndrajit Raychaudhuri
(cherry picked from commit 5768bc2d56cc8aabd8d276a2afc30608c1bc9838)
2023-12-21dhcp: T5846: Refactor and simplify DUID definitionIndrajit Raychaudhuri
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove explicit call to a separate validator `ipv6-duid` and inline the regex into the XML definition. (cherry picked from commit 51e7832fc5c88f9956b26157a80947bad4495a4e)
2023-12-20T5798: load-balancing revese-proxy add multiple SSL certificatesViacheslav Hletenko
Add ability to configure multiple SSL certificates for frontend/service set load-balancing reverse-proxy service web mode http set load-balancing reverse-proxy service web port 443 set load-balancing reverse-proxy service web ssl certificate cert1 set load-balancing reverse-proxy service web ssl certificate cert2 (cherry picked from commit fe99c45e05fd5794905145ddca80e6078145c2e8)
2023-12-18T4163: Add BGP Monitoring Protocol BMP featureViacheslav Hletenko
Add BMP feature. BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring data from BGP routers to network management entities https://docs.frrouting.org/en/latest/bmp.html Example: set system frr bmp commit run restart bgp set protocols bgp system-as '65001' set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast set protocols bgp neighbor 192.0.2.11 remote-as '65001' set protocols bgp bmp mirror-buffer-limit '256000000' set protocols bgp bmp target foo address '127.0.0.1' set protocols bgp bmp target foo port '5000' set protocols bgp bmp target foo min-retry '1000' set protocols bgp bmp target foo max-retry '2000' set protocols bgp bmp target foo mirror set protocols bgp bmp target foo monitor ipv4-unicast post-policy set protocols bgp bmp target foo monitor ipv4-unicast pre-policy set protocols bgp bmp target foo monitor ipv6-unicast post-policy set protocols bgp bmp target foo monitor ipv6-unicast pre-policy (cherry picked from commit 5523fccf4f7d05444c36c568128e94cd7b08c34f)
2023-12-15T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-12-15firewall: T4502: add offload to firewall table actionsBjarke Istrup Pedersen
2023-12-13bgp: T591: add SRv6 support from FRRChristian Breunig
set protocols bgp sid vpn per-vrf export '99' set protocols bgp srv6 locator 'foo' set protocols bgp system-as '100' Will generate in FRR config router bgp 100 no bgp ebgp-requires-policy no bgp default ipv4-unicast no bgp network import-check ! segment-routing srv6 locator foo exit sid vpn per-vrf export 99 exit (cherry picked from commit af46fe54e56cf85d13b62ee771bec3d80f225ac5)
2023-12-09git: T5803: Adjust git configuration for baseline defaultsIndrajit Raychaudhuri
Apply baseline defaults for `.gitattributes` and `.vscode/settings.json` for improved developer experience. The `.gitattrbutes` settings are based on: Git documentation (https://git-scm.com/docs/gitattributes#_effects) GitHub documentation (https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings) Community templates (https://github.com/gitattributes/gitattributes) Since editor-agnostic line-ending specific settings are applied to `.gitattributes`, they can be removed from `.vscode/settings.json`. The global VSCode defaults have also been removed to avoid duplication. (cherry picked from commit c30002208d392177cb1ffc1a5c714f7ad6d573b6)
2023-12-08Merge pull request #2581 from vyos/mergify/bp/sagitta/pr-2578Viacheslav Hletenko
T160: add NAT64 (backport #2578)
2023-12-07T160: Rebase and fixes for NAT64Viacheslav Hletenko
- Update the base (rebase) - Move include/nat64-protocol.xml.i => include/nat64/protocol.xml.i - Delete unwanted `write_json`, use `write_file` instead - Remove unnecessary deleting of default values for tagNodes T2665 - Add smoketest Example: ``` set interfaces ethernet eth0 address '192.168.122.14/24' set interfaces ethernet eth0 address '192.168.122.10/24' set interfaces ethernet eth2 address '2001:db8::1/64' set nat64 source rule 100 source prefix '64:ff9b::/96' set nat64 source rule 100 translation pool 10 address '192.168.122.10' set nat64 source rule 100 translation pool 10 port '1-65535' ``` (cherry picked from commit 336bb5a071b59264679be4f4f9bedbdecdbe2834)
2023-12-07nat64: T160: Implement Jool-based NAT64 translatorJoe Groocock
Signed-off-by: Joe Groocock <me@frebib.net> (cherry picked from commit 7d49f7079f1129c2fadc7f38ceb230804d89e177) # Conflicts: # debian/control
2023-12-05ddclient: T5791: Migration script for dynamic dns config path changeIndrajit Raychaudhuri
2023-12-05ddclient: T5791: Remove XML includes that aren't used anymoreIndrajit Raychaudhuri
As followup to interface definition change, remove XML snippets that aren't used anymore. They were there because they were 'include'-ed multiple times in the interface definition `dynamic-dns.xml.in`. Since that's not the case anymore, they can be removed.
2023-12-01Merge pull request #2557 from vyos/mergify/bp/sagitta/pr-2467Christian Breunig
T5727: Use native URL validator instead of regex-based validator (backport #2467)
2023-12-01T5727: Use native URL validator instead of regex-based validatorIndrajit Raychaudhuri
Replace regex-based URL validator with native validator from vyos-utils. Also, move `include/url.xml.i` to `include/url-http-https.xml.i` to reflect the fact that it is used only for HTTP(S) URLs. (cherry picked from commit 64322b19d6968195a6dc7c82e7e22126072377f5)
2023-11-30ddclient: T5708: Migrate `timeout` to `interval`Indrajit Raychaudhuri
Time interval in seconds to wait between DNS updates would be a bit more intuitive as `interval` than `timeout`.
2023-11-30ddclient: T5574: Support per-service cache management for servicesIndrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient to a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider- specific options in that they are only used if defined.
2023-11-30ddclient: T5612: Refactor zone configurationIndrajit Raychaudhuri
Refactor zone configuration to use shared XML snippet for all cases.
2023-11-30ddclient: T5612: Relax hostname validation for apex and wildcard entryIndrajit Raychaudhuri
Some porvides (like 'namecheap') allow to use '@' or '*' as hostname prefix for apex and wildcard records. This commit relaxes the hostname validation to allow these prefixes.
2023-11-30ddclient: T5612: Enable TTL support for web-service based protocolsIndrajit Raychaudhuri
Enable TTL support for web-service based protocols in addition to RFC2136 based (nsupdate) protocol. Since TTL is not supported by all protocols, and thus cannot have a configuration default, the existing XML snippet `include/dns/time-to-live.xml.i` does not have common `<defaultValue>300</defaultValue>` anymore and is instead added explicitly whenever necessary.
2023-11-22Merge pull request #2517 from nicolas-fort/T5419-FT-SagittaDaniil Baturin
T5419: firewall: backport firewall flowtable to Sagitta.
2023-11-22Merge pull request #2510 from vyos/mergify/bp/sagitta/pr-2506Daniil Baturin
dhcp-client: T5760: add CLI option to pass user-class parameter (backport #2506)
2023-11-21T5419: firewall: backport firewall flowtable to Sagitta.Nicolas Fort
2023-11-21Merge pull request #2512 from zdc/T5577-sagittaChristian Breunig
PAM: T5577: Backported PAM settings from circinus
2023-11-20http: T5762: api: make API socket backend communication the one and only defaultChristian Breunig
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn backend server. https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging those failing, it was uncovered, that uvicorn only listens on IPv4 connections vyos@vyos# netstat -tulnp | grep 8080 (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN - As the CLI already has an option to move the API communication from an IP to a UNIX domain socket, the best idea is to make this the default way of communication, as we never directly talk to the API server but rather use the NGINX reverse proxy. (cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
2023-11-20RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-20dhcp-client: T5760: add CLI option to pass user-class parameterChristian Breunig
Example: set interfaces ethernet eth0 dhcp-options user-class VyOS or set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53 (cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)