summaryrefslogtreecommitdiff
path: root/interface-definitions/include
AgeCommit message (Collapse)Author
2022-09-13firewall: T2199: Refactor firewall + zone-policy, move interfaces under ↵sarthurdev
firewall node * Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script
2022-09-07update-check: T3476: Allow update-check for VyOS imagesViacheslav Hletenko
Ability to autocheck available new images Parse remote URL JSON image-version.json file and compare version VyOS with a local current version, if find diff sent wall message that the new image is available Also, add op-mode command to check images "show system image" With option "auto-check" check will be once per 12 hours set system update-check auto-check set system update-check url 'http://example.com/image-version.json' If new version is available shows it per login (MOTD)
2022-09-07T1024: Firewall and Policy route: add option to match dscp value, both on ↵Nicolas Fort
firewall and in policy route
2022-09-06T4670: policy route: extend matching criteria for policy route and route6. ↵Nicolas Fort
Matching criteria added: ttl/hoplimit and packet-length
2022-09-03firewall: T4651: re-implement packet-length CLI option to use <multi/>Christian Poessinger
2022-09-03firewall: T3568: improve default-action help stringChristian Poessinger
2022-09-03firewall: T3568: add XML include block for eq,gt,lt optionsChristian Poessinger
2022-09-02Merge branch 'T4651' of https://github.com/nicolas-fort/vyos-1x into firewallChristian Poessinger
* 'T4651' of https://github.com/nicolas-fort/vyos-1x: Firewall: T4651: Change proposed cli from ip-length to packet-length Firewall: T4651: Add options to match packet size on firewall rules.
2022-09-01Firewall: T4651: Change proposed cli from ip-length to packet-lengthNicolas Fort
2022-08-31nat: T538: Move nat configs to /run directoryViacheslav Hletenko
2022-08-30firewall: T4655: implement XML defaultValue for name and ipv6-nameChristian Poessinger
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix default action 'drop' for the firewall") in a way that we can now also use the XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This is a much cleaner approach which also adds the default value automatically to the CLIs completion helper ("?").
2022-08-30firewall: T3568: rename XML building blocks to match CLI node nameChristian Poessinger
2022-08-26Merge pull request #1482 from sever-sever/T4631Christian Poessinger
nat66: T4631: Add port and protocol to nat66 conf
2022-08-20nat66: T4631: Add port and protocol to nat66Viacheslav Hletenko
Ability to configure src/dst/translation port and protocol for SNAT and DNAT IPv6
2022-08-18firewall: T4622: Add TCP MSS optionViacheslav Hletenko
Ability to drop|accept packets based on TCP MSS size set firewall name <tag> rule <tag> tcp mss '501-1460'
2022-08-17nat: T538: Add static NAT one-to-oneViacheslav Hletenko
Ability to set static NAT (one-to-one) in one rule set nat static rule 10 destination address '203.0.113.0/24' set nat static rule 10 inbound-interface 'eth0' set nat static rule 10 translation address '192.0.2.0/24' It will be enough for PREROUTING and POSTROUTING rules Use a separate table 'vyos_static_nat' as SRC/DST rules and STATIC rules can have the same rule number
2022-08-10l2tp: T4603: Add RADIUS nas-ip-address optionViacheslav Hletenko
Add l2tp authentication radius nas-ip-address option which will be sent in NAS-IP-Address Radius attribute
2022-08-08nat66: T4598: add file nat-exclue.xml.i, which is invoked by nat66.xml.in ↵Nicolas Fort
and nat-rule.xml.i
2022-08-04Merge https://github.com/Cheeze-It/vyos-1x into currentChristian Poessinger
* https://github.com/Cheeze-It/vyos-1x: bgp: T4257: Changing BGP "local-as" to "system-as"
2022-08-01mtu: T4572: Add DHCP-option MTU to get values from DHCP-serverViacheslav Hletenko
Ability to get MTU from DHCP-server and don't touch it per any interface change if interface 'dhcp-options mtu' is configured
2022-07-30bgp: T4257: Changing BGP "local-as" to "system-as"Cheeze_It
bgp: T4257: Changing BGP "local-as" to "system-as" This change is to change the global BGP name for the node "local-as" to "system-as" This is needed so that there's less ambiguity with the local-as feature per neighbor. bgp: T4257: Changing BGP "local-as" to "system-as" bgp: T4257: Changing BGP "local-as" to "system-as" This change is to change the global BGP name for the node "local-as" to "system-as" This is needed so that there's less ambiguity with the local-as feature per neighbor.
2022-07-29Merge pull request #1403 from sever-sever/T4518Christian Poessinger
lb-wan: T4518: Add XML for conf mode load-balancing wan
2022-07-09ip: T4517: add option to enable directed broadcast forwardingYuxiang Zhu
Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644. By default Linux kernel doesn't forward directed broadcast packets unless both of `/proc/sys/net/ipv4/conf/all/bc_forwarding` and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.
2022-07-08lb-wan: T4518: Add XML for conf mode load-balancing wanViacheslav Hletenko
Add XML for configuration mode "load-balancing wan" for the future rewriting this to Python Remove node from Makefile as Python code is not yet completed
2022-07-07monitoring: T4411: Migrate influxdb options to influxdb nodeViacheslav Hletenko
As we have specific configuration for each plugin: set service monitoring telegraf xxx - azure-data-explorer - prometheus-client - splunk We should to move configuration that related to influxdb under influxdb node Replace: set service monitoring telegraf - authentication xxx - bucket xxx - port xxx - url To: set service monitoring telegraf influxdb xxx
2022-07-07syslog: T4500: Remove max-size from rsyslog leaving rotation to logrotatesarthurdev
After discussion with @zsdc this was decided the better long term fix * Removes hourly logrotate cron in favour of systemd timer override
2022-07-04Merge pull request #1386 from sarthurdev/geoip_negateChristian Poessinger
firewall: T4299: Add ability to inverse match country-codes
2022-07-04firewall: T4299: Add ability to inverse match country codessarthurdev
2022-07-04xml: include: interface - fix help stringChristian Poessinger
2022-07-01Merge pull request #1380 from sarthurdev/ovpn-multi-caChristian Poessinger
openvpn: T4485: Accept multiple tls ca-certificate values
2022-07-01xml: include: add missing prefix in include file commentChristian Poessinger
2022-06-29openvpn: T4485: Accept multiple `tls ca-certificate` valuessarthurdev
2022-06-11firewall: T4299: Add support for GeoIP filteringsarthurdev
2022-06-10xml: drop not always applicable REQUIRED suffix from completion help stringChristian Poessinger
If a parameter is required is determined from the Python string on commit. This "indicator" is not used consistently and sometimes missing, or added where it is not required anymore due to Python script improvement/rewrite.
2022-06-10Merge pull request #1322 from nicolas-fort/T3907-fwall-logDaniil Baturin
Firewall: T3907: add log-level options in firewall
2022-06-09Merge pull request #1327 from sever-sever/T970Christian Poessinger
firewall: T970: Add firewall group domain-group
2022-05-31policy: T3976: bump version 2 -> 3Christian Poessinger
2022-05-29eigrp: T2472: add missing <multi/> specifier when redistributing protocolsChristian Poessinger
2022-05-29eigrp: T2472: add "local-as" CLI node to specify ASN like under BGPChristian Poessinger
2022-05-29eigrp: T2472: add basic template rendering and FRR communicationChristian Poessinger
2022-05-29rip: T4448: remove default version for RIPChristian Poessinger
Commit f9e38622 ("rip: T4448: add support to set protocol version on an interface level") also added the versionspecified on a per interface level. the RIp version carried a default value of 2 which makes RIPv1 and RIPv2 no longer working which is dthe default for FRR. Remove the default "2" from the RIP version specifier to make this behavior work again.
2022-05-29eigrp: vrf: T2773: prepare XML definitions for VRF instanceChristian Poessinger
2022-05-28rip: T4448: add support to set protocol version on an interface levelChristian Poessinger
2022-05-28xml: rip: T4448: rename include files to match schemaChristian Poessinger
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-27Firewall: T3907: Revert migration script 6-to-7 and add new 7-to-8Nicolas Fort
2022-05-27dhcp6: pd: T4447: bugfix sla-id limits (must be greater then 128Christian Poessinger
The sla-id parameter of DHCPv6 prefix delegations is limited to 128. While this is enough to use all /64 subnets of a /57 prefix, with a /56 prefix that is no longer sufficient. Increased sla-id length tp 64535 so one could delegate an entire /48.
2022-05-20Merge pull request #1317 from sever-sever/T4418Christian Poessinger
monitoring: T4418: Add output plugin azure-data-explorer
2022-05-20monitoring: T4418: Add output plugin azure-data-explorerViacheslav Hletenko
Add output telegraf Plugin Azure Data Explorer set service monitoring telegraf azure-data-explorer authentication client-id 'x' set service monitoring telegraf azure-data-explorer authentication client-secret 'x' set service monitoring telegraf azure-data-explorer authentication tenant-id 'x' set service monitoring telegraf azure-data-explorer database 'x' set service monitoring telegraf azure-data-explorer group-metrics 'single-table' set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
2022-05-19ipsec: T2816: add completion help for IP addresses to local-address nodeChristian Poessinger