Age | Commit message (Collapse) | Author |
|
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
scripts: T4269: node.def generator should automatically add default values (backport)
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
(cherry picked from commit a68c9238111c6caee78bb28f8054b8f0cfa0e374)
|
|
Add accounting-interim-interval option for PPPoE-server
set service pppoe-server authentication radius accounting-interim-interval '60'
|
|
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
(cherry picked from commit fe82d86d3e87cb8d92ebc9d0652c08e3dd79a12c)
|
|
(cherry picked from commit d14a6814acb173cdc6df13212620f7da330434ed)
|
|
T4971: PPPoE server add named ip pool and attr Framed-Pool
|
|
Add accel-ppp include client-ip-pool-name.xml.i
Can be used in other accep-ppp CLI as "include"
|
|
Extended PPPoE-server rate-limiter to avoid shaping marked resources
Often this feature needs for ISP, which provides access to some IX
or its resources.
set service pppoe-server shaper fwmark '223'
|
|
(cherry picked from commit f0bc6c62016d285f0645c4b3ba8b1451c40c637f)
|
|
backport: T4515: T4219: policy local-route6 and inbound-interface support
|
|
Use common "url.xml" which allow URL as domain name or IP entrie
|
|
Ability to get MTU from DHCP-server and don't touch it per
any interface change if interface 'dhcp-options mtu' is
configured
(cherry picked from commit 29b0ee30bf2622a40ca3d17e3f6b9e94e5b62072)
|
|
accel-ppp: T4373: T4507: Add options multiplier for shaper
|
|
Multiplier option is required by some vendors for correct shaping
For RADIUS based rate-limits
edit service pppoe-server
set authentication radius rate-limit multiplier '0.001'
|
|
When clients only use DHCP for interface addressing we can not bind NTPd to
an address - as it will fail if the address changes. This commit adds support
to bind ntpd to a given interface in addition to a given address.
set system ntp interface <name>
(cherry picked from commit 6732df1edd632b56d3d02970939f51d05d4262e9)
|
|
ipoe: T2580: Add pools and gateway options
|
|
The sla-id parameter of DHCPv6 prefix delegations is limited to 128. While this
is enough to use all /64 subnets of a /57 prefix, with a /56 prefix that is no
longer sufficient.
Increased sla-id length tp 65535 so one could delegate an entire /48.
(cherry picked from commit 283276d457a09c100416c0d4ffccd4f94ccd2540)
|
|
Add new feature to allow to use named pools
Can be used also with Radius attribute 'Framed-Pool'
set service ipoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service ipoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
Add output Plugin "prometheus-client" for telegraf
set service monitoring telegraf prometheus-client xxx
|
|
(cherry picked from commit a6c936997611de85dc73152297679d0b53095713)
|
|
inbound-interface support""
This reverts commit 45a2a7d0adc7e9d27d6c7aee1ccbd9b64a1437ad.
|
|
support"
|
|
(cherry picked from commit eaf4b60c9e7fa094d17b87b29bebaf81182ee7a1)
|
|
backport: T4515: T4219: policy local-route6 and inbound-interface support
|
|
|
|
This reverts commit 72d7152f794cfe48821797d62865024c1843096e.
|
|
(cherry picked from commit d418cd36027aef5993122ec62419e8c66fe7a1ed)
|
|
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
(cherry picked from commit 0ecddff7cffa8900d351d5c15e32420f9d780c0b)
|
|
backport: T4515: T4219: policy local-route6 and inbound-interface support
|
|
|
|
Ability to set virtual_address on not vrrp-listen interface
Add ability don't track primary vrrp interface "exclude-vrrp-interface"
Add ability to set tracking (state UP/Down) on desired interfaces
For example eth0 is used for vrrp and we want to track another eth1
interface that not belong to any vrrp-group
set high-avail vrrp group WAN interface 'eth0'
set high-avail vrrp group WAN virtual-address 192.0.2.222/24 interface 'eth2'
set high-avail vrrp group WAN track exclude-vrrp-interface
set high-avail vrrp group WAN track interface 'eth1'
|
|
(cherry picked from commit d96bab4e6da517f07133667834cd6f8bcfb5160f)
|
|
Add ability to set for services like "SSH/NTP" listen IPv6 link-local
addresses
|
|
|
|
|
|
conf-mode: NAT interface definition typo fix (Equuleus)
|
|
|
|
|
|
(cherry picked from commit b8f702bc7b6e92b8841271b4a2355d2b65ccb247)
|
|
|
|
To allow IPv6 only for vpn sstp sessions we have to add
'ppp-options' which can disable IPv4 allocation explicity.
Additional IPv6 ppp-options and fix template for it.
|
|
shared-network
(cherry picked from commit 689d1824d251ea9fbd81bf0c941dbd36e33ef420)
|
|
(cherry picked from commit 59e5b5eb4c0507f9d3831483152a748b58560bfd)
|
|
DHCP servers "shared-network" level only makes sense if one can specify
configuration items that can be inherited by individual subnets. This is now
possible for name-servers and the domain-name.
set service dhcp-server shared-network-name LAN domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN name-server '192.0.2.1'
(cherry picked from commit d411a40a3598c55fae7abd8bc5f1876007aa704b)
|
|
(cherry picked from commit 83ea0cb273e29db22062cc133b6eabd4ba2761c7)
|
|
IPv4 DHCP uses "dns-server" to specify one or more name-servers for a given
pool. In order to use the same CLI syntax this should be renamed to name-server,
which is already the case for DHCPv6.
(cherry picked from commit e2f9f4f4e8b2e961a58d935d09798ddb4e1e0460)
|
|
(cherry picked from commit ec9503a9ec487ec7aa3524cb9847357f0631ca25)
|
|
(cherry picked from commit 794f193d11c8c1b5fed78f4e40280480446ab593)
|