summaryrefslogtreecommitdiff
path: root/interface-definitions/include
AgeCommit message (Collapse)Author
2023-11-02Merge pull request #2416 from c-po/evpn-mh-t5698Christian Breunig
T5698 EVPN ESI Multihoming
2023-11-02Merge pull request #2427 from sever-sever/T5704Christian Breunig
T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessions
2023-11-02T5704: PPPoE L2TP SSTP IPoE add option max-concurrent-sessionsViacheslav Hletenko
Add `max-starting` option: [common] max-starting=N Specifies maximum concurrent session attempts which server may processed set service pppoe-server max-concurrent-sessions '30' Useful to prevent high CPU utilization and compat execution scripts per time.
2023-11-01T4726: Remove accel-ppp RADIUS vendor validatorsViacheslav Hletenko
The vendor name could contain Uppercase or lowercase symbols and not rely on the dictionary name but on dictionary value / # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor VENDOR Cisco 9 Another example VENDOR Alcatel-IPD 6527 This way if we use `vendor=cisco` instead of `vendor=Cisco` it will not work at all Delete vendor validators
2023-10-31nat: T5681: fix CLI versionChristian Breunig
Fix commit 51abbc0f1b2 ("T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher (valid for interfaces and groups) in firewal, nat and nat66") that added a migrator but did not bump the version number.
2023-10-30bgp: T5698: add support for EVPN MultihomingChristian Breunig
2023-10-25T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
(valid for interfaces and groups) in firewal, nat and nat66.
2023-10-22Merge pull request #2386 from c-po/vxlan-t5671Christian Breunig
vxlan: T5671: change port to IANA assigned default port
2023-10-20vxlan: T5671: change port to IANA assigned default portChristian Breunig
Currently VyOS VXLAN implementation uses the Linux assigned port 8472 that predates the IANA assignment. As Most other vendors use the IANA assigned port, follow this guideline and use the new default port 4789. Existing configuration not defining an explicit port number will be migrated to the old default port number of 8472, keeping existing configurations work!
2023-10-20T5667: BGP label-uniscat enable ecmpfett0
2023-10-19Merge pull request #2377 from dmbaturin/T2897-no-clusterChristian Breunig
cluster: T2897: add a migration script for converting cluster to VRRP
2023-10-19Merge pull request #2344 from nicolas-fort/T5637Christian Breunig
T5637: add new rule at the end of base chains for default-actions and log capabilities
2023-10-19cluster: T2897: add a migration script for converting cluster to VRRPDaniil Baturin
2023-10-12Merge pull request #2277 from aapostoliuk/T5254-1-sagittaDaniil Baturin
bonding: T5254: Fixed changing ethernet when it is a bond member
2023-10-12openvpn: T5634: fix typoJohn Estabrook
2023-10-12openvpn: T5634: Remove support for insecure DES and Blowfish ciphersDaniil Baturin
2023-10-08Merge pull request #2263 from Cheeze-It/currentViacheslav Hletenko
T5530: isis: Adding loop free alternate feature
2023-10-06T5637: add new rule at the end of base chains for default-actions. This ↵Nicolas Fort
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
2023-10-06T5530: isis: Adding loop free alternate featureCheeze_It
2023-10-03bonding: T5254: Fixed changing ethernet when it is a bond memberaapostoliuk
If ethernet interface is a bond memeber: 1. Allow for changing only specific parameters which are specified in EthernetIf.get_bond_member_allowed_options function. 2. Added inheritable parameters from bond interface to ethernet interface which are scpecified in BondIf.get_inherit_bond_options. Users can change inheritable options under ethernet interface but in commit it will be copied from bond interface. 3. All other parameters are denied for changing. Added migration script. It deletes all denied parameters under ethernet interface if it is a bond member.
2023-09-30Merge pull request #2269 from indrajitr/ddclient-wait-timeChristian Breunig
ddclient: T5574: Support per-service cache management for providers
2023-09-30Merge pull request #2300 from nicolas-fort/T5600Christian Breunig
T5600: firewall: change constraints for inbound|outbound interface-name
2023-09-30ddclient: T5574: Support per-service cache management for servicesIndrajit Raychaudhuri
Add support for per-service cache management for ddclient providers via `wait-time` and `expiry-time` options. This allows for finer-grained control over how often a service is updated and how long the hostname will be cached before being marked expired in ddclient's cache. More specifically, `wait-time` controls how often ddclient will attempt to check for a change in the hostname's IP address, and `expiry-time` controls how often ddclient to a forced update of the hostname's IP address. These options intentionally don't have any default values because they are provider-specific. They get treated similar to the other provider- specific options in that they are only used if defined.
2023-09-30Merge pull request #2325 from sever-sever/T5165Christian Breunig
T5165: Migrate policy local-route rule x destination to address
2023-09-30Merge pull request #2303 from indrajitr/ddclient-misc-1Christian Breunig
ddclient: T5612: Miscellaneous improvements and fixes for dynamic DNS
2023-09-29T5165: Migrate policy local-route rule x destination to addressViacheslav Hletenko
Migrate policy local-route <destination|source> to node address replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>' => 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
2023-09-29T5616: firewall: add option to be able to match firewall marks in firewall ↵Nicolas Fort
filter and in policy route.
2023-09-29Merge pull request #2256 from zdc/T5577-circinusChristian Breunig
T5577: Optimized PAM configs for RADIUS/TACACS+
2023-09-28Merge pull request #2295 from sever-sever/T5217-synproxyChristian Breunig
T5217: Add firewall synproxy
2023-09-28Merge pull request #2306 from sarthurdev/fw_helperJohn Estabrook
firewall: T5614: Add support for matching on conntrack helper
2023-09-27T5165: Add option protocol for policy local-routeViacheslav Hletenko
Add option `protocol` for policy local-route set policy local-route rule 100 destination '192.0.2.12' set policy local-route rule 100 protocol 'tcp' set policy local-route rule 100 set table '100'
2023-09-24firewall: T5614: Add support for matching on conntrack helpersarthurdev
2023-09-23ddclient: T5612: Relax hostname validation for apex and wildcard entryIndrajit Raychaudhuri
Some porvides (like 'namecheap') allow to use '@' or '*' as hostname prefix for apex and wildcard records. This commit relaxes the hostname validation to allow these prefixes.
2023-09-23ddclient: T5612: Enable TTL support for web-service based protocolsIndrajit Raychaudhuri
Enable TTL support for web-service based protocols in addition to RFC2136 based (nsupdate) protocol. Since TTL is not supported by all protocols, and thus cannot have a configuration default, the existing XML snippet `include/dns/time-to-live.xml.i` does not have common `<defaultValue>300</defaultValue>` anymore and is instead added explicitly whenever necessary.
2023-09-23ddclient: T5612: Refactor zone configurationIndrajit Raychaudhuri
Refactor zone configuration to use shared XML snippet for all cases.
2023-09-21T5217: Add firewall synproxyViacheslav Hletenko
Add ability to SYNPROXY connections It is useful to protect against TCP SYN flood attacks and port-scanners set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '22' set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
2023-09-21T5600: firewall: change constraints for inbound|outbound interface-name. Now ↵Nicolas Fort
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.
2023-09-19Merge pull request #2284 from c-po/t5596-bgpChristian Breunig
bgp: T5596: add new features from FRR 9
2023-09-19Merge pull request #2285 from c-po/T5597-isisChristian Breunig
isis: T5597: add new features from FRR 9
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-18isis: T5597: add new features from FRR 9Christian Breunig
* Add support for IS-IS advertise-high-metrics set protocols isis advertise-high-metrics * Add support for IS-IS advertise-passive-only set protocols isis advertise-passive-only
2023-09-18bgp: T5596: add new features from FRR 9Christian Breunig
* Add BGP Software Version capability (draft-abraitis-bgp-version-capability) set protocols bgp neighbor 192.0.2.1 capability software-version * Add BGP neighbor path-attribute treat-as-withdraw command set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw
2023-09-18conntrack: T5217: Add tcp flag matching to `system conntrack ignore`sarthurdev
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i` - Update smoketest to verify TCP flag matching
2023-09-14Merge pull request #2062 from vfreex/simple-fastpath-supportViacheslav Hletenko
T4502: firewall: Add software flow offload using flowtable
2023-09-13RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13T5576: Add BGP remove-private-as all optionViacheslav Hletenko
Add the ability to use the option all for remove-private-as. Remove private ASNs in outbound updates. all - Apply to all AS numbers set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all
2023-09-09T4502: firewall: Add software flow offload using flowtableYuxiang Zhu
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
2023-09-08Merge pull request #2222 from nicolas-fort/T4072-fwall-bridgeChristian Breunig
T4072: add firewall bridge filtering.
2023-09-07T4072: add firewall bridge filtering. First implementation only applies for ↵Nicolas Fort
forward chain and few matchers. Should be extended in the future.
2023-09-06Merge pull request #2199 from sarthurdev/T4309Christian Breunig
conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups